Managing Security for a Mobile Device BYOD Policy
The use of technology in the healthcare setting continues to rise. A recent survey conducted by Epocrates found that 86% of clinicians are using their smartphones for professional activities, and 53% of those clinicians are also using tablets. That same survey estimates that 9 out of 10 medical professionals will be using both tablets and smartphones for professional purposes by the end of 2014 (Epocrates, 2013).
As the adoption of tablets and other mobile devices in healthcare continues to rise, employers need to determine the best method of implementation. When it comes to deploying tablets in a clinical environment, hospitals have three main options: pooled tablets shared within the workplace; corporate-owned, personally enabled (COPE) devices; and bring-your-own-device (BYOD).
At this point in time, BYOD appears to be the most popular choice among hospitals. A recent survey conducted by Aruba Networks reported that 85% of hospital-based IT professionals claim that their organization employs a BYOD strategy (iHealth Beat, 2012). While BYOD certainly offers a lot of convenience for employees, there are many things that hospitals need to consider prior to introducing such a policy.
Security Considerations for a Mobile Device BYOD Policy
Likely the most important consideration prior to implementing tablets in a healthcare setting is security. Many healthcare professionals have concerns about private patient data walking in and out of the office on a regular basis. The inability to constantly monitor these mobile devices leads to a higher risk of theft, especially since many users do not have password protection on their tablets.
Managing this security concern raises another issue: balancing company monitoring of personal property against maintaining healthy employment relationships. Developing a system to monitor or control the use of an employee’s personal device requires the company to walk a fine line between patient security and rights of ownership. Patient confidentiality is mutually understood between clinicians and employers, but the means of maintaining that confidentiality creates a bit of a gray area.
A company’s ability to manage this sensitive data with a BYOD policy is critical in case of a potential breach. Without a central management system, employers would be unable to assess any potential data breaches on a compromised device. Moreover, if a BYOD user is able to bypass corporate controls, their mobile devices may become susceptible to viruses and malware that could ultimately expose secure patient data (Phifer, 2013).
The Digital Services Advisory Group and Federal Chief Information Officers Council have attempted to address this issue by outlining three high-level means of managing BYOD security (Digital Government, 2012):
Virtualization: Put all computing resources in a centralized cloud system so that no data is stored, and no corporate application processing takes place, on a personal device.
Walled Garden: Locate all data or corporate application processing within a corporate-controlled application on the personal device.
Limited Separation: Allow both personal data and corporate data to be accessed on a personal device with security policies in place to ensure that information controls are satisfied.
These three options all offer different levels of security. Choosing the option that makes the most sense for your company will depend on the sensitivity of your corporate data and your preexisting policies. Regardless of the option you take, managing security is a critical element of implementing tablets into your workplace.
About the Author
David Engelhardt has over 26 years of experience in software and hardware solutions development in healthcare and manufacturing, with a particular focus on mobile technologies. David is the founder and President of ReadyDock Inc. He is passionate about and committed to providing safe and workflow-efficient methods to enable clinicians and patients to enhance care through the use of innovative technologies. In the small window of time when he is not working or spending time with his amazing wife and daughter, he spends his time playing USTA tennis, collecting vinyl records, and shaping music and sound in his recording studio.
References
Digital Government. (2012, August 23). Bring your own device. Retrieved from http://www.whitehouse.gov/digitalgov/bring-your-own-device
Epocrates. (2013). 2013 mobile trends report. Retrieved from http://www.epocrates.com/oldsite/statistics/2013 Epocrates Mobile Trends Report_FINAL.pdf
iHealth Beat. (2012, February 27). Survey: Many hospitals allow workers to use personal mobile devices. Retrieved from http://www.ihealthbeat.org/articles/2012/2/27/survey-many-hospitals-allow-workers-to-use-personal-mobile-devices
Phifer, L. (2013, January 28). BYOD security strategies: Balancing BYOD risks and rewards. Retrieved from http://searchsecurity.techtarget.com/feature/BYOD-security-strategies-Balancing-BYOD-risks-and-rewards