What an age we live in. 

The omnipresent nature of smartphones in today’s modern society has led to the idea of “Bring Your Own Device (BYOD)” into the workplace. Simply, since everyone has one, let them use it at work for work purposes.

Just look around you. Everyone is walking around with an advanced mobile touchscreen computer in their pocket at all times. Want transport to the nearest bar after a night of dancing? Summon a vehicle through a ride-sharing app on your smartphone. Need to pay that bar tab? Touch your smartphone to the register to transfer funds directly from your bank account into the merchant’s account. In jail because you got into a fight as you left the bar? Sorry: you’re now stuck since the police confiscated your smartphone, and you don’t know how to use that antique, corded, push-button thing they shoved in front of you.

Businesses save some money and everyone’s happy, right? Or is BYOD a disaster waiting to happen? The short answer is “yes,” and to find out exactly why, read on.

Excellent for Offices (Just Not Medical Ones)

In theory, BYOD is an effective cost-cutting measure. Studies have shown this is especially true for industries that don’t have the budget for proper equipment like standalone telephones or real computers. BYOD has been known to boost morale and, when implemented properly, can increase communication. 

However, most of the studies that came to this conclusion looked at standard businesses. They did not factor in four unique issues prevalent in healthcare: security, liability, IT Support, and standards.

Personal Devices Are a Hornet’s Nest of HIPAA Violations (Security)

HIPAA stands for “Health Insurance Portability and Accountability Act”. Enacted into law in 1996 by President Bill Clinton, HIPAA made major updates to how healthcare is managed in the US. 

One of those updates concerns patient privacy. The security measures to protect it in HIPAA are extensive and carry heavy penalties if broken. Unfortunately, the greatest flaw in any BYOD policy in healthcare is almost always security. 

Here’s an example: How can you guarantee that a medical staff member always logs out of work applications? This is especially pressing if they take work home as part of their job. How do you ensure a staff member’s personal device is protected? This is doubly true if there’s any private data on it.

Another example. Imagine a doctor or nurse snaps a quick picture of a patient’s injury on their smartphone for later reference. Or to send later to another clinician for a second opinion. Even if the patient consented to this act, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens depending on the phone’s settings. Then questions mount: is the cloud service being shared with anyone else? How encrypted is it? And here’s a doozy: what other devices is the cloud service backing up to? And are they secure as well?

Such security questions apply to all healthcare records no matter the media. If the staff member uses note-taking software on their BYOD, any work-related notes on it and, especially, in the cloud, fall under scrutiny by HIPAA. Same with any personal thoughts or case reports recorded into a phone recorder app, which may be backed up to the cloud or other, less secure devices. 

Here’s a grim statistic: according to the 2016 Consumer Security Risks Survey from Kaspersky Labs, only half (53 percent) of mobile users have a security solution like passwords installed on their smartphones. And 20 percent weren’t even aware that mobile malware existed!

Each one of the above scenarios is a potential HIPAA violation, which can cost an individual (or possibly their employer!) thousands of dollars in fines and potential jail time.

Then there are the data breaches. According to an extensive study by the Ponemon Institute released in 2016, “nearly 90% of healthcare organizations…had a data breach in the past two years.” The researchers went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million, the math speaks for itself.

Consider the Liability

Earlier we mentioned possible HIPAA violations if an employee’s BYOD is stolen. Unfortunately, mobile devices get stolen or misplaced all of the time. Unlike dedicated hospital medical tablets, a staff member’s personal smartphone or tablet goes home (or out) with them. And considering that over two million users had their phones stolen back in 2015 (and over three million simply lost theirs), the odds of losing one’s phone increase dramatically once it leaves the workplace.

So who’s responsible for the stolen smartphone (i.e., reporting the theft, investigation, replacement, etc.)? What about any private data on it? These questions also apply if the phone is dropped and damaged. Answers to these questions may escalate to legal teams if the device owner and the healthcare group have conflicting views.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (HIT) performs a whole host of important jobs. Technicians maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few. So syncing employee personal devices should be easy, right? 

Sorry, BYOD fans, but the answer is a resounding no. Devices officially owned by the healthcare group can all be managed with networking software. HIT uses it to keep all device software updated to close bugs and known security holes, to install the latest anti-virus and firewall software, and, finally, to ensure all of these programs work harmoniously together.

BYOD shatters that smoothly running symphony. Due to liability concerns, the tech may have little to no access to the personal device. And such access is necessary: neglect or misunderstanding can lead to anything from required software patches not being installed to lax antivirus maintenance. These and more can open up huge security holes in the device or the network.

A SecureEdge Networks report indicated that, as it stands, 80 percent of all BYOD devices are completely unmanaged by an IT team. Compare that to the standard practice by HIT of managing all medical tablets and computers in a facility, and the vast security gulf becomes clearer.
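As an added illustration (not part of the original post or Cybernet’s own tooling), here is a small Python compliance check of the kind an HIT team could run over an exported device inventory to surface the managed-versus-unmanaged gap described above. The device records, the field names, and the 30-day patch threshold are all constructed for this example; a real deployment would read the inventory from its device-management system and apply its own policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One row of a (hypothetical) device inventory export."""
    owner: str
    ownership: str            # "corporate" (hospital-owned) or "byod" (personal)
    platform: str             # e.g. "android", "ios"
    managed: bool             # enrolled in HIT's device management
    screen_lock: bool         # passcode or biometric lock enabled
    storage_encrypted: bool   # device storage is encrypted
    last_patch: date          # date the OS security patch level was last updated
    cloud_photo_backup: bool  # camera roll syncs to a personal cloud account


# Policy threshold (constructed for the example; each organisation sets its own).
MAX_PATCH_AGE_DAYS = 30


def check_device(dev: Device, today: date) -> list[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: list[str] = []
    if not dev.managed:
        findings.append("not enrolled in device management")
    if not dev.screen_lock:
        findings.append("no screen lock")
    if not dev.storage_encrypted:
        findings.append("storage not encrypted")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch level older than {MAX_PATCH_AGE_DAYS} days")
    if dev.cloud_photo_backup:
        # Photos of patient injuries would leave the device via this path.
        findings.append("camera roll backs up to a personal cloud account")
    return findings


def summarize(devices: list[Device], today: date) -> dict:
    """Roll findings up by ownership type so the BYOD gap is visible at a glance."""
    report = {}
    for kind in ("corporate", "byod"):
        group = [d for d in devices if d.ownership == kind]
        per_device = {d.owner: check_device(d, today) for d in group}
        report[kind] = {
            "total": len(group),
            "unmanaged": sum(1 for d in group if not d.managed),
            "non_compliant": sum(1 for f in per_device.values() if f),
            "findings": {o: f for o, f in per_device.items() if f},
        }
    return report


# Constructed sample inventory: two hospital-owned tablets and three personal devices.
TODAY = date(2017, 3, 1)
SAMPLE_INVENTORY = [
    Device("tablet-er-01", "corporate", "android", True, True, True, date(2017, 2, 20), False),
    Device("tablet-icu-02", "corporate", "android", True, True, True, date(2017, 2, 20), False),
    Device("dr.patel", "byod", "ios", False, True, True, date(2017, 1, 5), True),
    Device("nurse.kim", "byod", "android", False, False, False, date(2016, 11, 12), True),
    Device("dr.lopez", "byod", "android", True, True, True, date(2017, 2, 25), False),
]

if __name__ == "__main__":
    for kind, stats in summarize(SAMPLE_INVENTORY, TODAY).items():
        print(f"{kind}: {stats['total']} devices, {stats['unmanaged']} unmanaged, "
              f"{stats['non_compliant']} non-compliant")
        for owner, findings in stats["findings"].items():
            print(f"  {owner}: {', '.join(findings)}")
```

On the sample inventory both hospital-owned tablets pass, while two of the three personal devices are flagged, one of them on every check. The point of the roll-up is that an enrolled BYOD device (dr.lopez) can be just as compliant as a corporate one; what the report makes visible is how many personal devices HIT cannot see at all.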

So the solution, counter BYOD advocates, is that the individual user — a doctor or nurse — turns into the primary technician for their own device. Unfortunately, many don’t have the time (“Code Blue!”) or aren’t up to the challenge (“I don’t know if my phone has removable batteries or not.”).

BYOD Policies Lack Standardization

Many of the medical tablets and other medical touch screens purchased by a healthcare organization typically come from the same vendor, run the same operating system, and even use the same parts. This standardization allows HIT to choose software and hardware peripherals that work with any device throughout the organization.

Things get dicey with BYOD. Now HIT has to contend with devices from a dozen different manufacturers and with different operating systems (on different versions, with different patches, no less). Hospital apps, messaging services, and secure hospital data vaults, which are all standard and work fine with each other, now have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet operating systems installed in most BYODs. Same with frequently used hospital website portals which must now display correctly in Chrome, Safari, and half a dozen other mobile browsers.

Trying to make all of this software and these networks communicate across dozens of different platforms and browsers is no easy task, to put it mildly. Then, when there is a conflict, the IT department is responsible for fixing it. All of this puts a huge strain on the tech team.

To BYOD or Not to BYOD

An argument could be made for the advantages of BYOD in the workplace: staff members get to enjoy the familiarity of their own devices while the business saves on equipment like hospital-provided medical computers and medical tablets. It could be further argued that some of the issues faced in healthcare, like security, liability, IT support, and equipment standards, could all potentially be dealt with in a comprehensive BYOD policy of some sort.

Make sure it’s worth the risk. In 2016, health insurer Anthem, Inc. paid over $16 million to settle a HIPAA violation in which nearly 80 million people had their electronic medical records exposed publicly. 

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” Roger Severino, director of the Office of Civil Rights, said in a statement. Anthem would later pay nearly $50 million in additional penalties to settle multi-state investigations.  

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.
