HIPAA Regulatory Alert: BYOD policies address personal issues
Enforcement requires upfront collaboration
Smartphones, laptops, and tablets are everywhere. The convenience of mobile devices has made healthcare documentation, follow up, and communication simpler and faster. Limiting access to electronic protected health information (EPHI) to hospital-owned devices that are encrypted and contain security tools such as “remote wipe” is one way to enhance EPHI security, but the reality is that physicians and employees are using personal devices as well.
“It’s not a surprise that people want to use the phones with which they are most comfortable,” says Steve Wu, attorney and partner at Cooke, Kobrick and Wu in Silicon Valley, CA. In most cases, personal devices such as tablets or smartphones offer more functionality than hospital-provided devices. “People also don’t want to carry two different devices,” he says.
The increasing use of personal devices for work-related communications makes it critical for healthcare organizations to develop Bring Your Own Device (BYOD) policies, says Wu. These policies differ from typical security policies related to the use of mobile devices. “A BYOD policy can be incorporated into other policies or developed as a separate policy, but it needs to address issues related to the device being owned by someone else, not the hospital.”
The first step is to include all areas of the hospital in the policy development, especially the information technology (IT) department, says Wu. “Too many times, the IT department is handed a policy developed by others and told to find a way to implement it,” he says. In the case of mobile devices, the challenge is that people already are using their devices, so policies need to reflect the reality of use and apply security measures that make sense, he says.
“Once representatives from legal, risk management, IT, and the privacy and security officers for the organization have developed a policy together, it is easier to implement,” Wu says. “Some hospitals require employees who have the need to access EPHI to use only hospital-issued devices. Employees who are not accessing EPHI are allowed to use their own devices for general communication that does not involve sharing patient information.”
Organizations that do allow employees to use personal devices to access patient information should require hospital-provided encryption as well as mobile device management software on each device to mitigate EPHI loss, says Wu. Requiring the hospital-provided programs raises some issues when the device is owned by the employee, he points out. “One of the key security measures is software that will wipe all data off the device if it is lost or stolen,” he says. “When someone is using their device for personal as well as work-related activities, this means all family photos or personal communication is also wiped clean.” Making sure physicians and employees understand the ramifications of using their own phones, tablets, or laptops, may make some decide not to use their own device.
If you do allow employees to use their own devices, be clear about whether using a personal device is an expectation. “Employees may ask the hospital to pay for the cost of, or a portion of the cost of the device if they believe they are expected to use the device for work,” says Wu.
The other issue that must be addressed by the IT department is the type of mobile device platforms they want to support in the security program, says Wu. “Because different types of operating systems may require different security solutions, some IT departments may find it more effective to specify which platforms are supported,” he says.
In addition to addressing the issues related to employees’ access with their personal device, be aware that in addition to protecting EPHI, the hospital must protect its own network, says Wu. “When people use their own devices, the network is exposed to ‘shadow IT’ or programs that are downloaded to the mobile device to enhance functionality,” he says. These programs include Dropbox, iCloud, personal email programs, social media sites, and text messaging. “These programs increase the opportunity for malware to compromise the hospital network when connected,” Wu says. Limiting the types of mobile applications that can be downloaded to the device is one way to address the problem, he suggests.
Address employee termination in your BYOD policy as well, recommends Wu. “It’s a simple process to discontinue access for an employee’s password, but a hospital must also be able to delete work-related EPHI information on the personal device as well,” he says. This means having a process in place to delete information before the employee leaves.
Education is an important step to take when implementing a BYOD policy. “Although employees will view the ability to use their own smartphone, laptop, or tablet as convenient, it’s important they understand that the presence of EPHI or hospital-related information on their device lessens their privacy,” he says. “In the case of a breach or a lawsuit, the employee’s device becomes evidence.”
A BYOD policy is important for all healthcare organizations because people are using their personal devices, but physicians and employees need to understand all of the issues, says Wu. “The best security is separate mobile devices: one for personal use and one for work.”
For more information about Bring Your Own Device policies, contact:
• Steve Wu, Partner, Cooke, Kobrick and Wu, 166 Main St., Silicon Valley, CA 94022. Telephone: (650) 917-8045. Email: firstname.lastname@example.org.