BYOD: It’s not a party invite, but a hospital problem

Providers are increasingly faced with the dilemma of whether to ban all personal electronic devices — such as iPads and BlackBerrys — in patient care areas or allow clinicians to use them. If you let clinicians bring their own devices, how do you let them connect to the network without risking data loss or a violation of the Health Insurance Portability and Accountability Act (HIPAA)?

A bring-your-own-device (BYOD) policy is necessary because clinicians expect to have information at their fingertips all the time, at work just as they do anywhere else, says Tom Murphy, chief marketing officer of Bradford Networks in Concord, NH, which provides BYOD support to healthcare providers. BYOD used to be less common, but now it is inevitable that physicians and staff will bring their personal devices to work, Murphy says.

Trying to stop BYOD would be futile and counterproductive, so managing the risk is the better strategy, he says. “Hospitals are studying what devices are accessing their networks and deciding what information that device and that person should have access to,” Murphy says. “Network access control is about determining the risk profile of the device — whether it is owned by the hospital or by an individual, for instance — and then providing different levels of access.”

A doctor’s iPad, for example, might be allowed a certain level of access to information, Murphy explains, but a nurse logging in to the network using that same device might be allowed less access. Either the doctors or the nurses might be granted deeper access if they log in using a hospital-owned computer on the unit.

Audit use of BYOD, educate staff

The hospital policy on who can access what and with what device must be accompanied by extensive staff education, Murphy says. Auditing and usage reports should be maintained and distributed to key administrators and staff leaders, he says.

Protecting patient information on personal devices is a major concern, and there are frequent reports of laptops and other items with sensitive data being lost or stolen. Encryption of the data is one of the best safeguards against that potential loss of data, but Murphy also suggests the use of remote wipe technology. With remote wipe, a signal can be sent to the lost device that automatically deletes data.

BYOD items also should have a timeout feature that triggers the password protection after a short time of inactivity, Murphy suggests.

“Doctors are driving the BYOD initiative,” Murphy says. “They come to work and say ‘I’m going to use this iPad, so you need to figure out how to keep the information safe.’ IT can leverage some of the policies that they apply to in-house workstations, applying that to mobile devices, but I would recommend that risk management oversee this because there is a lot at stake if the precautions are not adequate.”


• Tom Murphy, Chief Marketing Officer, Bradford Networks, Concord, NH. Telephone: (603) 228-5300. Web: