Bring Your Own Device a Mixed Bag for Health Care
As the consumerization of technology marches on, industry research estimates that as many as 90 percent of employees already use personal devices for work--without permission. In some ways, the trend is a no-brainer: Organizations get a break on the expense of providing a smartphone or tablet for an employee’s professional use. In addition, they may benefit from additional off-hours productivity as employees integrate their personal and business online activities on a single device, using a consistent interface. And the bring your own device trend offers employees a little more flexibility about how they respond to professional tasks.
On the flip side, BYOD carries risks. How does an organization protect itself against data loss or breaches when they don’t control the device? Those concerns are particularly acute in health care, where most data being handled is confidential and numerous legal and financial penalties are applicable when protected health information in exposed.
So far there have been relatively few incidents of smartphone or tablet data breaches that have resulted in exposure of patient information--most health data breaches have resulted from stolen or lost laptops. But smartphones and tablets will continue to proliferate and the risks associated with the devices—and a BYOD policy--will escalate.
New software vulnerabilities frequently are cropping up. Last summer, for example, Germany's Federal Office for Information Security warned about a critical vulnerability in the way iOS devices (the iPad, iPhone and iPod touch) deal with PDF files. In another example, earlier this month, an SMS function in the iPhone was found to have bugs, sending private messages to unintended recipients. And although both Apple and Android devices have some resident data protection capabilities, data security experts say that some of the protections are weak.
It would be impossible for any organization to anticipate all of the security liabilities associated with BYOD, but there are steps that health organizations can take to limit their liability. A major step is to create a well-thought out, documented BYOD policy. In addition to that, health care organizations need to set up multiple lines of defense and monitor the strength of those lines on a regular basis.
Sixty percent of network breaches occur when a device is lost or stolen. One of the best policies to avoid a data breach is to physically secure a device so it can’t be lost and stolen. Physical security is the “first line” of defense and is recommended for all devices in health care organizations that deal with protected health information. Even highly mobile devices like smartphones and tablets can be physically secured in a logical way--for example by using electronic tethers that sound an alarm when a smartphone is left behind, or using slim-profile locking cases that can easily secure a tablet to a fixed device -- so their portability is not compromised.
Confirm that a “second line” of defense is enabled by ensuring that employees set auto-locking functions on their laptops, smartphones and tablets. Apply industry-standard encryption for all data transactions. Require that users have up-to-date antivirus and anti-malware tools on their devices. Do not allow “jailbreaking,”--a technique some people use to allow them to download apps that are not approved by Apple. This could expose the organization’s network to malware because the applications have not been screened. Create and require users to initiate two-factor authentication for their devices to access data the network.
Manage the “third line” of defense at the network level by implementing industry-standard firewalls, data protection and backup. Enroll all devices that will access the network and track data as it is transmitted. Set up virtual desktops so sensitive data does not reside on personal devices.
Define the appropriate balance between the benefit and risks of BYOD for each particular organization. Create tailored mobile access roles and definitions for what kinds of data people can access remotely using their personal devices. In addition, develop a process for communicating the policy to all employees, including the rationale for the policy, educating employees about the risks, and informing them about policy enforcement.
Audit policies need to be created and regular audits performed (quarterly audits are best). Technology adoption changes quickly, and going too long between audits can create unnecessary security leaks and risk to the organization.
Finally, plan for failure: What is the process for an employee to report a lost device? What steps will be required in the event of a data breach? How will sensitive data be wiped from personal devices if the device is lost or the employee leaves?