Healthcare organizations have typically been ahead of the curve when it comes to incorporating new technologies into their organizations. They look for new solutions to reduce costs and improve productivity and security. Technology can in fact save lives.
That’s why a “Bring Your Own Device (BYOD)” approach to mobile devices and technologies and healthcare is seemingly a perfect match. By allowing access to a healthcare organization’s network and data assets using personal devices, BYOD helps improve the productivity of healthcare professionals while lowering technology operation and support costs of the healthcare organization.
So what’s keeping every healthcare organization from enacting full-fledged BYOD programs? Information risk and security, privacy and compliance concerns primarily.
By John Pironti, President of IP Architects & Frank Andrus, CTO of Bradford Networks
A large, publicly-accessible campus like a hospital has inherent risks that private companies do not have. A hospital has limited physical security – the public is allowed to access the building at will. To meet HIPAA and other regulations in this open environment, a hospital needs to show that its networks are properly designed and secured, so only authorized users with approved devices can access sensitive patient and healthcare information.
But these requirements can conflict with user expectations of how they can use their personal devices to access and interact with your networks and applications. Ultimately, the benefits of BYOD will outweigh the concerns – but only if concerns about security and privacy are addressed. Hospital staff and IT must reach a mutual understanding of the risks and the controls needed before allowing users to access the healthcare network, applications and data with their personal devices.
BYOD and HIPAA Compliance
If your organization is considering adopting a BYOD policy, one of the first steps you need to take is to ensure your BYOD policies, standards and supporting capabilities are compliant with industry regulations such as HIPAA as well as state privacy and disclosure laws.
It’s important to note that HIPAA enforcement has increased in recent years. More providers are being fined for non-compliance, data breaches and other privacy and security issues. This concern will grow this year as Meaningful Use Stage 2 rolls out in earnest. Meaningful Use Stage 2 is the second phase of the meaningful use incentive program which governs the use of electronic health record (EHR) systems by hospitals and health care providers, and it provides stringent requirements for protecting patient health information. This means we’ll likely see an increase in audits for HIPAA compliance.
HIPAA has three types of security safeguards for information assets that a BYOD program must address to be in compliance:
- Physical Safeguards: Ensuring the appropriate physical handling of each device, and the existence and use of appropriate controls on it, from its first network access through termination of that access.
- Administrative Safeguards: Creating the right policies, processes, procedures and education about BYOD.
  - For example, are your policies clearly articulated and understandable? Are you providing the proper ongoing security education and awareness to employees about using their personal devices?
  - Have you accounted for the unique incident response processes and procedures needed if there is a security breach that involves a personal device, as part of your overall incident response strategy and plan?
- Technical Safeguards: Policies and procedures are needed – but they often need to be complemented by a comprehensive technology backbone to support these administrative requirements. It is important to identify the technical controls needed to support the security policies for access, audit, integrity and the transmission of healthcare data.
How your organization addresses these HIPAA issues and other risk and security considerations is dependent on your technology environment, the political atmosphere in the organization, and the ultimate goal of the BYOD program itself. The reality is there is no one way to implement a HIPAA compliant or comprehensively secure BYOD strategy – but there are some critical considerations that should go into the development of a strategy that works for your organization.
Here are five factors that need to be considered when developing a HIPAA compliant BYOD strategy.
1. Users own their devices, but you control the network
As the saying goes, ownership is nine-tenths of the law – this applies to employee-owned devices as well. Ultimately, the user has the authority and ability to modify their device configuration, applications and controls as they see fit. But this does not mean the organization is at their mercy – you do not have to let any user onto the network if their device is a risk. If you do allow the device on the network, you also do not have to give that device full access to your environment. The level of access should be directly related to your level of comfort about the security of the device and the user who is operating it.
Consistent communication and clear expectations are the key to success in this situation. Define and communicate the technical controls and behaviors that must be met to allow BYOD usage. Remember that it’s their device, but it’s your network. Clearly define what is acceptable and what is not acceptable to ensure confidential information and patient data privacy, integrity and security. This can include ensuring password protection exists on the devices, only communicating data over encrypted connections, ensuring volume encryption is enabled on all of the device storage elements, and ensuring that devices are being used in line with the manufacturer’s expectations (i.e. do not allow jailbroken devices within your environment).
This also needs to be enforced from a technical perspective, every time a device connects to the healthcare organization’s network. Network Access Control (NAC) can automatically verify a device’s security posture prior to granting network access. If a device does not meet the required standards, the user can be notified and provided the opportunity to update the device to meet the required control objectives and security standards. Remember, it only takes a few seconds of connectivity for a compromised device to bring down a network.
2. Limit Access of Personal Devices Compared to Issued Devices
BYOD does not have to mean that every device gets the same access levels to sensitive information. As a best practice, only corporate-issued devices should be able to access highly sensitive information that requires strict control and auditability. This access should be granted and enforced in accordance with role-based access policies. Examples include doctors accessing patient records or HR staff accessing personnel files – you may not want that type of information available in a BYOD environment.
Personal devices should be limited to lower risk capabilities when possible. This limits exposure and risk, while enabling employees to still be productive in accessing email, user directories, messaging platforms, controlled healthcare applications, select data stores, etc.
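The two decisions described above (a NAC posture check before any access, then a lower-risk tier for personal devices and full access only for corporate-issued devices with an approved role) can be expressed as one small policy evaluator. This is an added example, not code from the article or from any NAC product; the check names, role names and remediation messages are constructed.

```python
"""Toy NAC posture-and-tier evaluator (constructed example, not a real NAC product).

Encodes the two decisions the article describes: (1) verify device posture before
any network access, and (2) grant full access to sensitive data only to
corporate-issued devices whose user holds an approved role."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed control objectives mirroring the article's list: passcode,
# encrypted transport, full-volume encryption, and no jailbroken/rooted devices.
# Each maps to the remediation message shown to the user when the check fails.
POSTURE_CHECKS = {
    "passcode_set": "Enable a device passcode or PIN",
    "storage_encrypted": "Turn on full-volume (whole-device) encryption",
    "encrypted_transport_only": "Install the organization VPN / TLS-only profile",
    "not_jailbroken": "Device is jailbroken or rooted; restore a supported OS image",
}

# Hypothetical roles allowed to reach highly sensitive stores (patient records,
# personnel files). Role names are assumptions for the example.
SENSITIVE_ROLES = {"physician", "nurse", "hr"}


@dataclass
class Device:
    owner_role: str
    corporate_issued: bool
    posture: Dict[str, bool] = field(default_factory=dict)  # check name -> passed?


def evaluate(device: Device) -> Tuple[str, List[str]]:
    """Return (access_tier, remediation_steps).

    Tiers: 'deny' (posture failed), 'limited' (email, directory, messaging),
    'full' (sensitive patient / personnel data)."""
    # A check that was never reported counts as failed (fail closed).
    failed = [name for name in POSTURE_CHECKS if not device.posture.get(name, False)]
    if failed:
        # Block access and tell the user exactly what to fix before retrying.
        return "deny", [POSTURE_CHECKS[name] for name in failed]
    # Posture is clean. Personal devices stop at the lower-risk tier regardless
    # of role; only corporate-issued devices with an approved role go further.
    if device.corporate_issued and device.owner_role in SENSITIVE_ROLES:
        return "full", []
    return "limited", []
```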
3. Certify Mobile Devices and Capabilities for Use
BYOD is often a trade-off between the needs of employees and those of the organization. The trade-off here is that only evaluated and approved mobile devices, configurations, and applications should be allowed to access internal resources. To provide as much flexibility as possible, multiple configurations and typical use cases of each device should be evaluated. This avoids a one-size-fits-all approach to network access, which can lead to poor policy – one that’s either too restrictive or too open, putting the organization at risk.
As part of the policy development, clearly articulate what mobile devices and applications are NOT allowed in the environment. Explain the reasoning behind it as well, using straightforward language and backed up with credible data if at all possible.
The nature of today’s mobile device is that we often upgrade, change platforms and get a new device every few years (some of us more frequently). Help your employees by providing straightforward and pragmatic guidelines, so when they’re choosing their next device, they are doing so with the ability to meet your compliance guidelines in mind. You also need to continually evaluate new or updated devices, applications, and operating systems to make sure they continue to fall within the risk appetite and security posture of your environment.
4. Update Existing Policies and Standards to Reflect BYOD
Employee policies and standards need to reflect the changing network dynamic. Pre-existing policies guiding technology and network usage at work need to be updated to incorporate BYOD.
A good BYOD policy should start by identifying control objectives and requirements that are critical to operating a BYOD model. Where employees may have had an expectation of complete privacy with their personal devices in the past, connecting them to the healthcare network and access to patient and healthcare data changes this relationship. Highlight the right of the organization to examine and audit personal devices with probable cause and the process by which this will be established. Also, add language that clearly outlines the right to require, install, update, and maintain security controls on the devices, including applications.
Most importantly – clearly outline that device management is not restricted to the healthcare network. Because these devices are now used to access sensitive information, organizations need to maintain the ability to enact control of the device (for instance, remote wiping), no matter the physical location or the network it is currently using.
5. Educate on Management Capabilities and Impacts
Employees are typically responsible and want to do the right thing. So treat them like adults and level with them – provide visibility and insight into exactly what the policies are, what technical controls you will have on their devices and why this has to happen.
It’s OK to let them know that their device could be the pathway to a major HIPAA violation, data breach or other security incident. User activity (either malicious or unknowingly leveraged by an adversary) is the primary cause of almost all data breaches – losing a device, clicking on malware-infested websites, phishing links, etc. By providing a BYOD environment, you are implicitly sharing responsibility for securing against these threats.
One of the biggest concerns most users have in BYOD is that Big Brother is watching. So be open about why you’re doing what you are doing, what the risks are, what the benefits are and how you can find a common ground that works for both you and your users. If you are transparent with this information, they are less likely to undertake covert activities to try and hide their actions and activities from you.
Also note that if you are able to provide security education and awareness that provides users with beneficial outcomes in their personal activities they are more likely to embrace and adopt those same capabilities in their work activities. Focusing on these kinds of capabilities and controls first will help create a risk-conscious and security-aware culture.
Final Thoughts
BYOD can offer healthcare tremendous benefits, both financially and operationally to both users and the organizations they are interacting with. Finding the balance between user rights and organizational security is critical in building a BYOD policy that works both for the user and the organization. Once that policy and its supporting control objectives are defined, you can implement appropriate controls to ensure it is being properly and consistently enforced while also providing benefits to your users.