TMCnet News

Implementing an Effective BYOD Protocol [Healthcare Informatics]
[October 29, 2014]

(Healthcare Informatics Via Acquire Media NewsEdge)

Healthcare technology lawyer Melissa Markey explains the benefits and perils of BYOD

By Gabriel Perna

Four of the scariest letters in the English language for health IT executives are B-Y-O-D. This, of course, is short for "bring your own device." While use of personal smartphones and tablets has increased in healthcare settings, unease from CIOs and IT leaders has not gone away. According to the Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security, 88 percent of organizations allow employees and medical staff to connect personal devices to their organization's networks. However, the same survey also revealed that more than half of organizations are not confident that the personally owned mobile devices are secure.
Studies have shown that when BYOD works, it can increase efficiency and productivity, improve physician morale, and decrease costs for infrastructure. However, many CIOs worry that the privacy implications and risks are too high to justify.

Can providers and IT leaders find themselves in a win-win situation? Yes, says Melissa Markey, a healthcare technology lawyer at the Indianapolis-based Hall, Render, Killian, Heath, & Lyman. Markey advises providers on how technology can be a benefit while also presenting risks to the patient, and on how to protect the patient from those risks. She recently spoke with Healthcare Informatics Senior Editor Gabriel Perna about the risks and benefits of BYOD and about implementing an effective BYOD protocol that will leave providers happy and IT executives at ease. Below are excerpts from the interview.


PROVIDER CONCERNS ON BYOD

Healthcare Informatics: As a healthcare technology lawyer, when did you start getting inquiries on BYOD policy?

Melissa Markey: A long time ago, doctors had pagers on their hips. Then it became two pagers. It eventually became inconvenient to keep track of multiple devices, and as phones became smarter and tablets became more capable, and applications became richer in functionality, [providers] started saying, 'Why do I have to have multiple devices? Why can't I just use one device for everything I need and make my life simpler?' The CIOs recognized that it was necessary to address that desire for two reasons. First, you don't want rogue devices on your network. Number two, the reason we exist is to care for patients. If we can take an innovation and use it in a way that makes it more efficient for healthcare providers to take care of patients, that's a win-win situation. That's what we're trying to get to. I started talking to clients more and more, who were asking, 'How do we approach personal devices in a way that we can make it safer, make information more readily available to our providers to let them take better care of patients, while making sure that our network is secure and that patient information is secure?'

HCI: So you've worked with hospitals and healthcare facilities on this directly?

Markey: There are two different camps when we get the initial call. The first camp: 'Tell me how I can say no.' The other camp: 'Tell me how I can do this safely.' Typically, when I get a 'Tell me how I can say no' call, I try to let them know that saying no is not going to be effective. It's sort of like telling a teenager they can't hang out with their friends. It's not going to work. What can be effective is coming up with reasonable, rational policies, educating people about why you need to have those policies and why they're not random policies, and helping them recognize the reason is patient-care focused. If you help your providers understand what you're doing, they might not be thrilled about it, but they tend to be willing to be compliant. If you say, 'This is the policy, you have to comply with it, and we won't talk about it,' that's not an effective policy.

HCI: Is security the only reason, or is it just the main reason these guys are saying, 'Tell me how I can say no'?

Markey: The security aspect is an important thing to focus on. I don't think it's the only reason. There are a lot of operational issues that go into a BYOD program. Because instead of saying, 'We're going to use this mobile phone and I've got someone training on this phone,' you need to train the help desk to deal with 12 models of phone, four different operating systems, and on top of everything else, 492 different weird applications that people have, because it's their phone. A lot of apps are going to mess with your phone and its functionality. When your phone won't work and your Outlook calendar won't sync, and they call the help desk and say, 'None of my calendar is coming through,' your poor help desk has to figure it out. There are big operational considerations and it does make the IT department's job harder. It's understandable to say, 'Tell me I can tell them no,' but it's just not the right thing to do.

WHAT ARE THE SECURITY RISKS?

HCI: In terms of security risks, what can those lead to if not properly monitored?

Markey: To be perfectly honest, there are several components of a security risk. The biggest security risk is that these devices get lost. People take them out of their pockets and put them on the table at lunch, and they walk away and leave them. They leave them in the bathroom. They leave them in taxis. They leave them all over the place. They get lost. We then have a phone wandering around with protected health information (PHI) on it and we can't say with certainty that there's no breach. That's a big problem.

Another problem is that while you may have information encrypted, it's not always encrypted. For example, text messages are freely visible a lot of times on the telephone. It's easy for anyone to eavesdrop. Those apps that everyone loves are literal information-gathering devices. They take so much information and nobody knows it because no one bothers to read the privacy notice. You don't know what's happening on the back end, and some of them are bad apps; they sometimes provide a route into the hospital network. That type of security concern is out there.

The other concern is that you have data stored on your personal device that is personal data, and now you have corporate data on that device. It leads to the mixing of personal and business, which can lead to other concerns. You end up blurring those lines and there are a host of legal considerations that go along with that. For example, if you're an hourly worker and have a BYOD program, and your work shift ends and you go home, and you start reading emails at home, are you logging in for overtime? Do you need to be paid overtime? That can raise labor standards issues. If you have data on your phone that becomes the issue of litigation in the future, and you have to put a litigation hold on that data, it may mean we need to take custody of that phone for a little bit. There are a whole host of legal issues. You need to be thorough when putting together a BYOD policy.

THE BASIS FOR A SOUND BYOD POLICY

HCI: What is involved in an effective BYOD protocol?

Markey: I put it into a very general 'who, what, when, where, why, and how' format.

Who needs to use a BYOD device? Not everyone should be able to access company data on their personal device. You should need a reason to need access to company data when you're not sitting at a static location. Also, you need to identify who has the authority to approve a BYOD request and in the policy, identify who owns the data.

What kind of data can go on that device? What kinds of applications can go on the device? Are you going to set up an approved app store that shows you've vetted certain apps? Or are you going to let folks download any app they want and deal with the problems later? What controls are needed on the device? Are you going to require mobile device management software? How complex are you going to require passwords to be? How long before the screen lock comes on? All of those types of technological/security control questions need to be addressed.

You have to answer what devices are going to be OK. Even though you are going with a BYOD policy, there may be a decision that you are only going to approve devices you are familiar with. There may be limits on brand specifications, operating systems. Whatever the technology guys decide is reasonable. Then you have to think about what your service policy is going to be. Is your IT help desk going to fix phones when they are not working? If they're not going to fix phones, this means the phones are going to the carrier, and what are the implications if you've got confidential data on the phone? 'Why' is documenting why users will be given access to data on that device, why access can be terminated, and the details behind the reasoning allowing the use of BYOD.

'When' talks about when data access is granted and when it's removed. 'When' is also when the device was lost and when you have to report that the device is lost. 'Where' is where the devices can be used and where they can't be used. And are there care areas where special rules have to be followed? For example, there are a couple of cool apps for tablets that the orthopedic surgeons and oncology surgeons like to use that overlay the imaging modalities over each other. If you are taking your iPad into the operating room (OR), it's probably not very clean by OR standards. There need to be special rules for taking BYOD into a special care area, so you're not contaminating it.

'How' is how you get permission to use the device. How is mobile device management applied to the device? How is the device wipe administered? How do you get the message from HR that someone is being terminated so we can decommission them out of the BYOD program? 'How' is the mechanics of how this actually works.

HCI: What type of data do you recommend using on mobile devices?

Markey: My preferred approach is to have the data not residing on the device. I'd rather the data be on a server and transmitted to the device. You can view it on the device and save it on a server. We lose these devices all of the time. If it's viewed on the device and saved on the server, I have fewer concerns. They are not completely gone, but fewer. One thing we need to be really careful about is our photographs. Sometimes we have caregivers who take photographs of wounds, injuries, bruises, those kinds of things. Then they forget that they have them on their phone. Then you'll have a family member pick it up and see the patient photos. Obviously, that's a bad thing. Maybe you should think about using a special camera for photographs, so it doesn't accidentally get uploaded to iCloud.

HCI: Overall, do the security risks outweigh the benefits of mobile devices, or vice versa?

Markey: If you've got a good mobile device policy, I think patient care can be improved by mobile devices. I think we have to use them smartly. If we don't think about what we're doing and we're not smart about the way we use mobile devices, it could cause harm. You have to be on guard against that.

For example, I know healthcare providers like to text information back and forth. There may be times where that is an effective way to communicate, although Joint Commission rules say you cannot text orders. But if you ever want a vivid picture of the risks of that kind of communication, just Google autocorrect and you will see how often autocorrect distorts what you are trying to text. So if you are going to do it, you have to double check what you just typed and make sure when you read something, it makes sense. Make sure you're in the moment and paying attention. You can't use mobile devices when your attention is divided in healthcare. It's easy to have errors. If you've got PHI on your phone, you have to be extremely vigilant that you know where your phone is at all times.

HCI: Do you have anything else to add on BYOD?

Markey: Just that to have a strong BYOD policy and program, it's really important to involve a lot of different people.

(c) 2014 Vendome Group LLC
