BYOD: Beware of Your Own Device—and the People Who Carry Them

Mobile devices allow you to do amazing things: play Candy Crush Saga in a boring meeting, download your alma mater’s fight song, get the calorie count of the Costco-sized pizza you bought. They also have the potential to do amazing damage to sensitive patient information—especially if you don’t take care to secure your phone or tablet.

The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security found that 88 percent of organizations allow their workforce to use their own smartphones or tablet to connect to networks or enterprise systems, such as email. Yet more than half of organizations are not confident that these devices are secure. Small wonder, then, that the Ponemon study found unsecured mobile devices to be a top threat, the Wall Street Journal reported.

This lack of confidence fails to surprise me, since few organizations mandate common-sense security precautions when it comes to bring your own devices:

• Only 23 percent require anti-virus/anti-malware software on mobile devices before connecting.
• Only 22 percent scan these devices for viruses and malware prior to connection.
• Only 14 percent scan devices and remove mobile apps that present a security threat before connecting.

A key word in these statistics troubles me: prior or before.Proactive security measures that, if followed, could avoid exponentially more cost and headache later on. It’s a lot easier to stamp out a campfire than it is to battle a forest fire.

Workforce Negligence and BYOD (Bring Your Own Device): A Flame to Tinder

An article in SearchHeatlhIT, “BYOD in healthcare brings new mobile device security strategies,” quotes the CIO of NCH Healthcare System in Naples, Fla., “…all of our processes will be electronic. It is part of our journey to the digital hospital. There will be no more paper.” This is a bold statement, given that a mere 100 of 650 physicians affiliated with the two NCH-managed hospitals are employees.

The Ponemon study connected the concerns over employee negligence and BYOD. Seventy-five percent of organizations in the Ponemon study view employee negligence as their biggest security risk. What about the risk of non-employees who may access sensitive patient data with their insecure mobile devices?

Dousing the Risk of BYOD

The SearchHealthIT article goes on to discuss Beth Israel Deaconess Medical Center in Boston, an organization tightening its security controls over mobile devices to better comply with changing regulations. Some of these controls, listed below, are among the same ones that security experts recommend, the article says.

• Implement a governance policy that “outlines the rules and responsibilities around data access, device use and employee behavior."
• Communicate. The goal is to raise employee awareness about the consequences of their technology-related actions.
• Enable IT to implement security-related technologies and policies and procedures, such as onboarding, network access control, the use of mobile device management apps, encryption, desktop virtualization, and remote wiping.

Note that while many of these BYOD best practices center on technology, much of the responsibility rests with the people who carry these devices—employees and non-employees alike. As this article points out, employee awareness is the first line of defense. They must understand that every time they open an app or access their e-mail, they may be giving hackers, malware, and viruses access to the most vulnerable of information. At the same time, decision-makers in healthcare organizations must choose to implement policies that would secure these devices.

Bottom line: Mobile devices are as secure or insecure as the security precautions that organizations choose to require for them.