BYOD policy for healthcare employees

To meet the privacy and security requirements of HIPAA, hospitals need clear guidelines for employees who use their own devices for work.

August 11, 2021

Healthcare employees are like most Americans. They already own a smartphone or tablet, and they live and plan much of their lives through those devices.

And most healthcare employees prefer to also use these personal devices for aspects of their work, with younger employees more likely to feel this way.

“According to a just released survey of employees and employers by WorkJam, two-thirds of healthcare workers said they would...like to use their personal mobile devices to access information about scheduling changes and/or corporate training materials.”

This can be a significant benefit to employers. When employees use their personal devices, it can save on cost for the organization, which doesn’t have to purchase as many mobile devices. It also has been found to boost and streamline communication between employees.

Many organizations still don’t have a healthcare BYOD (bring your own device) policy in place, and some of those policies don’t cover important topics such as data usage and authentication.

A BYOD policy for healthcare operations is important for a variety of reasons, but chief among these is the need to protect patient data. That protection matters to patients, and it is also a requirement for maintaining compliance with HIPAA.

In this article, we’ll look at the reasons why a healthcare BYOD policy is so important, the standards surrounding protected health information and how it relates to BYOD, and finally we will offer some guidance as you build or implement your own BYOD policy.

Likely, your employees are already using their devices for work. It’s time to be proactive and make sure they have the proper guidance to do so in the right way.

Importance of BYOD policy in healthcare

Studies have found that a majority of healthcare professionals are already using personal devices in a professional capacity. Doctors on average use more than four apps for work purposes. 

This means that the work and operations of your organization almost certainly already exist in some form on the personal devices of your employees. This has some real benefits, which include secure text messaging. These encrypted messaging systems allow employees to communicate faster and more efficiently, which in turn leads to better overall operations.

But there are significant challenges to allowing BYOD in a healthcare setting.

Imagine that one of your doctors uses their smartphone to access work email, and they receive a message that contains the protected health information of a patient. That device could have a service on it that automatically backs up data. If so, that private patient data would be copied out of the hospital's digital ecosystem and into a third-party cloud storage service that has no business associate agreement with your organization. That is an impermissible disclosure under HIPAA and, if discovered, could lead to serious repercussions for your organization.

That is just one of the many ways your employees might use their personal devices for work purposes. Each of those uses brings with it the potential to lose or incorrectly share information.

Additionally, healthcare is one of the industries most targeted by attackers, who particularly value protected health information. Personal devices are a potential weak point in your IT security framework. Most commonly, smartphones are used in a healthcare setting, but any mobile device, including Internet-of-Things (IoT) devices and wearable technology such as smartwatches, creates vulnerabilities. This is a weak point, and one that attackers know how to exploit, according to research from the National Institutes of Health.

“Hospitals may have little or no control over the security of their employees’ personal mobile devices, which may contain sensitive organizational data such as patient information. Hospitals also do not have any control over a user’s nonwork-related activity on their BYOD device, as ownership lies with the employee. In addition, health care IoT devices such as personal wearables are growing at an exponential rate, and with each device added to the hospital network, the chance of breach increases. Furthermore, given the highly regulated nature of the health care industry, which enforces strict measures to protect patient information, health care organizations face a heavy task of compliance with health data protection laws. In short, BYOD security is ‘one of the biggest headaches for healthcare IT management.’”

A BYOD healthcare policy helps by creating a set of rules for employees, guiding them in the way that they can and cannot use their personal devices in a professional capacity. This policy will also provide guidance around device security, giving employees some best practices to protect themselves from the threat of hacking attempts.

Protecting patient data

HIPAA's Privacy and Security Rules are the rules established to maintain patient privacy. They cover protected health information (PHI): any individually identifiable health information, in any form. Most of this information now exists in digital form, as hospitals increasingly adopt mobile devices for tracking data and managing care.

This already requires significant IT security efforts even before considering the need to safeguard dozens if not hundreds of personal devices. A healthcare BYOD policy must consider all of the ways that patient data goes onto personal devices, and this includes things such as flash drives, which are a primary source of data breaches, according to Healthcare Drive.

“Healthcare organizations can pay dearly when breaches occur. Last year, Children’s Medical Center of Dallas paid $3.2 million to HHS over patient privacy breaches linked to an unencrypted, non-password protected BlackBerry device.”

HIPAA doesn't mandate specific products or technologies for safeguarding mobile devices, but the Security Rule does require reasonable and appropriate administrative, physical and technical safeguards so that patients can expect their data to remain private. Any device that creates, receives, stores or transmits electronic PHI in a professional capacity falls under these requirements, whether the organization or the employee owns it.

The Department of Health and Human Services created a PDF guide to mobile device security, which includes detailed guidance on security risks and potential solutions as it relates to patient privacy.

How to implement a BYOD policy

Now that you understand the importance of this work, there are a few key considerations as you begin developing your own BYOD policy for a healthcare setting.

To start with, consider reviewing our article BYOD policy best practices, which lays out some general guidance including:

  • Understanding the scope needed for your policy
  • Communicating employees’ rights and responsibilities
  • Specific security features

Then it’s time to drill into the specific needs of your organization.

Mobile Device Management 

Establishing a mobile device management (MDM) system can be a significant help in managing both employer-owned and BYOD mobile devices.

These services install a management profile or agent on every mobile device used by your health system. That lets you enforce a baseline configuration (passcode, storage encryption, minimum OS version) and keep work apps and mail in a managed container, separated from personal apps, which greatly reduces the risk of protected health information leaking into personal backups or unapproved apps.

MDM systems also let you enforce stronger authentication and login controls for work apps, to prevent unauthorized people from accessing hospital systems and information.

Lastly, they allow you to remotely wipe data from lost or stolen devices. For personal devices, a selective wipe of the work container is usually the right choice, so that the employee's own photos and data are untouched while the PHI is removed. This goes a long way toward securing patient data and giving you peace of mind.

If your organization doesn't already have MDM software, consider looking into it. Some policy management solutions, like PowerDMS, let you set a site key via MDM, making it easier for employees with a separate work device to access the application from the field (because the site key is prefilled, and the site is only accessible from that device).

Put your policies into writing

You may think that your employees already understand what to do with their devices, but you need to write all of your policies down so that they can be shared with employees and enforced consistently.

When writing things down, inventory all of your employees who use a personal device for work, and all of the personal devices that they use on the job.

Next, list all of the potential data that is captured on those devices. This should include all organization data, whether protected or not. Once you have an understanding of that, you can decide whether to limit some of this access.

An additional question is what networks or data storage platforms are accessible on these devices to each employee, and whether adequate permission structures are in place to prevent unauthorized access.

Lastly, write down which IT security personnel have oversight of your healthcare BYOD policy, and what actions they are authorized to take to protect data, either proactively or reactively in the event of a breach.

Identify security challenges

Take into consideration the security challenges you will face, along with the likelihood and severity of each. An NIH report lists some examples, including:

  • Devices that have insufficient security controls
  • Devices lacking any authentication or passcode
  • Malware infections from apps
  • Susceptibility to network-based attacks
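The device-level risks in that list are exactly the items an MDM or conditional-access gate can check before a personal device is allowed to reach PHI-bearing apps. The following is an added example, not code from the article or from any MDM vendor: it expresses a BYOD policy as a posture check that fails closed. The `DevicePosture` field names, the minimum OS versions and the blocked app identifiers (`com.example.…`) are assumptions for illustration; real MDM products report the same attributes under their own names.

```python
"""Policy-as-code posture check for a healthcare BYOD policy (added example).

The DevicePosture schema, MIN_OS_VERSION values and BLOCKED_APPS identifiers
are assumptions for illustration, not any vendor's API.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    os_name: str                        # "ios" or "android" (case-insensitive)
    os_version: str                     # dotted string as reported, e.g. "17.2.1"
    mdm_enrolled: bool                  # management profile / agent present
    passcode_set: bool
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    work_container_present: bool        # work mail and apps kept in a managed container
    work_data_in_personal_backup: bool  # work data included in the user's own cloud backup
    installed_apps: Tuple[str, ...] = ()


# Policy parameters (assumed values; set them from your own risk assessment).
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}
# Hypothetical app identifiers the policy bans on devices that touch PHI.
BLOCKED_APPS = {"com.example.personal-filesync", "com.example.sms-forwarder"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.2.1' into (17, 2, 1); tolerate suffixes like '14-beta'.

    Anything unparseable becomes (0,), which always fails the minimum check.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


def version_at_least(reported: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare with zero-padding so '16' is not judged older than (16, 0)."""
    width = max(len(reported), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(reported) >= pad(minimum)


def evaluate(posture: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means the device meets policy.

    Fails closed: an unknown platform is denied rather than waved through.
    """
    reasons = []
    if not posture.mdm_enrolled:
        reasons.append("not_enrolled")
    if not posture.passcode_set:
        reasons.append("no_passcode")
    if not posture.storage_encrypted:
        reasons.append("unencrypted_storage")
    if posture.jailbroken_or_rooted:
        reasons.append("jailbroken_or_rooted")
    if not posture.work_container_present:
        reasons.append("no_work_container")
    if posture.work_data_in_personal_backup:
        reasons.append("work_data_in_personal_backup")

    minimum = MIN_OS_VERSION.get(posture.os_name.lower())
    if minimum is None:
        reasons.append("unsupported_platform")
    elif not version_at_least(parse_version(posture.os_version), minimum):
        reasons.append("os_below_minimum")

    banned = sorted(set(posture.installed_apps) & BLOCKED_APPS)
    if banned:
        reasons.append("blocked_app:" + ",".join(banned))

    return (not reasons, reasons)


# Constructed sample postures (not real devices).
COMPLIANT = DevicePosture(
    device_id="dev-001", os_name="iOS", os_version="17.2.1", mdm_enrolled=True,
    passcode_set=True, storage_encrypted=True, jailbroken_or_rooted=False,
    work_container_present=True, work_data_in_personal_backup=False,
    installed_apps=("com.example.secure-messaging",),
)
NONCOMPLIANT = DevicePosture(
    device_id="dev-002", os_name="android", os_version="11", mdm_enrolled=True,
    passcode_set=False, storage_encrypted=True, jailbroken_or_rooted=False,
    work_container_present=False, work_data_in_personal_backup=True,
    installed_apps=("com.example.personal-filesync",),
)

if __name__ == "__main__":
    for device in (COMPLIANT, NONCOMPLIANT):
        allowed, reasons = evaluate(device)
        print(device.device_id, "ALLOW" if allowed else "DENY", reasons)
```

The reason codes are deliberately machine-readable so the same output can drive an access decision, a ticket to the help desk telling the employee what to fix, and a compliance report. The "work data in personal backup" check is the scenario from the email example earlier in this article turned into an enforceable rule rather than a hope.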

Consult other healthcare providers

You can look to other health systems for a BYOD healthcare policy sample, such as this one from the British National Health Service.

There are also template healthcare BYOD policies available online from different sources. Just make sure that any template you consult comes from a reputable source, and remember that your organization is unique, with its own structure, services and workflows. You'll need to create a healthcare BYOD policy that suits your organization.

Putting policy into action

In creating a healthcare BYOD policy for your organization, remember that a policy is only effective if your employees can understand it and put it into action. You’ll need to write it in a way that is relatable to them and with clear instructions.

Most likely, you already have employees using their personal devices for their work, and that will only become more likely as newer and younger employees are hired. This can be a boon for your operations, but only if you have the structure in place to maintain IT security.

Keep in mind how important this is to your HIPAA compliance and follow the best practices listed above to protect your employees and your organization.

Because attacks on healthcare systems are only expected to increase, this is a step you can take now to close off a common avenue of attack.

A strong healthcare BYOD policy will give you peace of mind as you embrace the benefits of mobile technology. And remember, this is just one of many important healthcare policies.
