Despite concerns over the use of personal devices in the healthcare industry, “bring your own device” (BYOD) is becoming “business as usual.” Numerous studies and surveys demonstrate that physicians, as well as others working in the healthcare industry, routinely use their personal mobile devices for business. In many respects, it’s a good thing.
Time-crunched physicians find that using their personal mobile devices allows them to consolidate many of the tasks integral to their personal lives and professional responsibilities. Among the benefits are convenience and increased productivity. BYOD also provides benefits to the healthcare organizations that embrace it, including a reduction in overhead costs because the organization does not have to provide mobile devices to its roster of physicians.
Nonetheless, there are legitimate fears about the use of personal devices in the healthcare industry, particularly among physicians. Not the least of the concerns is that physicians are among those most likely to access data classified as “protected health information” by the U.S. Department of Health and Human Services (HHS). That data is subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Failure to meet those requirements can result in civil and criminal penalties.
It’s not that physicians themselves would intentionally violate HIPAA requirements, or do anything criminal with PHI. As is the case with anyone using a mobile device, it’s simply easy for a physician to misplace a cell phone or tablet by leaving it at a restaurant or someplace else, or to have it stolen. Once that device is in the wrong hands, restricted data is at risk.
The fact is that PHI is a hot commodity among cyber-thieves. While it’s been reported that credit cards sell for a dollar or less on the black market, personal health credentials command as much as $10 per patient. PHI includes important identification, financial and medical information which, together, make it easy for criminals to steal identities, open accounts and file false medical claims.
Unfortunately, there’s no single solution for protecting PHI when personal devices are used to access it. However, the implementation of well-formulated BYOD policies and certain technologies can help reduce BYOD risks. These measures are more likely to be successful if they are accompanied by comprehensive, repeated physician-specific training and reinforcement.
Understanding the Risks Associated with Mobile Device Support
While it might be more secure to provide physicians with corporate-owned devices, that’s not always practical in terms of cost, physicians’ efficiency, or their willingness to comply. That means security policies need to be in place to provide guidance for the use of personal devices. To develop those policies, and the training needed to help physicians abide by them, the first step is to understand the risks associated with using personal devices to access what will very often be considered PHI.
- Loss of some control over data across the organization. Company-purchased devices would minimize this loss of control, but they are often cost-prohibitive.
- Data breaches due to employee negligence and lost or stolen devices. For example, it’s easy for a physician to leave a device unattended while logged in, allowing someone to steal or otherwise access the device and protected data.
- Exposure of data to unauthorized third parties as a result of physicians possibly sharing their personal mobile devices with family members or friends.
- Physicians inadvertently downloading unapproved apps or programs, which may be accompanied by malware or viruses.
- Physicians opening emails from unverified senders, thus allowing malware or viruses to enter your organization’s network.
- Physicians using social media sites for personal reasons at work, allowing cyber-criminals to introduce malware on shortened links and exploit encrypted traffic to deliver payloads.
- Physicians viewing adult content on work devices (it happens), again allowing cyber-criminals to introduce malware on shortened links and exploit encrypted traffic to deliver payloads.
- Violation of HIPAA, the Gramm-Leach-Bliley Act and other security regulations due to all of the above, resulting in fines, damage to reputation, and other consequences.
Physician-specific BYOD policies also need to take into account the full range of potential risks and what can be done to help avoid/reduce them. That includes specific consideration of the needs and daily routines of physicians. For example, do physicians need to access mission-critical business and clinical applications? Do they need this access when they are not on site, or after hours? Do they need offline access to the data? What liabilities, if any, will your healthcare organization face if your physicians choose to use personal healthcare applications for reference, dosing, or other calculations?
BYOD Security Policy
Once the security risks associated with BYOD are identified and physician needs and routines are understood, policy formulation can start. The following are some of the topics and questions to take into consideration:
- Have all the personally owned devices that are being used by physicians in your organization been identified? How will you or do you keep track of them?
- Are physicians required to “register” their devices? Requiring registration of physician-owned mobile devices used within your organization for work purposes will allow you to better control who has access to your network or system and will help keep unauthorized persons from accessing them. Registering mobile devices may also help your organization or police find lost or stolen mobile devices.
- Can physicians connect to your organization’s internal network or system with their personally owned mobile devices just on-site or is remote access allowed?
- If remote access will be allowed, has your organization assigned responsibility and established processes and schedules to check all mobile devices to find out if selected security/configuration settings are enabled?
- How is remote access enabled? Do you use a VPN? Will two-factor authentication be required instead of a single password?
- Will you use mobile device management (MDM) technology to configure, monitor, secure and control mobile devices remotely? How about remote wiping and remote disabling in the case of lost or stolen devices?
- Will you make use of cloud technologies and “desktop as a service” technologies?
- Will there be a regular review and audit of physicians’ devices?
- Will your organization restrict how physicians can use their mobile devices for work purposes or when accessing your organization’s internal systems or data?
- Will or can physicians use mobile devices to access specific internal networks or systems, such as an EHR?
- Will your organization allow texting or emailing of health information? What security protocols will you put in place?
- Will your organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
- Are you encrypting all data, at rest and in transit?
- Are there restrictions on the type of information physicians can store on mobile devices? If so, where and for how long should the data be stored?
- How will backups be handled?
- Are physicians allowed to download mobile applications to mobile devices? If so, what type(s) of applications are approved?
- Does your organization have written procedures for addressing misuse of mobile devices?
- Does your organization have procedures to wipe or disable a mobile device that is lost or stolen?
- Does your organization have standard procedures for eliminating access to internal systems and data by physicians when their employment or association with your organization ends?
- How will your organization train physicians on BYOD policies and procedures? Do you already have training in place? Who is responsible for it? How often is it updated?
- How will your organization hold physicians accountable for non-compliance with BYOD policies?
Keep in mind that once BYOD policies are established, they’ll need to be continually reviewed and updated. Technology changes rapidly, and cyber thieves seem able to take advantage of the changes and exploit any inherent weaknesses.
Physician-Specific BYOD Security Training
The most stringent BYOD policies will not protect health information unless physicians are trained to follow and enforce them. Security awareness is a byproduct of training, and both must be an ongoing part of each physician’s work environment.
Successful physician-specific BYOD security training should cover both the technological and behavioral sides. The most effective training will be multi-faceted. Keep in mind that physicians are busy, so training needs to be quick, flexible and unobtrusive. If possible, offer several training formats and ask physicians for input.
A number of third-party companies offer BYOD security training; many either provide healthcare industry-specific options or can create customized programs for physicians and other healthcare industry employees. Whether you go with a third-party provider or prefer to create your own in-house program, consider including the following components:
- A review of your institution’s BYOD policy, with special emphasis on anything specific to physicians. This can be as simple as a handout or a full-blown PowerPoint presentation, depending on the complexity and content of the policies. Include an element that helps ensure full understanding. This can easily be accommodated by providing a policy overview online and requiring sign-off on each element before the participant is allowed to proceed, or through the use of an online quiz that includes instant feedback.
- A review of potential risks when using personal devices in the healthcare industry, as well as the consequences.
- A review of BYOD security best practices, such as the use of two-factor authentication, secured Wi-Fi networks, secure text messaging, and encryption. Take advantage of government-sponsored resources available at https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
- A discussion of the various ways physicians access data and their reasons for doing so, as well as the various scenarios in which data access occurs. Use “role playing,” interactive training modules, character-driven training games, or other testing mechanisms to allow physicians to practice “safe” behaviors when accessing data or simply using their device for personal reasons. You can also use the “gamified” training module available from the Office of the National Coordinator for Health Information Technology’s (ONC) Office of the Chief Privacy Officer (OCPO) at https://www.healthit.gov/providers-professionals/privacy-security-training-games.
- One-on-one sessions with physicians to help ensure that policies cover and work with each specific physician’s daily routine. While this is a time-intensive exercise, it helps ensure that more potential security risks are accounted for and helps physicians better understand the security risks and consequences inherent in their specific work.
- A review of protocols for using/downloading apps. Is there a list of “approved” apps? Is there a procedure for getting IT to review and provide access to “desired” apps? Make sure this information is made available.
- HIPAA-specific training. Make sure physicians understand their roles and responsibilities in meeting HIPAA requirements. There are a number of helpful, government-sponsored resources at: https://www.cms.gov/ and http://www.hhs.gov/hipaa/.
- A review of topics such as the safe use of connectivity features like Wi-Fi, GPS, and Bluetooth, and keeping data, network, and equipment safe when working outside the office.
- Anti-phishing training to help identify and avoid manipulative content, malicious and disguised links, dangerous attachments, inappropriate data requests, and other threats. Take advantage of resources available from organizations such as SecurityIQ at https://securityiq.infosecinstitute.com/.
- Simulated offers of free apps or software that would appeal to physicians, used to test and track their behavior. Provide feedback so physicians are alerted to the potential consequences of seemingly innocent actions.
BYOD privacy and security awareness training, as well as your organization’s BYOD policies, should be constantly updated to reflect any changes in the security or regulatory environment, as well as changes in physicians’ routines and even patients’ behaviors. Remember, advances in technologies are also changing patients’ expectations of their interactions with their physicians. Those expectations, in turn, affect how physicians use technology—including their mobile devices—to provide patients with care and information.
Perhaps most important, keep in mind that training is not a one-time thing. Follow-up sessions with physicians are a must, as is constant reinforcement. Use wall posters, email campaigns and other tactics to keep BYOD security awareness top of mind, and to help increase awareness of existing and emerging risks. Include articles on BYOD security in all organizational publications directed towards physicians. Provide easy mechanisms for physicians to report phishing schemes and other risks, and to provide feedback on the effectiveness of training programs.
Cyber-criminals are relentless, and the BYOD trend makes any mobile device user a target. The risks and consequences are extremely high for physicians who may (and often must) access PHI. Physician-specific BYOD security training can help equip physicians to use their devices safely and minimize potential risks. That training entails many components and considerations, but the resources to help are out there.