Bring-your-own-device or BYOD policies are becoming not just an option, but in many cases necessary because of remote and work-from-home scenarios. BYOD is an increasing priority for IT admins to give employees secure access to the resources they need to do their jobs.
The use of zero-trust architecture is one way to create network security even with a BYOD policy, but there are other things to keep in mind as well. The following are things to know about BYOD policies in general and the cybersecurity implications.
BYOD policies
Under a BYOD IT policy, employees aren’t just permitted but are sometimes encouraged to bring their own devices to access systems and data. Devices can include laptops, smartphones, and tablets.
There are some general options as far as provisioning of access levels when employees use their own devices.
You can offer unlimited access for their personal devices. You can instead allow only access to non-sensitive data and systems on their devices. Another option is to provide access, but with IT control over devices and the fourth option is access, but with the prevention of local data storage on these devices.
There are significant benefits to a BYOD policy for many employers because it can promote productivity and managed risk. Many employees also prefer it. Employees can choose what devices they’re most comfortable using. Due to that comfort, employees are more likely to be productive because they already know how to use them. This might help with buy-in on new technology too.
BYOD policies can cut the costs for your business and alleviate pressure on the IT budget. While there are upsides, there are some potential risks.
Guest post by Dr. Christopher Ray, chief technology officer of Medical Information Records, creator of AnesthesiaOS, a cloud-based EHR solution for anesthesiologists and winner of Dell’s “Advancing Medicine” Healthcare Innovation Challenge.
Mobility and Bring Your Own Device (BYOD) strategies are transforming all aspects of healthcare by enabling physicians, nurses and medical staff to improve the delivery of care while enhancing patient outcomes and safety.
The upsides are impressive: Fast, responsive, agile solutions that streamline healthcare workflows and harness big data to deliver smarter care and more personalized medicine. By enabling providers to use preferred devices and mobile cloud software, mobility can help transcend how electronic medical records (EMR) are captured, accessed and viewed.
When it comes to mobility and BYOD in healthcare, however, security and compliance must go hand-in-hand. In creating AnesthesiaOS, a fully mobile anesthesia information management system (AIMS), we focused on providing greater efficiency in practice management while ensuring the highest levels of safety and integrity for protected health information (PHI).
To that end, creating, achieving and maintaining compliance with both patient privacy and healthcare standards was accomplished by leveraging the following set of comprehensive best practices:
Protect, Identify and Confirm All Regulated Data
The biggest challenge healthcare organizations face today is preventing information from ending up in the wrong hands. Since protecting information is an overarching goal, it’s crucial to identify all regulated data that will be generated on, accessed from, stored on or transmitted by a mobile or BYO device.
Guest post byJason Thomas, CIO and IT director of Green Clinic Health System, and Dell Software solutions user.
Across the healthcare landscape, organizations are expected be in complete compliance with all security and privacy policies on all devices – even personal devices brought in by doctors, nurses, clinicians and administrators.
Being compliant involves many things, including training staff, revising business agreements, modifying policies, staying up-to-date on the newest technologies and updating notices of privacy practices as new regulations go into effect – such as the HIPAA Omnibus Final Rule.
While most of the industry’s current compliance strategies are focused on maintaining privacy and protecting patient data, the more recent addition of bring-your-own-device (BYOD) brings a whole new level of complexity into the compliancy equation.
David Willis, vice president and distinguished analyst at Gartner, recently stated, “BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades.” He added that the benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction and reducing or avoiding costs.
Guest post by John Moynihan, healthcare segment manager, Global Industry Marketing, Siemens Enterprise Communications and Randy Roberts, vice president, mobility portfolio, Siemens Enterprise Communications.
Technology in business today can seem like a zero-sum game. When the employees win, they are able to do whatever it takes to be productive. But doing that tends to tie the hands of IT, keeping them from locking down devices and services well enough to make sure their information is secure. This situation is becoming more common in the medical industry, with clinicians and computing staff often at odds over convenience versus security. Doctors, traditionally reluctant to adopt new technology or take any risks with tried-and-true methods for caring for their patients, have taken to mobility as a duck to water.
Because access to patient information allows them to better do their jobs, doctors in particular are quickly adopting tablets and smartphones. And while they’re not ignorant of the security risks of these devices, particularly the potential for patient information to be lost or stolen, their focus is on caring for their patients. In fact, even if their business doesn’t provide or specifically allow for mobility, they are bringing their own devices into the office.
A recent Ovum study showed that almost 60 percent of employees bring some type of mobile device into the workplace. There are a few names for this, Bring Your Own Device (BYOD), Bring Your Own PC (BYOPC), Bring Your Own Phone (BYOP), User Introduces Unsecure Device onto My Network and Then Loses My Secure Data (UIUDOMNTLMSD).
Alright, so I made that last one up, but that is how most IT managers feel when the discussion is started about BYOD. An end user bringing a device to work is both a gift and a curse for any sized company. We see an increase in productivity but also the increased threat of data being lost or stolen. Having a strong mobile device management (MDM) strategy can help companies reap the benefits of BYOD while limiting the consequences.
Given the increasing popularity of mobile devices that continue to proliferate all areas of our personal and professional lives, clearly personal devices are going to show up in business settings and will be used to disseminate information with internal and external stakeholders.
Even if not an official piece of technology authorized for use in the workplace, their ease of use and availability make them attractive and affordable tools in the professional setting. Though most personal mobile devices not provided by an employer are allowed by employers because organizational leadership believes they lead to more productive employees who are “always on.”
Healthcare is no different. Mobile devices allow physicians to stay connected to their practices, like employees of all other businesses, and where available (as in, practices with systems that support mobile integration) connected devices allow care to be virtually administered from nearly anywhere. In the very least, notes and patient records can be reviewed while the care giver is out of the office or on call giving said care giver a head start on the case should a call come in.
On the other hand, savvy practices are realizing that some patients understand the value of mobile health. Practices are encouraging their employees to interact with patients using portable devices in the care setting. Patients who value mobile technology consider their providers innovative and ahead of the proverbial curve. Sometimes personal mobile devices may be used to accomplish this goal.
However, there are clearly inherent risks involved with blindly and openly accepting the use of personal devices in the workplace that many small businesses simply choose to ignore or overlook. Not because they feel invincible, but most likely because they just don’t know or understand the risks.
Jerry Irvine, CIO of Prescient Solutions — an IT consultancy — points out in a recent editorial for Firmology.com that the most prevalent security risk of mobile devices is that they will be lost or stolen.
According to Irvine, if a smart phone, for example, is stolen, all of the information on it is available to whoever holds it. In most cases, the personal phones don’t have identity-related security benefits to protect the information meaning all personal and business information can be accessed.
As Neil Versel tells in his recent piece, the devices, at some point will go missing. When they do, most affected organizations have little or no plan to prepare for the possibility that the information will be used maliciously. The obvious risk here, in healthcare, is the exposure of patient’s personal health information, cases we hear lots about when they occur.
Offering advice to businesses without a BYOD policy, Irvine provides a nice succinct list of musts that organizations allowing employees to BYOD must consider. Picking some of the high points here, you can see the complete list at the link above.
First off, Irvine suggests requiring and maintaining complex passwords to access the devices.
Next, create a separate encrypted container for business applications and data and don’t allow the same email application to access both personal and business emails.
Set up a registration and provisioning system for the devices that allows for monitoring, remote application installation, locating and wiping of company data. Irvine says, “Use the system to remotely install all company applications as well as mobile device systems updates, patches and security fixes.”
Also, make sure to install antivirus and malicious application scanning solutions keep the devices clean, and disable its ability to access public Wi-Fi networks. Hackers can pirate networks and surf for information though unprotected devices of unsuspecting users. “Allow only known secure networks to include the user’s home network and the company network,” Irvine says.
Perhaps one of the most important steps is to require that all maintenance, updates and disposal of devices be done by the company or authorized vendors who follow specific security requirements. More information than you’d like to think gets swiped while your device is in the shop and you never know.
Finally, don’t allow enterprise data to exist on a personal device, and educate all users on the secure appropriate use of mobile devices. Once you’ve done so, get them to acknowledge and sign an appropriate usage policy.
These steps may not protect you from every incident, but they do create a foundation for what may be an otherwise unscripted and unregulated program. And, putting these steps in place lets your employees know you encourage an environment where initiative and innovation are accepted, and perhaps even rewarded.
