Creating a BYOD Plan Protects Your Practice and Your Employees
Given the increasing popularity of mobile devices, which continue to spread into every area of our personal and professional lives, personal devices are clearly going to show up in business settings and will be used to share information with internal and external stakeholders.
Even when they are not officially authorized for use in the workplace, their ease of use and availability make them attractive and affordable tools in the professional setting. Most personal mobile devices not provided by an employer are tolerated by employers because organizational leadership believes they lead to more productive employees who are “always on.”
Healthcare is no different. Mobile devices allow physicians to stay connected to their practices, like employees of all other businesses, and where available (that is, in practices with systems that support mobile integration) connected devices allow care to be administered virtually from nearly anywhere. At the very least, notes and patient records can be reviewed while the caregiver is out of the office or on call, giving that caregiver a head start on the case should a call come in.
On the other hand, savvy practices are realizing that some patients understand the value of mobile health. Practices are encouraging their employees to interact with patients using portable devices in the care setting. Patients who value mobile technology consider their providers innovative and ahead of the proverbial curve. Sometimes personal mobile devices may be used to accomplish this goal.
However, there are clearly inherent risks involved with blindly and openly accepting the use of personal devices in the workplace that many small businesses simply choose to ignore or overlook. Not because they feel invincible, but most likely because they just don’t know or understand the risks.
Jerry Irvine, CIO of Prescient Solutions — an IT consultancy — points out in a recent editorial for Firmology.com that the most prevalent security risk of mobile devices is that they will be lost or stolen.
According to Irvine, if a smartphone, for example, is stolen, all of the information on it is available to whoever holds it. In most cases, personal phones don’t have identity-related security controls to protect the information, meaning all personal and business information can be accessed.
As Neil Versel explains in his recent piece, the devices will, at some point, go missing. When they do, most affected organizations have little or no plan to prepare for the possibility that the information will be used maliciously. The obvious risk here, in healthcare, is the exposure of patients’ personal health information, and we hear a great deal about such cases when they occur.
Offering advice to businesses without a BYOD policy, Irvine provides a nice, succinct list of musts that organizations allowing employees to BYOD should consider. I’ve picked some of the high points here; you can see the complete list at the link above.
- First off, Irvine suggests requiring and maintaining complex passwords to access the devices.
- Next, create a separate encrypted container for business applications and data and don’t allow the same email application to access both personal and business emails.
- Set up a registration and provisioning system for the devices that allows for monitoring, remote application installation, locating and wiping of company data. Irvine says, “Use the system to remotely install all company applications as well as mobile device systems updates, patches and security fixes.”
- Also, make sure to install antivirus and malicious application scanning solutions to keep the devices clean, and disable their ability to access public Wi-Fi networks. Hackers can hijack such networks and trawl for information through the unprotected devices of unsuspecting users. “Allow only known secure networks to include the user’s home network and the company network,” Irvine says.
- Perhaps one of the most important steps is to require that all maintenance, updates and disposal of devices be done by the company or by authorized vendors who follow specific security requirements. More information than you’d like to think gets swiped while your device is in the shop, and you may never know it happened.
- Finally, don’t allow enterprise data to exist on a personal device, and educate all users on the secure, appropriate use of mobile devices. Once you’ve done so, have them acknowledge and sign an appropriate usage policy.
These steps may not protect you from every incident, but they do create a foundation for what may be an otherwise unscripted and unregulated program. And, putting these steps in place lets your employees know you encourage an environment where initiative and innovation are accepted, and perhaps even rewarded.