Healthcare Organizations Today Must Address BYOD and Its Challenges
Like it or not, BYOD (bring your own device) is a topic that’s not going away. Some consider it a fad, a conversation piece and a topic passé. But, the same was said of the personal computer, the Internet and now, mobile devices in the workplace.
I’ve spent a lot of time recently focused on the work of Gartner, and today is no different. The analyst firm produces some great content and provide some great thought leadership advice and BYOD is no different. Healthcare leaders would do themselves a favor to take note of the following tips from the firm (specifically, Stephen Kleynhans, in this case).
Organizations today must address their BYOD challenges. They are everywhere, in every organization. Users continually and ever more so utilize their own devices, and the trend continues to grow. Doing so, so the argument goes, is that employees’ own devices boost productivity. It’s an argument that’s been said over and over thousands of times.
According to Gartner, users and organizations need to understand BYOD issues and challenges including “security risks from data leakage; financial risks from device cost or support/network contracts; and, compromised compliance/certifications from using sensitive services (location services, GPS etc.). Here is what Gartner feels are the key issues in BYOD adoption in this context.”
Simply put, as we’ve previously discussed here, BYOD is said to help employees perform their roles more efficiently, which is particularly the case for home health professionals and those on call. Additionally, BYOD is supposed to limit tech budgets for organizations, and in large health enterprises this makes a great deal of sense. Essentially, the burden for technology and upgrading it lies on the employee. When they want a new device, they purchase and upgrade it. Obviously, this takes a great deal of pressure off of an organization that might otherwise be forced to upgrade and purchase the technology on an ongoing basis.
“Well framed, comprehensive BYOD policies addressing these issues and challenges can help shift cost to the users and reduce support burden on IT for non-strategic devices,” said Gartner’s Kleynhans.
Additionally, he states that BYOD in in its current form is “largely a ‘don’t ask/don’t tell affair’” where users do what they can, because they can, and devices belonging to senior executives have probably already been made in your organization.
“Prior to instituting formal BYOD, issues related to regulatory, security and compliance need to be reviewed, and an employee’s personal liability and the company’s obligation to its investors or customers may not always be linked. Consider that the loss of user-owned devices carrying sensitive data might lead to serious trust deficits that might be difficult to recover from. If you lack adequate MDM and data protection controls, instituting a BYOD program might backfire,” states Gartner.
Mobile access to company resources should only be granted incrementally based on the users role and needs within the organization, and assigning differing levels of authentication to programs, device fingerprints, location and so on.
“BYOD issues around administering diverse environments will require segmented, policy-controlled architectures, where application delivery focuses on isolating company data rather than targeting complete device control,” said Kleynhans about a concept also known as containerization.
Wherever control of a device or data is not possible, encrypt. “Approaches such as Web apps, virtualized apps and hosted virtual desktops may be used on the server side, complemented on the client side by secure access clients, sandboxes, thin clients and trusted computing devices/dongles.”
Launching BYOD is challenging, and requires a thorough due diligence. Gartner sums it up beautifully: “Extend existing policies wherever possible and ensure that the full range of interested parties such as IT, business, HR and legal are involved to cover all contingencies and legal requirements. Further, your policies need to define clearly what can and cannot be done with employee-owned devices; the level of enterprise network access; privacy restrictions; exceptions; penalties; and, most importantly, liabilities.”
In the end, though, BYOD may quickly become BYOB.