Could a Strong BYOD Security Policy in Healthcare Actually Deter People from Participating?

15 07 2012

Over the past several years, the healthcare industry has seen a large push towards the greater use of mobile computing.  Quality of care is improved through providers having access to electronic medical records directly at the point of care (ex. patient bedside), rather than at a remote nurse’s station.  However, the cost of purchasing a large number of appropriate mobile computing devices can be extravagant, especially given the additional cost of maintaining the environment necessary to support mobile devices (ex. wireless infrastructure, mobile software development, etc.).  Thus, healthcare institutions have begun examining and implementing a policy known as BYOD (Bring Your Own Device).  Healthcare providers who already own mobile computing devices can use them in place of an institution-supplied device, thus potentially saving the institution from having to invest money in device procurement and maintenance.

Naturally, a BYOD policy would raise a significant number of questions and issues for an IT security analyst.  At a most basic level, a BYOD policy is challenging because you are taking devices that are neither owned, nor maintained by the institution, and incorporating them into your existing infrastructure.  Aside from the fact that there are a wide variety of devices and operating systems available to customers, IT security professionals are essentially being asked to grant access to subjects that are outside the traditional scope of control within the institution.

Personal devices serve a different purpose than due company-owned devices and thus have to be thought of differently (McNickle 2).  According to a white paper published by MobileIron, which was cited in a Healthcare IT News article, “[Personal device users] download more apps.  So with BYOD, devices may fall out of compliance with corporate policy more frequently” (McNickle 2).  The article suggests that IT departments implement a different set of security policies for personal devices than they do for company devices (McNickle 2).  Yet how is this accomplished without, in effect, deterring a device owner from wanting to participate in BYOD?  After all, this is supposed to be a program that can potentially save healthcare institutions money and improve quality of care at the same time.  Given the fact that you are dealing with peoples’ personal property that is used outside of the workplace, how much can you ask of these individuals before they decide that it’s too much of a hassle to participate?  As the cited white paper notes, there is a challenge as to whether users will accept he burden of corporate IT security policies being applied to their devices.  “If the trust level of the personal device is so low that security requires extensive usage restrictions, the employee’s personal mobile experience will be damaged, and neither the [security] policy nor the BYOD program will be sustainable” (McNickle 2).

BYOD not only has to deal with the challenges posed by the mere content and data stored on personal mobile devices, but also has to take into consideration the mindset of the users at play in this situation.  In a response to a blog post entitled “BYOD And The Healthcare Dilemma,” a contributor noted that a challenge at their institution was that providers often sent private patient data to and from personal devices via unsecured communications channels, such as text messages (Johnsen).  On a company-owned device, it’s within a company’s right to disable unsecured communications channels.  But with personal devices, specifically smartphones, it would be unrealistic to prevent such devices from accessing these channels.  As this contributor notes, they were eventually able to find a solution that removes the messages from the device once they have been sent.  It was restrictive in that it prevented BYOD users from utilizing their native text messaging functions and thus was naturally met with some resistance, but it was ultimately accepted (Johnsen).

According to the white paper published by MobileIron, preserving the core functionalities and device usability is essential to the success of a BYOD program.  Failing to do so can be a deterrent to participating in such a program and does little to serve both the company and the user.  Users will be discouraged from participating if the BYOD requirements prevent users from enjoying all of the benefits that their devices provide to them outside of the workplace (BYOD Strategies 5).  Thus, it is suggested that the company establish a clear “social contract” (BYOD Strategies 5) of sorts with the affected user, which will create a compromise that balances security requirements against the user experience.  While it may not be appropriate to track a device’s location, it may be ok to request an application inventory from the device to insure that there are no potentially malicious applications installed on the device.  Most importantly, it is vital that an institution develop a BYOD policy that is clearly understood by the user-base and not merely presented to the user-base in the form of a long, technical contract containing esoteric terminology (BYOD Strategies 5).

In conclusion, I believe that healthcare institutions can implement a successful BYOD policy that balances both the needs of the user-base and the need to protect patient information.  The key to accomplishing this is establishing a compromise between both parties.  IT security departments must realize that they cannot simply apply traditional access control models used for company-owned devices to personal devices, yet at the same time, users must realize that the information they will be accessing on their devices is confidential and must be protected.  If healthcare functions can be adequately protected while having minimal impact upon a user’s use of the device outside of the institution, then BYOD can provide major benefits to healthcare institutions.

____________

“BYOD Strategies: Chapter I.”  MobileIron.  2012.  2011<http://www.mobileiron.com/images/stories/mi/resources/whitepapers/wp_byod.pdf&gt;.

Johnsen, Elly.  Weblog comment.  “BYOD and The Healthcare Dilemma.”  FortiBlog: Reports from the   Threat Landscape.  Fortinet, 29 March 2012.  Web.  3 July 2012 <http://blog.fortinet.com/byod-and-the-healthcare-dilemma/comment-page-1/#comment-352835&gt;.

McNickle, Michelle.  “6 Keys to Developing a BYOD Program.”  Healthcare IT News.  MedTech Media,     15 March 2012.  Web.  3 July 2012 <http://www.healthcareitnews.com/news/6-keys-developing-byod-program?page=0,1&gt;

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: