Beyond the Bring Your Own Device Policy: Planning and Launching a Secure BYOD System

The use of mobile devices, cell phones, smart phones and tablets has become commonplace within the medical field workplace.

Because of the trend to implement Bring Your Own Device (BYOD) programs in the workplace, and the concern for continued security of ePHI, we've updated our HIPAA Privacy training. An additional slide in your HIPAA CME (slide #134) and in the HIPAA Security training (slide #58) introduces BYOD. The slide also points to additional information in our Bring Your Own Device document, found in the Forms Category in "My Offices". Just type "BYOD" in the search bar.

Most practice administrators would agree that there is a pressing need to support the Bring Your Own Device (BYOD) movement, but many are confronted with finding real-life BYOD solutions. Bringing personal devices into the workplace raises several health, safety and privacy concerns.

Allowing virtually any Wi-Fi-enabled device onto your workplace network can become a real challenge. There are several key elements that need attention before rolling out a BYOD policy and agreement.

Management and the IT department need to make provisions and implement protocols that will ensure the integrity and confidentiality of ePHI. BYOD protocols need to address many questions, which may include:

  • How will we keep track of devices and how they are being used while on our network?
  • How will we manage employees with multiple BYODs?
  • How will we manage access to each of our in-house medical management applications from BYODs?

This is not a plug 'n play enterprise! Before deploying a BYOD policy, plans including (but not limited to) the following must be in place:

  • Enhance Wi-Fi capacity and determine the additional bandwidth and coverage necessary.
  • Define the resources and access levels that will be available to "guest" users on your Wi-Fi setup.
  • Implement network partitioning as needed to support different levels of "staff members" (ensuring the proper and confidential management of ePHI).
  • Implement applications that allow staff members to join the practice BYOD network seamlessly. Otherwise this may end up being an IT nightmare.

You may also find the need to purchase or develop a management tool to ensure that your business applications and private content are secure. This application or tool would need the capacity to:

  • Selectively wipe and/or remove business apps and data from devices while leaving personal data intact.
  • Extend compliance engineering controls to personal devices that will share ePHI over the practice network.
  • Manage the practice's apps and content separately from the personal apps and content on the same devices.

The optimal solution would be an application that requires little or no intervention from IT support. This will take quite a bit of planning before deployment. The goal is to ensure network security. The outcome should be that any person attempting to access the network is identified and authenticated against a trusted network source (e.g., Active Directory). The settings developed and defined by your IT department's BYOD plan will need to handle the complexities of diverse user types and mobile OS products.

BYOD is an opportunity to maximize employee satisfaction and productivity, but care must be taken to create a secure environment for the use of personal devices in the workplace. For more information on BYOD policies and agreements, refer to our BYOD document in the Forms Section in "My Offices".

If you have any additional questions, please don't hesitate to contact our professional consultants.