[BreachExchange] 5 things healthcare organizations need to consider before embracing BYOD

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 9 20:24:01 EST 2018


Bring your own device (BYOD) programs offer healthcare organizations
considerable benefits, but they also come with significant risks. In this
guest post, Brad Spannbauer, senior director of product management and
HIPAA privacy & compliance officer at an internet services provider,
details the potential pitfalls healthcare facilities should consider before
adopting a BYOD program.

The BYOD movement is gaining momentum in America, and fast. With a reported
59% of enterprises now allowing employees to use personal devices for work
purposes, and a further 13% planning to implement BYOD within a year, BYOD
looks like it’s here to stay, according to an article on Insight.

And when you consider the benefits of BYOD over traditional practices, it’s
not hard to see why adoption is on the way up. Increased productivity,
boosted staff morale and reduced hardware costs are all frequently cited as
major advantages. One recent study quantified the time savings of BYOD at
58 minutes per employee, per day, which works out at a 34% increase in
productivity. Another study estimates that companies with an effective BYOD
policy in place can expect to save on average $350 per year, per employee.

Within the healthcare industry in particular, mobile devices are solidly
entrenched in clinical settings. A HIMSS Analytics study in 2017 asked
healthcare workers which devices they used to access information to provide
and coordinate patient care. The results were striking: tablets were cited
by 80% of respondents, followed by smartphones at over 42%. So regardless
of whether it’s hospital provided or BYOD, mobile technology has clearly
found a place in healthcare environments.

Risks of BYOD

These statistics considered, it’s clear why so many organizations are quite
literally opening their doors to employee-owned devices. However, for all
the potential benefits BYOD offers, there are equal risks, and those risks
are particularly high within healthcare organizations.

According to Ponemon research, a staggering 90% of healthcare organizations
have been hit by at least one data breach in the past two years, and nearly
half have had more than five data breaches in the same time period, at an
average cost of $2.2 million. While criminal activity is a leading cause of
those attacks, employee negligence and lost or stolen devices continue to
be the primary instigators.

In fact, nearly 50% of large data breaches in health care were attributed
to theft and loss in 2017, according to the Office of Civil Rights at the
U.S. Department of Health and Human Services. To make matters even worse,
28% of doctors have reported storing patient data on their mobile devices.
Yet many of those devices aren’t password protected and may be infected
with malware. That’s a potential data breach just waiting to happen on a
quarter of all such devices in use.  Even with robust policies in place,
BYOD is inherently risky, and so long as humans form part of the security
chain, there will always be weaknesses. Therefore, before allowing BYOD,
organizations should consider the following potential pitfalls very

Increased device vulnerability

Device loss and theft is an unfortunate inevitability; even the most
cautious of employees misplace things from time to time. But when those
misplaced things provide gateways to sensitive data and company networks,
major issues can arise. The reality is that by allowing employees to use
the same devices both inside and outside of work, devices are more
vulnerable and organizations are at higher risk of corrective action and
even fines for non-compliance with state and federal healthcare privacy

Compliance complications

BYOD presents serious compliance challenges for healthcare organizations,
particularly when it comes to meeting HIPAA’s security and privacy rules.
From making sure that all employees are implementing necessary physical
safeguards, including strong passwords and multi-factor authentication, to
ensuring that PHI is only ever exchanged via HIPAA-secure tools that
utilize encryption, there’s much to consider for compliance officers and IT
departments. This makes developing a robust BYOD policy critical for HIPAA
covered entities.

Legal difficulties

It’s possible that from time to time, an employer may need to gain access
to an employee’s device to access data, or install or update applications.
But what happens if during that period of access, the employer stumbles
upon some incriminating information, accidentally deletes personal files,
or finds out something about the employee that was intended to remain
private? This raises lots of complex legal questions that employers must
consider before rolling out BYOD, all of which should be addressed within a
clear set of policies and procedures.

Shadow IT

In simple terms, shadow IT is used to describe any IT system being used
within an organization without the organization’s knowledge or consent;
this could be anything from personal email accounts to workflow tools.
While most employees who use unauthorized tools and applications do so
without malicious intent, nevertheless they’re introducing security
vulnerabilities which are almost impossible to identify. This is a growing
issue that is only amplified by BYOD; one report estimates that by 2020, a
third of successful attacks experienced by enterprises will be on their
shadow IT resources.

Looking specifically at concerns surrounding BYOD in health care, a poll of
535 healthcare IT and IT security professionals last year found that among
the top security threats to healthcare organizations were employee-owned
mobile devices (76% of respondents) and unsecure mobile devices (72% of

Employee productivity

As much as BYOD can help boost productivity, it can also have the opposite
effect. Allowing employees to manage work on devices, which are also likely
to contain personal apps – Facebook, WhatsApp, iMessage and so on – can
introduce unwanted distractions. Even with the best will in the world, it’s
difficult to ignore notifications, work related or otherwise, and BYOD only
makes that challenge harder for employees.

For healthcare organizations considering BYOD as a way of working, it’s
essential that first they develop crystal clear policies to address the
areas outlined above, educate employees on the risks and rewards, and
invest in tools that help to facilitate secure workflows – simply hoping
employees will adhere to best practices isn’t enough.