More and more healthcare organizations are allowing employees to connect their own mobile devices to their network, but more than half are not confident those devices are secure.
According to the Ponemon Institute’s fourth annual Benchmark Study on Patient Privacy and Data Security, Bring Your Own Device (BYOD) programs usage continues to rise despite concerns about employee negligence and the use of insecure mobile devices.
According to the study:
“…88 percent of organizations permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to their organization’s networks or enterprise systems such as email. Similar to last year, more than half of organizations are not confident that the personally-owned mobile devices or BYOD are secure.”
With that, it seemed like a good time to revisit a summary of a BYOD-centered webinar hosted by Online Tech last November. Co-presented from technical and legal perspectives, Online Tech’s Steve Aiello discussed the best technical practices for implementing an effective BYOD strategy and attorney Tatiana Melnik provided an overview of the legal and regulatory framework of the process. (View a video replay and the presentation slides.)
The gist: If you’re going to allow employees to use their own devices at work, you must implement a BYOD policy to protect sensitive data, keep senior management out of legal hot water and protect the organization from fines associated with data breaches.
Melnik, a Tampa-based attorney focused on IT, data privacy and security, noted that an organization considering drafting a BYOD policy should first look at their existing policies. BYOD may very well be covered in an organization’s policies on acceptable use, security, social media, remote access, litigation hold, remote working, incident response, breach notification and/or privacy. If so, organizations may simply need to add verbiage that addresses employees bringing their own device to work must enroll in a device management program and allow authorization to remotely wipe a device that is lost.
If there are problems with employees not following policies or using devices to negatively impact their productivity, Melnik said, organizations may want to address that with a specific policy addressing that kind of activity. The workforce must then be educated on the new policy and employees appropriately disciplined when applicable.
Aiello said an effective policy not only adds a level of professionalism to an organization, but it protects employees from liability and protects companies from lawsuits. He noted that regulators are focusing on mobile devices today, and that includes anybody who brings their own mobile device on-premises.
So what kind of issues should a discrete BYOD policy address? Aiello says he has seen them range from the extreme (no installing apps without corporate authorization) to too lenient. The best, he said, are reasonable and applicable.
“You have to write a policy that is appropriate for your business,” Aiello said. “What might be an appropriate policy for a not-for-profit organization may be very different than a policy for a government or military organization. And you need to be able to have the technical staffing in-house to actually implement the policy, or you can get into trouble if you’re not living up to the policy.”
Importantly, be honest about the steps you are taking to protect data. Melnik expanded on the concept of organizations not living up to their policies. She cited 32 cases brought forward by the Federal Trade Commission citing Section 5 of the FTC Act that bars “unfair and deceptive acts and practices.” In other words, companies that claimed to be protecting data in their BYOD policy, but really were not protecting that data at all.
Aiello covered some inexpensive and relatively easy-to-implement security tips specifically for mobile devices: Encryption, pass code requirements, enforcing screen lock timers, not allowing jail-break phones, enforcing an enrollment system for remote wipes, and an application and OS update policies.
He also recommended data classification and data isolation, a procedural process that tags data and moves it to different systems to maintain and control access through various methods.