Cheatsheets and Recommendations: How Hospital IT Departments Can Stop Worrying and Love BYOD

By Carrie Mulcahy, Director of Corporate Marketing

How would you feel as a doctor if the jab of a syringe could be the difference between life and death for a patient?

Dr. Steve Horng, an emergency physician at Boston's Beth Israel Deaconess Medical Center (BIDMC), was wrestling with exactly this dilemma. A patient suffering from massive brain bleeding was wheeled in on his shift, but treatment was complicated because the patient was allergic to most of the blood pressure medications that can control hemorrhages.

And to make matters worse, the patient was in no condition to specify the names and dosage of the drugs he was allergic to.

All that information was in the patient's file, but Dr. Horng did not have time to log into a computer terminal at the nurses' station and pull up the record. Thanks to the hospital-issued Google Glass he was wearing, however, he instantly received a notification with the patient's allergy information and was able to prevent the situation from deteriorating.

While BIDMC's Google Glass units are hospital issued, many other hospitals are inundated with doctors and nurses using their own mobile devices, such as smartphones and tablets, to record patient data, collate it and use it for diagnosis.

The flip side of BYOD

However, adopting Bring Your Own Device (BYOD) policies without proper safeguards can be risky.

A few months ago the mobile device management (MDM) system at Aviva UK, an insurance giant, was allegedly compromised. According to an insider's account, the attackers gained access to the MDM console, performed a full wipe of the roughly 1,000 iPhones enrolled in it, and then took down the MDM server itself.

And to rub salt into the wound, the attackers apparently pushed taunting messages to the iPhones before the wipe.

Caption: Screenshot of the message posted on Aviva devices

While Aviva UK has formally denied that any business data was accessed or lost, it has been rumored that the breach, possibly enabled by stolen administrator credentials, caused millions in damages.

If you are a hospital CTO or CSO this scenario is scary. Without security policies governing the use of personal devices, a lost or stolen phone, or a compromised set of management credentials as in the Aviva case, gives an attacker a foothold into hospital systems, with consequences ranging from data theft to outages of the systems clinicians depend on.

HIPAA and BYOD: regulations that can ruin your day

Another important factor to consider is HIPAA compliance, and what a data breach means for it.

One of the many swords hanging over your head in the event of a BYOD-related mishap is a regulatory smackdown. The healthcare industry is one of the most heavily regulated, and HIPAA allows for civil penalties of up to $1.5 million per year for violations of an identical provision and potential .

What are some of these violations? Under HIPAA you can be penalized for:

  • Recording incorrect patient information
  • Releasing health information without authorization
  • Releasing information to an unauthorized party
  • Releasing information after the patient's authorization has expired
  • Unprotected storage of protected health information (PHI)
  • Improperly disposing of patient records

Step into the real world and the number of violations racks up very quickly. Since 2009, the US has seen:

  • Over 1,000 PHI breaches involving at least 500 patients each
  • Over 100,000 PHI breaches involving fewer than 500 patients each
  • Cumulatively, the PHI of roughly 10% of Americans exposed through breaches at healthcare service providers

The HIPAA police, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), are also planning to ramp up enforcement to compel facilities into compliance. Since June 1, 2013 the OCR has already levied fines on service providers totaling more than $10 million, including $4.8 million against New York-Presbyterian Hospital and Columbia University.

Considering that the OCR is mulling even higher fines for violations, and taking into account the hit to your reputation and the expense of rebuilding networks after a breach, can you afford to sit tight and neglect gaping security holes?

BYOD and doctors: it's all because of an app

Regardless of the security risks, BYOD is no longer Bring Your Own Device. It has become Brought Your Own Device, a trend that no one in authority can stop because of strong user demand. Consider these data points from a Black Book Research report that surveyed 17,000 doctors:

  • 89% of primary care and internal medicine doctors are using smartphones
  • 51%  of doctors are using tablets
  • 100% of doctors looking for a replacement Electronic Health Record (EHR) system want a mobile app as a must have feature

This user demand is primarily fueled by the explosion of medical apps designed for smartphones and tablets, in part because of the financial incentives offered under the Medicare and Medicaid EHR Incentive Programs.

These medical apps, most of them built for iOS and Android devices, can complement medical devices and help healthcare professionals with tasks such as:

  • Look up safety information concerning drug prescriptions
  • Carry out health insurance formalities
  • Perform calculations like BMI and GFR
  • Access medical news and research, including summaries of papers
  • Provide evidence based recommendations
  • Connect with each other through HIPAA-compliant (encrypted) faxing, email and messaging services

Doctors, who are the revenue generators, have largely dragged hospital management, kicking and screaming, into the BYOD era. However, hospitals must also be cognizant of the general concerns their staff may have, as illustrated in Gartner's 2014 BYOD survey, Bring Your Own Device: The Results and the Future.

Caption: Employee concerns around BYOD (Gartner)

What makes for a good BYOD security policy?

So how can you balance the convenience of user-owned mobile devices with the regulatory requirements for data security and privacy? Your approach has to be two-pronged: user education and technical implementation.

Here are some recommendations to get you started:

1) Perform security audits and a risk assessment

A thorough security audit and risk assessment will tell you whether your wireless network and back-end systems can handle user-owned devices. It will uncover vulnerabilities that need to be fixed, and it will give you an idea of which types of devices you can support given your IT department's capabilities. From that you can create the list of approved devices allowed on your network. A documented risk analysis is also something the HIPAA Security Rule requires of you in any case, so the exercise does double duty.

Without a thorough risk assessment in place your BYOD plans will be dead on arrival.

2) Educated users make for a secure network

Did you know that medical staff exchanging patient information over ordinary text messages can put you in breach of HIPAA's transmission security requirements? Standard SMS is not end-to-end encrypted, and copies of the messages can linger on carrier systems and on both phones.

Is your staff aware of general security best practices, such as not clicking on suspicious links while on the hospital network? Have you talked with end users before deciding which types of devices and apps are allowed, or how professional and personal use should coexist on the same device?

Getting users on your side and engaging with them before rolling out BYOD policies can make everyone happy.

3) Secure data, not devices

In healthcare, data is sacrosanct. Your BYOD policies should therefore focus on keeping the data safe. This means mandating the use of apps that capture PHI, encrypt it in transit and store it in a secured, centrally managed back end, essentially turning user devices into thin clients. Verify that the apps you approve actually behave that way: a "thin client" that leaves PHI in local caches, screenshots or device backups defeats the purpose, so device-level encryption and a passcode requirement remain part of the picture.

Following the same philosophy, make it possible for doctors and nurses to view PHI from any device, personal or hospital owned, using the same centrally managed credentials, so that access can be granted and revoked in one place.

4) Encourage user compliance with self-service

If you want your network to be secure, you have to go to extra lengths to make BYOD policies user friendly and simple. Make device enrollment low-touch. Push settings, configuration profiles and managed apps over the air, and require a minimum OS version at enrollment, so that users automatically get the email, calendar, VPN and other resources they need to do their jobs.

You can further advance the cause of security by giving users an easy way to reset their PIN or password, locate a lost device from a web portal, or trigger a remote, selective wipe of hospital data on a lost or stolen device while leaving personal data untouched. Remember that this same capability is what the Aviva attackers abused: the MDM console is a high-value target, so protect administrator access with multi-factor authentication and limit who can issue bulk wipes.

5) Restrict device access to certain types of data

Implementing access control on mobile devices is critical from the point of view of security, convenience and patient safety alike. For example, you might allow only tablets and desktops to access X-rays and scans because of their larger form factor; users might miss something important when reviewing scans on a small smartphone screen.

Your BYOD policies must also exclude unauthorized devices, such as jailbroken or rooted phones and devices that have not been enrolled, from accessing any kind of data.
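To make the access rules in steps 1 and 5 concrete, here is a small deny-by-default policy evaluator. It is an added example written for this page, not code from the original article or from any real MDM product. The device attributes (enrollment, owner, platform, OS version, form factor, jailbreak flag), the resource classes and the minimum-version thresholds are all assumptions chosen to illustrate the rules above; a real deployment would feed these from the MDM agent's posture report and an identity provider. Each decision carries a reason so it can be written to an audit log.

```python
"""Device-posture access policy for a hospital BYOD programme.

Added example for this article, not from the original page or any real
product. Device attributes, resource classes and thresholds are assumptions
used to illustrate the rules described in the text: only enrolled (approved)
devices get access, jailbroken or rooted devices get nothing, and imaging
studies are limited to larger form factors. Every decision carries a reason
so that it can be logged for audit.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical resource classes a clinical app might request.
RESOURCE_CLASSES = {"schedule", "notes", "imaging"}

# Hypothetical policy constants: minimum OS version per platform and the
# form factors allowed to display X-rays and scans.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"ios": (15,), "android": (12,)}
IMAGING_FORM_FACTORS = {"tablet", "desktop"}


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str              # user the device is registered to
    platform: str           # "ios" or "android"
    os_version: Tuple[int, ...]
    form_factor: str        # "phone", "tablet" or "desktop"
    compromised: bool       # jailbroken/rooted flag reported by the MDM agent


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'15.4.1' -> (15, 4, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


class DeviceRegistry:
    """The approved-device list produced by the risk assessment (step 1)."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def enroll(self, device: Device) -> None:
        self._devices[device.device_id] = device

    def lookup(self, device_id: str) -> Optional[Device]:
        return self._devices.get(device_id)


def authorize(registry: DeviceRegistry, device_id: str, user: str,
              resource: str) -> Decision:
    """Evaluate the BYOD policy for one request. Anything not explicitly
    permitted is denied, and the first failing check names the reason."""
    if resource not in RESOURCE_CLASSES:
        return Decision(False, f"unknown resource class {resource!r}")

    device = registry.lookup(device_id)
    if device is None:
        # New or unenrolled device: no data at all (step 5).
        return Decision(False, "device not enrolled")
    if device.owner != user:
        return Decision(False, "device not registered to this user")
    if device.compromised:
        return Decision(False, "device is jailbroken or rooted")

    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        return Decision(False, f"unsupported platform {device.platform!r}")
    if device.os_version < minimum:
        return Decision(False, "OS version below minimum")

    # Form-factor restriction: scans and X-rays only on larger screens.
    if resource == "imaging" and device.form_factor not in IMAGING_FORM_FACTORS:
        return Decision(False, "imaging requires a tablet or desktop")

    return Decision(True, "policy satisfied")


def demo() -> list:
    """Run the policy over a few constructed requests and return the decisions."""
    reg = DeviceRegistry()
    # Constructed sample devices; names and IDs are made up.
    reg.enroll(Device("ipad-01", "clinician_a", "ios", parse_version("16.2"), "tablet", False))
    reg.enroll(Device("phone-02", "clinician_a", "ios", parse_version("16.2"), "phone", False))
    reg.enroll(Device("droid-03", "nurse_b", "android", parse_version("13"), "phone", True))
    requests = [
        ("ipad-01", "clinician_a", "imaging"),   # tablet may view scans
        ("phone-02", "clinician_a", "imaging"),  # phone may not
        ("phone-02", "clinician_a", "notes"),    # but may read notes
        ("droid-03", "nurse_b", "schedule"),     # rooted device gets nothing
        ("unknown-99", "clinician_a", "notes"),  # unenrolled device
        ("ipad-01", "nurse_b", "notes"),         # someone else's device
    ]
    return [authorize(reg, d, u, r) for d, u, r in requests]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The order of the checks matters: enrollment and ownership come before posture, and posture before the resource-specific rule, so a jailbroken device is refused even for low-sensitivity data and the audit log records the most fundamental failure rather than a downstream one.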

BYOD and hospitals: walking on the razor's edge

As mobile devices become ever more ubiquitous, the percentage of healthcare professionals who use their own devices at work will reach high double digits. IT departments will be under increasing pressure to cope with the influx and keep networks functioning smoothly while also ensuring compliance with regulations.

However, a well thought out policy backed by appropriate technical controls will let BYOD deliver on its promise of cost savings while affording medical staff the freedom and convenience of working from their own devices.