With the continuous stream of news about cyberattacks on healthcare systems, protecting your practice's security should be top priority.
But where do you start? As healthcare gets increasingly more digital, it can be extremely difficult to keep up with security guidelines - especially if you don't have a team of dedicated HIT experts on staff.
One of the biggest, complicated security problems revolves around your employees and their mobile devices; how do you make sure any access to patient data on personal mobile devices remains HIPAA-compliant?
The best thing you can do is create and adopt a solid Bring Your Own Device (BYOD) policy. If you haven't heard of BYOD policies already, they're a great way to establish guidelines for using mobile devices in your practice. Having a clear BYOD policy in place will keep your staff informed of the do's and don'ts of using personal devices for work. Plus, adopting a BYOD policy can be a way to save money; if everyone can bring in their own device to work, you don't need to purchase work-only devices.
Ready to build your own BYOD policy? Here's how.
Decide on Your Approach
There are three basic approaches you can adopt for your BYOD policy.
The cheapest and simplest option to keep devices secure. For Apple devices, this approach generally just requires that users add a 4 digit passcode to lock their device when it's not in use. Android users can enable a feature that encrypts all data on their device, and decrypts with a simple password. Practices can also purchase software for encryption.
This is pretty much the minimal security option. It's important to remember that the level of security with this method is only as strong as the user and the operating system of the device.
Mobile Device Management (MDM)
If your budget and practice are a little bigger, you may want to consider an MDM solution. MDM solutions give employers the ability to manage employee network access, or, for instance, remotely wipe a device if it's lost or stolen. It's a safer option, but you'll need to consider the costs and any employee privacy concerns (since they'll need to give you access to their devices).
Highest on the price and security food chain. This option is out of the budget range of most small medical practices. A virtual desktop option keeps all data safe and sound on third-party servers.
Write Your BYOD Policy
BYOD policies vary widely from one organization to another, but most include the following basic sections.
Expectation of Privacy
Explain what staff should expect in terms of privacy. Will they need to give you access to their devices? Will you be installing software on their devices? You'll need to spell out that when employees are using their device for or at work, they are giving up their right to privacy.
Lay out what is considered acceptable use of devices - how are staff allowed to use their devices for work? For personal activities? If you're restricting access to any specific websites or apps, list that out here.
This section should describe how your practice owns all the data employees may be accessing, and unauthorized of that information is strictly prohibited. Make it clear also that staff could potentially lose personal data if you had to, for instance, remotely wipe a stolen or lost device.
Devices and Support
List out supported devices (iPhone 4s, etc), what steps staff will need to take before they can access your practice network or data, and who to contact for any technical support.
This part is really the meat of your BYOD policy. Here you should detail all the security measures you've decided on, like requiring a password, the rules for that password, what data employees have access to, when you'll need to remotely wipe a device, etc.
Risk & Liability Disclaimers
This section includes space for miscellaneous items like, liability disclaimers or time-frame requirements for reporting lost or stolen devices. Take a look at the examples we provided below for a model.
Employee Device Exit Strategy
What steps will you take to keep your practice secure when you fire an employee? Detail that here. For instance, you might want to consider having a terminated employee give their device to an IT staff member for review before leaving.
Nextech recommends using the following wording for this section: “employees are expected to surrender their devices to company IT for an exit review upon termination of employment. Failure to do so in a timely manner (or in a specific timeframe) will result in a full remote memory wipe of all non-OS data from your device."
User Agreement and Acknowledgement
Use "I" statements that say the employee has read and agreed to the terms of your policy. Leave space for the employee to sign, print their name, and add a date.
Since this can be a lot to digest, we recommend looking over these example BYOD policies to help with your choice or wording — especially for the more legalese-sections like Risks/Liabilities:
Share and Sign
Once you have your BYOD policy created, make sure you have a conversation with your staff. Schedule a meeting to walk them through the details of the policy and make sure you explain why it’s important. A BYOD policy is not an excuse to encroach on your staff’s privacy; it’s a necessary way to protect sensitive patient data and keep your practice secure.
Once you have a solid BYOD policy in place, your practice will be that much more protected from potential cybersecurity hacks. While it might seem like a small step towards better health security, it can make a big difference in our fast-changing mobile landscape.
Do you have a BYOD policy in place? Tell us what’s working and what isn’t in the comments section below!