How to ensure BYOD doesn't put health data at risk

There's no stopping the 'bring your own device' wave within the healthcare industry, but there are good strategies and best practices healthcare organizations can embrace to ensure device, systems and data security while not encroaching on workflow processes, patient care or the use of a mobile device.

Healthcare IT organizations should be taking a proactive approach to BYOD, initiating a well-organized effort that encapsulates everything from training for the mobile device user to adopting strong security technology and policies, experts advise in a HealthITSecurity.com report.

As FierceMobileHealthcare has reported, getting an early start and taking a hybrid approach are key in developing a BYOD program, according to John Donohue, associate CIO of technology and infrastructure at Penn Medicine.

Today's BYOD security effort must include substantial employee training regarding device security and the need to protect data, healthcare IT leaders stress.

"As you look at where we're at in terms of technology, information, information security and the healthcare landscape in general, the one thing that we can't engineer for is people," Jeffrey Wilson, director of Information Services, Assurance and IT Security at Albany Medical Center, told HealthITSecurity.com. "There are no controls that we can put in place."

Employee training must be supported by comprehensive policies that encompass everything from device use to data protection. There should be policies on what's allowed with email, image storage, sharing data and patient insight communication, to highlight a few topics.

"I think organizations which define the scope ahead of time, and then build policies, procedures and security controls around that, things will work out well," Daniel Bowden, CISO for the University of Utah and University of Utah Health System, told HealthITSecurity.com.

Use of encryption technology is a must, according to Bowden, as is knowing where protected health information (PHI) is located and adhering to the HIPAA Security Rule's encryption requirements.

"The only way to [address the Security Rule] is use the risk analysis and understand how and where people are using PHI and if they're using mobile devices," he said. "Those devices need to be encrypted in order to protect the data. The encryption is a critical tool."

Yet, as research reveals, only slightly more than half of healthcare employees (59 percent) are using full-disk encryption or file-level encryption on mHealth devices used at work.

For more information:
- read the HealthITSecurity.com article
