
Q&A: Implementing an Effective BYOD Protocol (Part 2)

August 21, 2014
by Gabriel Perna
Melissa Markey

Can providers and IT leaders live in peace when it comes to the controversial “bring your own device” (BYOD) craze in hospitals and health systems?

Yes, says Melissa Markey, a healthcare technology lawyer at the Indianapolis-based Hall, Render, Killian, Heath, & Lyman. Markey advises providers on how technology can benefit patient care while also presenting risks to the patient, and on how to protect the patient from those risks.

Markey recently spoke with Healthcare Informatics Senior Editor Gabriel Perna about the risks and benefits of BYOD. In part one, Markey focused on the risks of BYOD and why many IT leaders want to just say no to providers who want to use their iPads. In part two, she talks about implementing an effective BYOD protocol that will leave providers happy and IT executives at ease. Below are excerpts from that interview.

What is involved in an effective BYOD protocol?

I put it into a very general “who, what, when, where, why, and how” format.

Who needs to use a BYOD device? Not everyone should be able to access company data on their personal device. You should need a reason to need access to company data when you’re not sitting at a static location. Also, you need to identify who has the authority to approve a BYOD request and, in the policy, identify who owns the data.

What kind of data can go on that device? What kind of applications can go on the device? Are you going to set up an approved app store that shows you’ve vetted certain apps? Or are you going to let folks download any app they want and deal with the problems later? What controls are needed on the device? Are you going to require mobile device management software? How complex are you going to require passwords to be? How long before the screen lock comes on? All of those types of technological/security control questions need to be addressed.

You have to answer what devices are going to be OK. Even though you are going with a BYOD policy, there may be decisions that you are only going to approve devices you are familiar with. There may be limits on brand specifications or operating systems. Whatever the technology guys decide is reasonable. Then you have to think about what your service policy is going to be. Is your IT help desk going to fix phones when they are not working? If they’re not going to fix phones, this means the phones are going to the carrier, and what are the implications if you’ve got confidential data on the phone?

Why is documenting why users will be given access to data on that device, why access can be terminated, and the details behind the reasoning allowing the use of BYOD.

When talks about when data access is granted and when it’s removed. When is also when the device was lost and when you have to report that the device is lost.

Where is where the devices can be used and where they can’t be used. And are there care areas where special rules have to be followed? For example, there are a couple of cool apps for tablets that the orthopedic surgeons and oncology surgeons like to use that overlay the imaging modalities over each other. If you are taking your iPad into the operating room (OR), it’s probably not very clean by OR standards. There need to be special rules for taking BYOD into a special care area, so you’re not contaminating it.

How is how do you get permission to use the device? How is mobile device management applied to the device? How is the device wipe administered? How do you get the message from HR that someone is being terminated so we can decommission them out of the BYOD program? How is the mechanics of how this actually works.
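The “who” and “what” controls above can be written down as checkable policy values. This is an added example, not code from the interview or from Hall Render: a small Python checker that compares a device posture report against an assumed BYOD policy (approved platforms and minimum OS versions, MDM enrolment, passcode length, screen-lock timeout, vetted apps, and an approved request on file). Every field name, app identifier and threshold is an assumption for illustration.

```python
from dataclasses import dataclass

# Assumed policy values; a real programme takes these from its written BYOD policy.
POLICY = {
    "approved_platforms": {"ios": (12, 0), "android": (10, 0)},  # minimum OS version per platform
    "require_mdm": True,
    "min_passcode_length": 6,
    "max_screen_lock_seconds": 120,
    "approved_apps": {"org.example.ehr", "org.example.securemail"},  # constructed app ids
}


@dataclass
class DevicePosture:
    # A posture report as an MDM agent might return it (constructed fields).
    platform: str
    os_version: tuple
    mdm_enrolled: bool
    passcode_length: int
    screen_lock_seconds: int
    installed_apps: set
    request_approved: bool  # the 'who': an authorised approver signed off on the request


def evaluate(device: DevicePosture, policy: dict = POLICY) -> list:
    """Return the policy findings for one device; an empty list means it may be enrolled."""
    findings = []
    if not device.request_approved:
        findings.append("no approved BYOD request on file")
    min_os = policy["approved_platforms"].get(device.platform.lower())
    if min_os is None:
        findings.append(f"platform not approved: {device.platform}")
    elif device.os_version < min_os:
        findings.append(f"OS {device.os_version} below minimum {min_os}")
    if policy["require_mdm"] and not device.mdm_enrolled:
        findings.append("device not enrolled in MDM")
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if device.screen_lock_seconds > policy["max_screen_lock_seconds"]:
        findings.append(f"screen lock of {device.screen_lock_seconds}s exceeds {policy['max_screen_lock_seconds']}s")
    unvetted = device.installed_apps - policy["approved_apps"]
    if unvetted:
        findings.append("unvetted apps present: " + ", ".join(sorted(unvetted)))
    return findings


# Constructed samples: a phone that fails five controls, and one that passes them all.
WEAK = DevicePosture("iOS", (11, 4), False, 4, 600, {"org.example.ehr", "com.example.game"}, True)
GOOD = DevicePosture("android", (13, 0), True, 6, 60, {"org.example.ehr"}, True)

if __name__ == "__main__":
    for d in (WEAK, GOOD):
        print(d.platform, evaluate(d) or "compliant")
```

The findings list is what an enrolment workflow would hand back to the requester and to the approver named in the policy, so that the denial reason is documented rather than implied.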

What type of data do you recommend using on mobile devices?

My preferred approach is to have the data not residing on the device. I’d rather the data be on a server and transmitted to the device. You can view it on the device and save it on a server. We lose these devices all of the time. If it’s viewed on the device and saved on the server, I have fewer concerns. They are not completely gone but fewer. One thing we need to be really careful about is our photographs. Sometimes we have caregivers who take photographs of wounds, injuries, bruises, those kinds of things. Then they forget that they have them on their phone. Then you’ll have a family member pick it up and see the patient photos. Obviously, that’s a bad thing. Maybe you should think about using a special camera for photographs, so it doesn’t accidentally get uploaded to iCloud.

Overall, do the security risks outweigh the benefits of mobile devices or vice versa?

If you’ve got a good mobile device policy, I think patient care can be improved by mobile devices. I think we have to use them smartly. If we don’t think about what we’re doing and we’re not smart about the way we use mobile devices, it could cause harm. You have to be on guard against that.

For example, I know healthcare providers like to text information back and forth. There may be times where that is an effective way to communicate, although Joint Commission rules say you cannot text orders. But if you ever want a vivid picture of the risks of that kind of communication, just Google autocorrect and you will see how often autocorrect distorts what you are trying to text. So if you are going to do it, you have to double check what you just typed and make sure when you read something, it makes sense. Make sure you’re in the moment and paying attention. You can’t use mobile devices when your attention is divided in healthcare. It’s easy to have errors. If you’ve got PHI on your phone, you have to be extremely vigilant that you know where your phone is at all times.