Four of the scariest letters in the English language for health IT executives are B-Y-O-D.
This, of course, is short for “bring your own device.”
While usage of personal smartphones and tablets has increased in healthcare settings, unease from CIOs and IT leaders has not gone away. According to the Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security, 88 percent of organizations allow employees and medical staff to connect personal devices to their organization’s networks. However, the same survey revealed more than half of organizations are not confident that the personally owned mobile devices are secure.
Studies have shown that when BYOD works, it can increase efficiency and productivity, improve physician morale, and decrease costs for infrastructure. However, many CIOs worry that the privacy implications and risks are too high to justify.
Can providers and IT leaders find themselves in a win-win situation? Yes, says Melissa Markey, a healthcare technology lawyer at the Indianapolis-based Hall, Render, Killian, Heath, & Lyman. Markey advises providers on how technology can be a benefit while presenting risks to the patient, and how to protect the patient from those risks. She recently spoke with Healthcare Informatics Senior Editor, Gabriel Perna on the risks and benefits of BYOD as well as implementing an effective BYOD protocol that will leave providers happy and IT executives at ease. Below are excerpts from part one of that interview.
As a healthcare technology lawyer, when did you start getting inquiries on BYOD policy?
A long time ago, doctors had pagers on their hips. Then it became two pagers. It eventually became inconvenient to keep track of multiple devices, and as phones became smarter and tablets became more capable, and applications became richer in functionality, [providers] started saying, ‘Why do I have to have multiple devices? Why can’t I just use one device for everything I need and make my life simpler?’ The CIOs recognized that it was necessary to address that desire for two reasons. First, you don’t want rogue devices on your network. Number two, the reason we exist is to care for patients. If we can take an innovation and use it in a way that makes it more efficient for healthcare providers to take care of patients, that’s a win-win situation. That’s what we’re trying to get to. I started talking to clients more and more, who were asking, “How do we approach personal devices in a way that we can make it safer, make information more readily available to our providers to let them take better care of patients, while making sure that our network is secure and that patient information is secure.
So you’ve worked with hospitals and healthcare facilities on this directly?
There are two different camps when we get the initial call. The first camp: “Tell me how I can say no.” The other camp: “Tell me how I can do this safely.” Typically, when I get a “Tell me how I can say no” call, I try let them know that saying no is not going to be effective. It’s sort of like telling a teenager they can’t hang out with their friends. It’s not going to work. What can be effective is coming up with reasonable, rational policies, educating people about why you need to have those policies and why they’re not random policies, and helping them recognize the reason is patient-care focused. If you help your providers understand what you’re doing, they might not be thrilled about it but they tend to be willing to be compliant. If you say, “This is the policy, you have to comply with it, and we won’t talk about it.” That’s not an effective policy.
Is security the only reason, or is it just the main reason these guys are saying, “Tell me how I can say no”?
The security aspect is an important thing to focus on. I don’t think it’s the only reason. There are a lot of operational issues that go into a BYOD program. Because instead of saying, “We’re going to use this mobile phone and I’ve got someone training on this phone,” you need to train the help desk to deal with 12 models of phone, 4 different operating systems, and on top of everything else, 492 different weird applications that people have, because it’s their phone. A lot of apps are going to mess with your phone and functionality, when your phone won’t work and your Outlook calendar won’t sync, and they call the help desk and say, ‘None of my calendar is coming through,’ your poor help desk has to figure it out. There are big operational considerations and it does make the IT department’s job harder. It’s understandable to say, “Tell me I can tell them no,” it’s not just the right thing to do.
In terms of security risks, what can those lead to if not properly monitored?
To be perfectly honest, there are several components of a security risk. The biggest security risk is that these devices get lost. People take them out of their pockets and put them on the table at lunch, and they walk away and leave them. They leave them at the bathroom. They leave them in taxis. They leave them all over the place. They get lost. We then have a phone wandering around with protected health information (PHI) on it and we can’t say for certainty that there’s no breach. That’s a big problem.
Another problem is that while you may information encrypted, it’s not always encrypted. For example, text messages are freely visible a lot of times on the telephone. It’s easy for anyone to ease drop. Those apps that everyone loves are literal information gathering devices. They take so much information and nobody knows it because no one bothers to read to the privacy note. You don’t know what’s happening on the back end and some of them are bad apps, they sometimes provide a route into the hospital network. That type of security concern is out there.
The other concern is you have data stored on your personal device that is personal data, and now you have corporate data on that device. It leads to the mixing of personal and business, which can lead to other concerns. You end up blurring those lines and there are a host of legal considerations that go along with that. For example, if you’re an hourly worker and have a BYOD program, and work shift ends and you go home, and you start reading emails at home, are you logging in for overtime? Do you need to be paid overtime? That can raise labor standards issues. If you have data on your phone that becomes the issue of litigation in the future, and you have to put litigation hold on that data, it may mean we need to take custody of that phone for a little bit. There are whole host of legal issues. You need to be thorough when putting together a BYOD policy.
Part 2 of this Q&A will be posted next week. Stay tuned!