3 mainstays of a secure BYOD policy


Instances of healthcare organizations failing to keep a tight lid on patient records have been racking up over the past few years. And the fines for those data breaches have been substantial. When you consider the increasing prevalence of mobile devices in healthcare and the large sector of the industry clamoring for BYOD, many organizations face a confounding dilemma: Employees are happy and enabled to work more efficiently, but prone to costly and dangerous data leaks.

Fortunately, there are steps any organization can take to safeguard communications, records and devices. According to Ryan Kalember, chief privacy officer at WatchDox, BYOD need not be a gateway to insecure data. He shared three pillars of a secure communications strategy.

1. Focus on a document's history.
Remember paper files? A doctor typed something up and maybe made a copy or two. One went here; another went there. They were certainly not immune to tampering or theft. Worse, when changes were made to one version, it could be a massive undertaking to find and revise all other copies of a file.

As documentation turns from marks on paper to bits on a drive, that issue persists. "The proliferation of mobile devices has fundamentally changed how people interact with documents," said Kalember. He noted that due to the fluidity of digital files, it is easy to change, copy, delete and annotate things, but their digital nature provides for a little more control. "Most of those documents are pretty dumb," he added. "They don't have a very good idea of what should be done with them. They don't know what other versions of themselves exist out there. They're just documents." The response to this, according to Kalember, is to implement a management system where documents can be synchronized, with permissions built in to them, enabling an office to keep track of who has accessed and edited them.

2. Make sure data is encrypted.
If there is one thing that's certain in the safety of an electronic system, it's that nothing is perfect and that taking steps to protect data is paramount. It can be tough medicine to swallow: Data will get lost or stolen. iPads and USB drives are going to be lost or stolen and passwords will be swiped. Should any of these "unthinkables" happen (and they do, all the time), Kalember said that being prepared is what counts. He pointed out that "the fines are starting to develop a theme. It doesn't matter where the device goes, if the data is unencrypted and unprotected, that's a massive HIPAA violation."

3. Know what your team uses, and secure it appropriately.
Everybody has favorites. Some people are diehard Evernote users. Some people prefer Android, and others wouldn't give up their iOS devices for the world. Kalember said that the time when a hospital or medical practice can dictate the terms of which devices get used are over. It's also time to stop fearing the onslaught of mobile devices that staff members want to sling in the workplace. "People who are using an iPad want to do so in a sanctioned way," commented Kalember. "From an enterprise standpoint, they aren't doing what they need for security." He noted that there are a lot of ways to approach this, but that many are still cumbersome.

These strategies can range from mobile device management software where doctors have to "install special software that can control what apps are on a device, what policy controls are on it," to using a virtual private network that entails "sending all of [a device's] traffic back home through the healthcare provider's network." Those solutions, according to Kalember, are "very unsexy things to talk about." The solution? Kalember advocated taking a "data-centric approach," where "all of the contents would be encrypted, [and an] authorized viewer would have to authenticate to get access."