3 tips to avoid BYOD breaches

CDW offers three tips on how to avoid BYOD breaches.Convenient and tempting, but devices from the outside pose risks to hospitals.

Without question, BYOD, or “bring your own device,” offers benefits to both healthcare employees and employers. It also presents security issues.

The benefits of BYOD are luring. To name a few, users are familiar and comfortable with their own devices, which increases productivity. No training is required. And employees provide the latest devices, saving hospitals the expense.

Yet, despite these benefits, security issues keep many hospitals from allowing BYOD, and with valid reasons. BYOD raises numerous red flags on the security and HIPAA compliance fronts and the bottom line is: No matter who owns the device, hospitals are responsible for any data breaches that occur.

[See also: 'Ethical hacker' calls BYOD a nightmare.]

Devices brought into the hospital are least likely to have standard security controls such as encryption, and they are at higher risk for viruses from personal apps, social media, web browsing and e-mail,  say CDW consultants in a new white paper. Such devices also lack enterprise manageability for inventory and patching, making it difficult to track their location and keep security controls updated.

So, how can you make the most of BYOD without ending up with another penalized -- and publicized -- breach incident? 

CDW offers three pieces of advice:

1. Use a mobile device management solution. Numerous options are available, with many specifically geared to the needs of healthcare organizations. With MDM, IT administrators can:

  • Control devices attached to their networks from a centralized location, no matter the operating system used, the type of device or the ownership status.
  • Reduce support costs, protect data and manage HIPAA compliance with advanced capabilities to secure devices, enforce passcodes, provide encryption, and remotely lock and wipe devices that are lost or stolen.
  • Monitor and control applications installed, access to content and transfer of information between mobile devices.
  • Configure and monitor devices, including asset tracking and reporting, and geo-location.

2. Deploy defense-in-depth security. MDM is only one component of a multi-layered security and management strategy. Other elements include:

  • Geo-fencing and contextual MDM. These innovative approaches provide a way to secure and lock down devices based on location. For example, the camera or access to certain apps on a mobile device may be disabled when a physician enters a hospital.
  • Network security. It’s critical for hospitals to upgrade networks with threat prevention and data loss prevention solutions.
  • Virtualization. These technologies can help protect data and support data-centric security strategies by keeping sensitive data from being stored on mobile devices. Virtualization can also be used to separate personal and business data on a single device, making BYOD more viable.
  • HIPAA-compliant servers. Connecting devices to VPN through these servers better protects vulnerable patient data.

3. Routinely assess infrastructure capabilities and costs. A robust network that incorporates both wireless and cellular components can optimize performance and control costs in the face of burgeoning demand. Hospitals should:

  • Use telecom expense management solutions to track carrier costs and data usage.
  • Control data usage costs by negotiating unlimited plans with wireless carriers when possible, as well as encouraging Wi-Fi use when available.
  • Carefully evaluate and select wireless carriers to ensure reliability and security for mobile device use.
  • Take advantage of carrier plan discounts available through GPOs. 
  • Anticipate annual increases in mobile user demand and upgrade wireless networks as needed to maintain fast, reliable performance.

Hospitals that implement and consistently enforce an enterprise-wide mobile policy will go a long way in avoiding trouble, CDW added. In addition to training staff on breach security, don't forget to establish and document clear guidelines for downloading apps.

And it wouldn't hurt to create a user’s agreement for BYOD, spelling out the  responsibilities and liabilities for both users and the hospital.

[See also: 'Ethical hacker' calls BYOD a nightmare.]