How to Choose the Right BYOD Security Policy for Your Practice
June 26, 2014 by Forrest Burnson
As the modern healthcare workplace becomes more digital, many private practices are adopting “bring your own device” (BYOD) policies that allow employees to use their own smartphones, tablets and laptops both in and out of the office.
Implementing a BYOD policy can be particularly attractive for small and midsize practices, as it cuts down on the cost of purchasing company-owned computers and mobile devices while providing employees with greater flexibility and mobility.
But without stringent security programs and protocols in place to manage employee devices and the information they’re used to access, your practice might find itself in violation of numerous Health Insurance Portability and Accountability Act (HIPAA) regulations.
With an estimated 80 percent of healthcare professionals now accessing work documents on personal devices outside of the office, “the BYOD trend has really begun to complicate things,” says Jennifer Searfoss, CEO of the Searfoss Consulting Group, a Washington, D.C.-based healthcare consulting firm.
According to Searfoss, mobile and computer technology has outpaced the healthcare industry, placing a significant burden on healthcare providers to comply with HIPAA regulations. Though more practices are taking smarter approaches to securing their patients’ information, “it’s still the wild west,” she says.
We spoke to Searfoss and several other experts to learn how practices can adopt a BYOD security policy that’s both HIPAA-compliant and best suited to their individual security needs.
Device Encryption: Ideal for Smaller Practices/Budgets
While all industries are vulnerable to security risks, healthcare providers are under increased pressure to protect data due to the lucrative black market that exists for patient health records, where a single record can fetch $50.
“The value of a health record is much, much more significant than credit cards or debit cards,” says IT security expert Larry Ponemon, founder and CEO of the Ponemon Institute. This is because, unlike a credit card, patients can’t simply “cancel” their health record if it’s compromised, and thieves can use it in multiple ways, such as filing false claims or ordering prescription medication.
As such, Searfoss says, HIPAA stipulates that patient data can only be accessed via encrypted devices. “The presumption is that you’ve lost data unless you’ve accessed it on an encrypted device,” she explains. “Everything needs to be encrypted.”
Along with being HIPAA-mandated, device encryption is also one of the easiest and least expensive BYOD policies a practice can implement to protect patient data. For Apple users, it’s as simple as enabling the passcode feature on iPhones and iPads, which requires a four-digit code to be entered in order to access the device. After 10 failed passcode attempts, the device automatically wipes its contents to prevent unauthorized use.
The iPhone 5S adds another layer of security by allowing users to use their fingerprint as their passcode to access the device. Android users, meanwhile, can protect their devices using an available full-disk encryption feature, which encodes all data on a device and requires a PIN or password to decrypt it.
There are also enhanced software encryption services practices can use, which generally cost no more than $100 per device per year:
➔ Marble Messenger allows physicians using iOS or Android operating systems to safely send encrypted texts and files through several layers of security, and includes a feature that causes the files to self-destruct after they’ve been viewed for a certain amount of time. “Think of it as Snapchat for secure enterprise messaging,” says Dave Jevans, founder and CTO of Marble Security.
➔ Sookasa operates on the Dropbox platform to provide users with another level of HIPAA-compliant encryption on the popular file hosting service. The service allows users to easily select who can view certain files, and provides an “audit” feature allowing users to see who has viewed files, and for how long. The service works on iOS, Android and Windows devices.
➔ Keeper Security, a digital keychain of sorts, protects users by generating different high-strength passwords for different logins and accounts, which can only be accessed through the service’s password-protected online portal. Keeper Security also works on iOS, Android and Windows devices.
The biggest drawback to device encryption, however, is that the strength of a device’s security is dependent on the end user. If the user only password protects the lock screen to their phone (and doesn’t encrypt the applications and files on it), then a hacker only needs one proverbial “key” to gain access.
MDM: Ideal for Midsize Practices With Employees On the Go
Mobile Device Management (MDM) solutions give practices remote control over employee devices. They allow a system administrator to monitor and manage the security of these devices by granting them access to specific areas of a company’s network and remotely wiping or locking the device, should a security breach occur.
MDM solutions also allow administrators to detect if any devices in the network have been exposed to malware or viruses. “It’s a smart tool to have,” Ponemon says.
By giving employers the ability to remotely wipe a lost or stolen device, MDM thus provides a level of security beyond device encryption to ensure an entire network isn’t compromised if one device is hacked. Because of this, MDM is ideal for midsize and larger practices with more devices in their network and where physicians often work remotely, perform in-home visits or travel frequently.
The drawback with implementing certain types of MDM solutions is that, by giving an employer the ability to remotely wipe the contents of an employee’s mobile device, personal files are also at risk of being deleted in the process.
Some MDM solutions allow enterprises to configure privacy settings to prevent inappropriate personal data collection and full remote wiping, effectively creating a company-controlled partition on the user’s device.
Additionally, some MDM solutions also feature a geolocation service that pinpoints a device’s location, meaning a remote wipe might not be necessary if the user is able to locate the lost device before it ends up in the wrong hands.
Despite this, some users might not feel entirely comfortable granting their employers remote access to their personal devices, so it’s imperative for employers to outline clear terms and conditions of use to staff.
Though there is a trade-off between security and employees’ privacy, MDM solutions typically will not break the bank, Ponemon says. Generally, MDM solutions cost between $20 and $100 a year per device.
Virtual Desktop: Ideal for Larger Practices With Bigger Budgets
A virtual desktop allows users to access sensitive data via a platform in the cloud. Unlike a cloud hosting service such as Dropbox, which is essentially a hard drive in the cloud, virtual desktops function as operating systems in the cloud, providing users with virtual access to data and applications that are stored elsewhere on a server.
This means that if a device is lost or stolen, the security risk is lower, as sensitive information is not physically stored on the device, but in the cloud. Still, a virtual desktop is only as secure as a user’s login authentication credentials. If a physician’s device is not encrypted or password protected, then any advantage to using a virtual desktop is severely reduced.
Similarly, while virtual desktops prevent data from being physically stored on a device, there are workarounds that can be used, such as manually taking screenshots of patient records accessed on the device and saving them.
Though virtual desktops offer certain distinct advantages, Ponemon says many physicians are reluctant to adopt such solutions because they’re not entirely comfortable entrusting their patients’ data to a third-party cloud server.
Furthermore, relying on a third party server means that network issues, such as increased loading times and connectivity issues, can inhibit the user experience. If the vendor’s servers go down, a practice may not be able to access patient data until the issue has been resolved.
“Physicians and nurses want to get things done,” Ponemon explains. “If their access to the Internet or a database is slow-moving, that can be a problem.”
Finally, a virtual desktop solution tends to be more expensive than device encryption and MDM, generally costing between $100 and $300 every year per device, according to Ponemon.
But while there are more upfront costs associated with virtual desktop solutions, they can often end up paying for themselves by increasing network efficiency and reducing—if not eliminating—the need for internal IT support. Additionally, the level of security they offer is the most substantial of the three BYOD approaches discussed here.
Other BYOD Program Implementation Tips to Consider
Regardless of the BYOD program your practice decides to implement, there are a few essential tips for success that apply. Keep in mind, however, that the three approaches described above are not an “either/or” decision; many practices implement multiple approaches that complement each other.
➔ Draft a cohesive BYOD policy. Before any BYOD approach is implemented, your practice should draft a clear and comprehensive policy that outlines what information administrators will be able to access on employee devices.
If a practice is implementing an MDM solution, for example, there should be a tiered security structure that gives the employer more control over the device depending on the level of access the user has to sensitive information.
Policies should also outline which devices employees can use, as not all solutions are device and operating system agnostic. Lastly, the BYOD policy should clearly inform users as to what they can do on their end to ensure the greatest level of security, and the policy should clearly outline what their responsibilities are in the event of a data breach or lost device.
➔ Keep all software up to date. Practices that are still using Windows XP, for example, are opening themselves up to a plethora of security breaches, as Microsoft discontinued support for the 13-year-old operating system in April 2013.
“If a system is still using Windows XP, it’s assumed to be a HIPAA breach,” Searfoss says. All operating systems, antivirus and encryption software and other applications, such as Adobe Acrobat or Microsoft Outlook, should ideally be set to update automatically or at regular intervals (e.g. once a week).
➔ Use qualified, in-house IT support. Just as you wouldn’t entrust a first-year medical student to perform open-heart surgery, physicians shouldn’t entrust the security of their patients’ information to unqualified IT support.
According to Searfoss, it’s not uncommon for smaller practices to place IT responsibilities on their non-medical support staff. But while your office manager may know how to install Adobe Acrobat on a physician’s laptop, he or she might not know the ins and outs of cyber security best practices.
If qualified, in-house IT support is not financially possible, then the practice should consider going to a healthcare consultancy firm that can help the practice find the most cost-effective IT solution on a limited budget.
Finally, Ponemon stresses the need for small and midsize practices to stay up to date with HIPAA regulations. “Medical practices can suffer a huge potential loss and probably most importantly, a loss of reputation, if they’re not managing their patients’ data in an effective manner,” he says.