BYOD or “bring your own device” policies have become widespread in U.S. hospitals. According to a recent Spok survey, 71% of healthcare facilities nationwide now allow doctors and other caregivers to exchange sensitive medical information through their personal mobile devices. There are still big variations, however, in how individual institutions deal with the risks to data security and HIPAA compliance that BYOD poses.
Integrating BYOD requires hospital administrators to cover multiple human, technical and legal bases. If you’re about to undertake the process, here are 5 key questions to remember and ask your technology vendor and your internal IT department.
- Do we really need to develop our own cloud-based application to store confidential patient information?
Hospitals using BYOD generally put all sensitive patient data on a secure cloud-based server, and implement an mHealth app that provides caregivers with secure access to the EHRs and other information they need. Among other things, this approach ensures that when a staff member leaves the hospital, none of the patient information goes with them on their personal mobile device. But having the hospital’s internal IT department build this type of solution can devour huge amounts of development time. Is an “off the shelf” application a better choice? If so, which of the thousands of “mHealth” applications on the market is the most cost effective and manageable?
- Who will train our IT staff to make sure each individual user will see only the data they need to see?
Carefully segmenting data access can ensure that each nurse, physician or other caregiver has access only to the medical information on their own patients. But it requires granular control over the network by the IT department. It’s important to ask any application or platform vendor whether they will provide training to show your internal administrators how to configure each individual account. Without it, your IT department can face a long learning curve.
- Exactly what policies will caregivers be required to agree to in order to use personal devices in clinical work?
BYOD users are typically required to use approved, strong passwords to log on to a hospital system. But there are other key user/employee requirements you should discuss with your IT and legal directors:
- Agreeing to sync each personal device with IT and to allow it to be wiped if it is damaged, lost or stolen.
- Agreeing to turn over the smartphone or other device to the hospital if a security investigation is taking place.
- If the hospital sees the user’s private information during a security check, agreeing not to undertake a lawsuit against the hospital.
- Using a PIN lock on any personal device used in the hospital.
- Downloading to the personal device only medical apps approved by the hospital IT department.
- Do we need to outsource intrusion detection?
Intrusion detection is needed to flag any traffic to the hospital system that is unrecognized or not legitimate, and to block attacks from known intruders. But the constant vigilance this job requires, given the ongoing rise of new intruders, has prompted more and more hospitals to outsource database, network, application and system monitoring. With medical data theft growing rapidly, many hospitals have decided that manual auditing by the IT department is no longer adequate.
- Do we have enough liability protection to cover possible HIPAA violations?
The HITECH Act has allowed for strict penalties for HIPAA infractions by both state and federal agencies. In most cases, the maximum fine can be up to $50,000 per violation with a $1.5 million limit in penalties per year. Traditional hospital D&O and E&O policies do not always cover the full range of digital liabilities that can arise from a BYOD system. It’s important to review the hospital’s coverage carefully with your insurers and to ask if coverage extends to hospital subcontractors.