I just finished reading a website discussion of the pros and cons of Bring Your Own Device (BYOD) programs in healthcare. It doesn’t really matter which particular article I was reading, since there are literally thousands on the topic. While I’m always hoping for a fresh perspective, most writers tend to line up on one side or the other of the issue, pro or con BYOD.
What makes for a good article on the “controversy” doesn’t, however, make for good HIT policy. It should be obvious that you can botch either option, either in policy or practice. A “no BYOD” policy that’s ignored by users is as bad as a flawed BYOD policy that includes no safeguards on ePHI. If the goal is to protect ePHI — or even just to comply with HIPAA — then focusing on BYOD alone kind of misses the point.
Those of us in IT ought to listen to the clinical voices in our organizations that are focusing on best practices, as measured by the clinical outcomes they achieve. In that context, the question isn’t whether to BYOD or not BYOD, it’s how to avoid the slings and arrows of data breaches, overwhelmed support, frustrated users and regulatory penalties. That is the question.
If we do start by looking at the evidence, it’s fairly clear that with mobile devices in healthcare, the primary risk is an unencrypted device. Today most of these data breaches involve unencrypted mobile devices, chiefly laptops. With the explosion in popularity of tablets and smartphones, healthcare software firms are churning out more products targeting these devices for access to EHR and other ePHI data. From an IT security perspective, I’d much rather have all users on encrypted mobile devices, no matter who owns them.
Of course, there are many, many more capabilities that a robust mobile device management (MDM) software package will provide. It is important that the device be un-rooted, up to date on security patches, passcode protected, and defended against other security threats.
Remote wiping of devices is probably the most frequently deployed feature of MDM suites. But remote wiping may be counter-productive. Users may wait to report a device until they are certain it is lost and not just misplaced, knowing that IT will immediately wipe it and force them to reinstall from scratch if it turns up. Better to have a passcode-protected, encrypted device that may still be lost, but is unlikely to result in a data breach.
From this perspective, the question isn’t to BYOD or Not to BYOD. Instead, start with: How do we secure data and mobile devices? Some particular recipe of encryption, MDM, and virtualization is the likely answer. These are the things which objectively will protect data best. Only after you’ve answered these questions should you turn to whether and how to answer the BYOD question.
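To make the point concrete, here is an added example (not code from the original post or from any MDM vendor) of a device-posture gate: a small Python evaluator that decides whether a device may reach ePHI based on the controls discussed above (encryption, rooted state, passcode, patch currency, MDM enrollment) and never on who owns it. The policy thresholds, the posture field names and the sample inventory records are all constructed assumptions; a real MDM suite exposes similar attributes under its own names.

```python
"""Device-posture gate for ePHI access (added example, constructed data).

The ownership of a device is recorded but deliberately ignored by the policy:
a compliant BYOD phone is allowed through, a non-compliant corporate laptop is not.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes as an MDM agent might report them (assumed field names)."""
    device_id: str
    owner: str            # "corporate" or "byod"; informational only, not a control
    encrypted: bool       # storage encryption enabled
    rooted: bool          # rooted or jailbroken
    passcode_set: bool    # screen lock with a passcode/PIN configured
    patch_level: date     # OS security patch level the device reports
    mdm_enrolled: bool    # enrolled in the organization's MDM


@dataclass(frozen=True)
class AccessPolicy:
    """Thresholds are assumptions for the example, not values from the post."""
    max_patch_age_days: int = 90
    require_mdm: bool = True


def evaluate(device: DevicePosture, policy: AccessPolicy, today: date) -> list[str]:
    """Return the list of failed controls; an empty list means the device is compliant."""
    failures: list[str] = []
    if not device.encrypted:
        failures.append("storage not encrypted")
    if device.rooted:
        failures.append("device rooted/jailbroken")
    if not device.passcode_set:
        failures.append("no passcode")
    patch_age = (today - device.patch_level).days
    if patch_age > policy.max_patch_age_days:
        failures.append(f"security patches {patch_age} days old (limit {policy.max_patch_age_days})")
    if policy.require_mdm and not device.mdm_enrolled:
        failures.append("not enrolled in MDM")
    return failures


def may_access_ephi(device: DevicePosture, policy: AccessPolicy, today: date) -> bool:
    """Access decision: compliant devices pass regardless of ownership."""
    return not evaluate(device, policy, today)


def compliance_report(inventory: list[DevicePosture], policy: AccessPolicy, today: date) -> dict[str, list[str]]:
    """Map each device id to its failed controls, for a fleet-wide view."""
    return {d.device_id: evaluate(d, policy, today) for d in inventory}


# Constructed sample inventory; ids, dates and states are made up for the example.
SAMPLE_INVENTORY = [
    DevicePosture("LAP-001", "corporate", encrypted=False, rooted=False,
                  passcode_set=True, patch_level=date(2024, 5, 1), mdm_enrolled=True),
    DevicePosture("PHN-042", "byod", encrypted=True, rooted=False,
                  passcode_set=True, patch_level=date(2024, 4, 15), mdm_enrolled=True),
    DevicePosture("TAB-007", "byod", encrypted=True, rooted=True,
                  passcode_set=True, patch_level=date(2024, 1, 1), mdm_enrolled=True),
    DevicePosture("PHN-099", "corporate", encrypted=True, rooted=False,
                  passcode_set=False, patch_level=date(2024, 5, 20), mdm_enrolled=False),
]
TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible


if __name__ == "__main__":
    policy = AccessPolicy()
    for device_id, failures in compliance_report(SAMPLE_INVENTORY, policy, TODAY).items():
        status = "ALLOW" if not failures else "DENY: " + "; ".join(failures)
        print(f"{device_id:8} {status}")
```

Running it shows the corporate laptop denied for lacking encryption while the BYOD phone is allowed, which is the whole argument of the post in four lines of output: the controls decide, not the ownership column.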
If those discussions never happen, I’ll reiterate my current catchphrase: Just Encrypt IT!