Healthcare organizations (HCOs) increasingly rely on BYOD to support contracted specialists and expand care to underserved areas. While this approach reduces costs and simplifies operations, it also raises critical security concerns. From safeguarding patient data to managing device access, BYOD requires careful planning to ensure both flexibility and compliance.
HCOs often work with contracted physicians for advanced cases, like heart surgeries. These contractors are likely to use personal devices to access EHR clients like Haiku, which IT has no control over after their contract ends. While the app prevents users from capturing screenshots, BYOD still presents security concerns. For instance, the physician could be taking pictures from their personal device and uploading them into Haiku.
Larger HCOs form affiliations with community centers to provide underserved populations access to care. BYOD is common in these cases due to:
A recent Gartner® report, When and How to Allow Mobile BYOD, is worth checking out for a breakdown of BYOD policies by ownership and cost.
Unfortunately, if PHI is on a personal device used for work and the device is lost or breached, it's the organization that's responsible. The HIPAA Security Rule from 2013 doesn't explicitly mention mobile devices. However, it mandates that covered entities conduct a Security Risk Assessment (SRA) to identify where ePHI is accessed or stored. In today's landscape, this means two approaches:
You can deliver a virtual image on users’ mobile devices. No data touches the user's device. Only pixels are transmitted back and forth. There are some downsides:
Partitioning data on mobile devices plays a huge role in security. UEM offers BYOD containers that segment work apps from personal space. This means that the hospital IT will only have control over where the hospital data lives. It can even lock or delete the hospital data remotely while keeping the personal data intact. Refer to our case study to know more about how an HCO leveraged ManageEngine's UEM solutions to address healthcare use cases.
For any HCO making a change to its BYOD governance, there's going to be backlash from people who don't want IT to have control over their devices, especially contract physicians. Moreover, BYOD governance must be outlined in a written policy and approved by the physician board before you can enforce it. The infrastructure section of the DHMW survey can act as a starting point while drafting BYOD policies. It recommends areas to consider when building BYOD governance, as outlined in the image below:
While building BYOD governance in your institution, having a privacy policy from your UEM vendor that clearly delineates what data and actions it has control over can alleviate your boards' concerns. To know more, see privacy settings for mobile device management policies.