Healthcare organizations (HCOs) increasingly rely on BYOD to support contracted specialists and expand care to underserved areas. While this approach reduces costs and simplifies operations, it also raises critical security concerns. From safeguarding patient data to managing device access, BYOD requires careful planning to ensure both flexibility and compliance.
BYOD use cases
Here are some common use cases for BYOD in HCOs:
- Temporary contracts with specialists
HCOs often work with contracted physicians for advanced cases, like heart surgeries. These contractors are likely to use personal devices, which IT has no control over after their contract ends, to access EHR clients like Haiku. While the app prevents users from capturing screenshots, BYOD still presents security concerns. For instance, the physician could be taking pictures with their personal device and uploading them into Haiku.
- Development of rural and community care programs
Larger HCOs form affiliations with community centers to provide underserved populations access to care. BYOD is common in these cases due to:
- Reduced hardware procurement costs.
- Less concern over device returns when contracts end.
A recent Gartner® report, When and How to Allow Mobile BYOD, is worth checking out for a breakdown of BYOD policies by ownership and cost.
Left to their own devices, BYOD can leave a gap in security
Consider a few facts about mobile devices:
- 1.4 million mobile phones were stolen across the US in 2023.
- 45% of breaches involve a mobile device.
Unfortunately, if PHI is on a personal device used for work and the device is lost or breached, it's the organization that's responsible. The HIPAA Security Rule from 2013 doesn't explicitly mention mobile devices. However, it mandates that covered entities conduct a Security Risk Assessment (SRA) to identify where ePHI is accessed or stored. In today's landscape, this means two approaches:
- Virtualization
You can deliver a virtual image to users’ mobile devices. No data touches the user's device; only pixels are transmitted back and forth. There are some downsides:
- Users experience latency as the virtual device registers telemetry from the central servers.
- Home care workers may not have stable internet connectivity in remote locations.
- Ease of access has become a big deal for frontline workers, but virtualization systems can stall immediate access to critical data. Native apps and archived data on the device solve this.
- UEM
Partitioning data on mobile devices plays a huge role in security. UEM offers BYOD containers that segment work apps from personal space. This means that hospital IT has control only over where the hospital data lives. It can even lock or delete the hospital data remotely while keeping the personal data intact. Refer to our case study to learn more about how an HCO leveraged ManageEngine's UEM solutions to address healthcare use cases.
Tackling board-level concerns
For any HCO making a change to its BYOD governance, there's going to be backlash from people who don't want IT to have control over their devices, especially contract physicians. Moreover, BYOD governance must be outlined in a written policy and approved by the physician board before you can enforce it. The infrastructure section of the DHMW survey can act as a starting point while drafting BYOD policies. It recommends areas to consider when building BYOD governance, as outlined in the image below:
While building BYOD governance in your institution, having a privacy policy from your UEM vendor that clearly delineates what data and actions it has control over can alleviate your board's concerns. To learn more, see privacy settings for mobile device management policies.
You can also read more about how this Port Townsend-based community care streamlined their BYOD policies and made them operational with Endpoint Central in this case study.
You can also explore more resources relevant to BYOD management that might be helpful in crafting your BYOD policies.
- Endpoint Central's offerings for healthcare and BYOD management
- Device privacy document for MDM
- Digital Health Most Wired Survey: Management Consideration for BYOD in the Infrastructure Segment
Looking to implement BYOD policies in your organization? Check out Endpoint Central’s 30-day free trial to see how you can set up policies for your organization.