Healthcare tends to lag some other industries (such as financial services and manufacturing) in terms of regulatory requirements affecting technology, IT security investment, sophistication of policies, and use of available tools for enforcing policies. At the same time, people’s health information can be worth thousands of times more than their financial information, according to one 2017 Forbes article.
In healthcare, use of personal devices can introduce points of vulnerability where hackers can infiltrate, potentially putting PHI at risk. IT teams work to mitigate the risk and ensure HIPAA compliance through secure BYOD programs.
I’ve compiled recommendations for a secure BYOD program, in priority order:
1. Communicate, communicate again, and when you think you’ve done enough, communicate more.
Make sure your workers understand your policies, procedures, and tools with respect to BYOD smartphones and security. Verbal and written communication are equally important.
2. Reduce risk by educating users.
Education and awareness are the best defenses around! To paraphrase Bridget Duffy M.D., Chief Medical Officer at Vocera, “There are no HIPAA-compliant devices or processes. There are only HIPAA-compliant people.” One of the best ways you can improve cybersecurity is to build awareness with your users about why behaviors they see as perfectly normal can pose a risk to the facility.
3. Make policies clear and impossible for workers to ignore.
Key elements to include in a BYOD policy:
4. Require biometric authentication via fingerprint.
Every iPhone since the iPhone 5s launch in late 2013 allows users to unlock the phone with a fingerprint scan on the home button, and the new iPhone X does it with facial recognition. The feature is now available on many Android phones as well.
Although fingerprint authentication might not prevent passive intrusion through a device into the organization’s network, it may help prevent unauthorized use of a device while it’s on the company network. It can also prevent someone in possession of a lost or stolen device from accessing your network during the interval before the device is reported missing and remotely wiped.
5. Standardize on secure applications.
In her 2017 CNO Report, The Visionary CNO – It’s More Than a Mobile Strategy, It’s a Change to Clinical Practice, Vocera CNO Rhonda Collins explains how the aim of mobile strategy is to standardize behavior; and to standardize behavior, a healthcare organization standardizes software.
When you standardize software, make it secure software. At Vocera, we’re proud to call the security of our solutions “defense-grade.” The security credentials we’ve earned from the U.S. Army, Department of Defense, and American Institute of Certified Public Accountants are unsurpassed.
6. Allow single sign-on.
Enabling users to authenticate to individual applications simply by unlocking their smartphones will make their lives simpler and easier. Although some MDM solutions enable this capability, before you go this route take a look at whether you can allow single sign-on via the Active Directory you may already have.
7. Blacklist containers and personally owned applications.
If you have an MDM solution or enterprise mobility management (EMM) solution, you may be able to prevent certain smartphone apps from using your network.
Similarly, putting your professional environment or selected applications in what’s called a “container” may secure them, but it places a noticeable performance burden on the smartphone and can require end users to swap between their personal and professional environments.
Healthcare can be low-hanging fruit for hackers. With effective communication, education, policies, and technologies within a secure BYOD program, you can avoid being eaten.