https://www.vocera.com/uk/blog/7-tips-secure-byod-healthcare

    7 Tips for Secure BYOD in Healthcare

    by Ammath Keunemany, Information Security Manager for Products, Vocera

    Topics Covered: Enhancing Care with Technology

    November, 2017

    It’s So Easy to Infiltrate

    If endpoint security – especially for smartphones – wasn’t a top-of-mind issue for healthcare IT leaders before, it certainly is now. I’ve spoken with numerous customers who struggle with it and are asking for guidance.

    At HIMSS this year I attended the CHIME CIO Forum which included a presentation by Kevin Mitnick, a former black hat hacker. He went to prison for cybersecurity crimes several years ago and now runs a cybersecurity consulting firm that boasts a 100% success rate in penetrating his clients’ networks. The main way he is able to infiltrate his clients’ networks is through what is called “social engineering.” The audience was amazed at how easily he was able to get people to give up information that allowed him to penetrate electronic security layers and access any information he wanted.

    Healthcare Is Low-Hanging Fruit for Hackers

    Healthcare tends to lag some other industries (such as financial services and manufacturing) in terms of regulatory requirements affecting technology, IT security investment, sophistication of policies, and use of available tools for enforcing policies. At the same time, people’s health information can be worth thousands of times more than their financial information, according to one 2017 Forbes article.

    The consequences of a major breach can represent an existential threat to a health care provider’s business. I witnessed this personally several years ago when my local health clinic was broken into and all of their PCs were stolen. Unfortunately, those PCs contained the private medical records of over 100,000 patients in the care network they were part of. After the media frenzy, the care network lost nearly half its customers and was purchased for pennies on the dollar less than six months later.

    The Most Important Layer of Protection

    Countless articles have been published representing a wide variety of perspectives on effective ways to manage smartphones in healthcare facilities. Their focus is almost exclusively on IT policies and tools to enforce those policies. While policies are important, more can be done.

    I’ve attended some panel discussions on the subject of smartphones in healthcare that included experts in genomics, big data, provider and payer IT, and cybersecurity. I’ve come away with clarity on a few points:

    • There is no panacea. No single tool or policy is going to secure your environment.
    • It’s impossible to make your environment 100% secure. A really determined hacker is going to find a way in.
    • The most important layer of protection is often the most overlooked – your people!

     

    Questions to Ask Before Creating a BYOD Program

    Before you start to think about solutions for securing your smartphone environment, you need to ask some important questions:

    • Does everyone in your facility need to use a smartphone on your network?
    • What types of smartphones will you allow?
    • To what extent will smartphones be allowed to access certain parts of your data and infrastructure?
    • How will you ensure infection control with BYOD smartphones?
    • Will smartphones and their consumer-grade accessories tolerate your infection control protocols?
    • How will you maintain data security?
    • To what extent can you actually implement and enforce the policies you want to have?
    • Will your BYOD program have sufficient flexibility to address up-and-coming trends in mobility?

     

    Seven Tips for a Secure BYOD Program

    I’ve compiled recommendations for a secure BYOD program, in priority order:

    1. Communicate, communicate again, and when you think you’ve done enough, communicate more.

    Make sure your workers understand your policies, procedures, and tools with respect to BYOD smartphones and security. Verbal and written communication are equally important.

    2. Reduce risk by educating users.

    Education and awareness are the best defenses around! To paraphrase Bridget Duffy M.D., Chief Medical Officer at Vocera, “There are no HIPAA-compliant devices or processes. There are only HIPAA-compliant people.” One of the best ways you can improve cybersecurity is to build awareness with your users about why behaviors they see as perfectly normal can pose a risk to the facility. It’s doubtful that your workers have malicious intentions, so if you educate them and make them aware of the risks to which they expose the facility through what they consider normal everyday behaviors, you have tackled a large part of the problem.

    3. Make policies clear and impossible for workers to ignore.

    Key elements to include in a BYOD policy:

    • Administrators have the right to remotely wipe the device and destroy all data, at any time, for any reason.
    • End users must report the loss or theft of a device as soon as possible so it can be wiped remotely.
    • Administrators have the right to seize an employee’s device used on the organization’s network at any time and for any reason.
    • The organization has immunity to legal action by a user if the organization sees the user’s private information in the course of a security assessment or other investigation involving his or her device.
    • Maintain liability insurance that covers smartphone misuse, abuse, and hacking.

    Your workers might find the policy elements regarding device seizure and legal protection a little harsh, but stringent policy elements like these are the bedrock of a good endpoint security strategy. Post your organization’s BYOD policy anywhere and everywhere. Periodically remind users of it and have managers remind their teams periodically during staff meetings. Consider including BYOD policy as an element of HIPAA training to which workers must agree. Make sure every worker is acutely aware of your policies.

    4. Require biometric authentication via fingerprint.

    Every iPhone since the iPhone 5s launch in late 2013 allows users to log into the phone through a fingerprint scan on the home screen button, and the new iPhone X does it with facial recognition. The feature is now available on many Android phones as well.

    Although fingerprint authentication might not prevent passive intrusion through a device into the organization’s network, it may help prevent unauthorized use of a device while it’s on the company network. It can also prevent someone in possession of a lost or stolen device from accessing your network during the interval before the device is reported missing and remotely wiped.

    You can also set up your IT infrastructure to only allow smartphones with fingerprint identification onto the network. This would likely require a mobile device management (MDM) solution if you don’t already have a solution in place that can accommodate fingerprint identification. Give users advance warning of the new requirement so they can plan to upgrade from phones that lack fingerprint readers.

    5. Standardize on secure applications.

    No matter what policies you establish, your workers are going to use smartphones to call and text each other. Those communications are going to include personal health information (PHI).

    In her 2017 CNO Report, “The Visionary CNO – It’s More Than a Mobile Strategy, It’s a Change to Clinical Practice,” Vocera CNO Rhonda Collins explains how the aim of mobile strategy is to standardize behavior; and to standardize behavior, a healthcare organization standardizes software.

    When you standardize software, make it secure software. At Vocera, we’re proud to call the security of our solutions “defense-grade.” The security credentials we’ve earned from the U.S. Army, Department of Defense, and American Institute of Certified Public Accountants are unsurpassed.

    The Vocera Collaboration Suite app integrates voice and secure texting, and provides secure and auditable delivery and response reporting for alerts and texts. We received a favorable SOC 2 Type II report for our secure texting application. All Vocera solutions are validated by a third party.

    6. Allow single sign-on.

    Enabling users to authenticate to individual applications simply by unlocking their smartphones will make their lives simpler and easier. Although some MDM solutions enable this capability, before you go this route take a look at whether you can allow single sign-on via the Active Directory you may already have.

    7. Blacklist containers and personally-owned applications.

    If you have an MDM solution or enterprise mobility management (EMM) solution, you may be able to prevent certain smartphone apps from using your network.

    Similarly, putting your professional environment or selected applications in what’s called a “container” may secure them, but it places a noticeable performance burden on the smartphone and can require end users to swap between their personal and professional environments.

    If you blacklist containers and personal applications, expect significant pushback from end users, especially physicians. Your end users will want to be able to mix their personal and professional lives on their smartphones.
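    To show how tips 4 and 7 (together with the lost-device reporting rule from tip 3) turn into a check an MDM or network access control could enforce, the following Python is example code written for this article; it is not Vocera software. It assumes a hypothetical MDM inventory export with per-device fields for platform, whether a biometric screen lock is enforced, whether the user has reported the device lost, and the installed app identifiers. The inventory, the allowed-platform list and the app identifiers are constructed placeholders.

```python
"""BYOD device-posture check for network admission (added example).

Illustrative code written for this article, not Vocera software. It
assumes a hypothetical MDM inventory export, constructed below as plain
Python records, with one entry per enrolled smartphone. The allowed
platform set and blocked app set are placeholder policy values.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Policy parameters (placeholders; set these for your own organisation).
ALLOWED_PLATFORMS = {"ios", "android"}
BLOCKED_APPS = {"com.example.personal-chat", "com.example.cloud-drive"}


@dataclass
class DeviceRecord:
    """One enrolled device as a hypothetical MDM export would report it."""
    device_id: str
    user: str
    platform: str
    biometric_lock: bool          # fingerprint/face unlock enforced on the device
    reported_lost: bool           # user reported loss or theft; wipe pending
    installed_apps: list[str] = field(default_factory=list)


@dataclass
class Decision:
    device_id: str
    allowed: bool
    reasons: list[str]            # empty when the device is admitted


def evaluate_device(rec: DeviceRecord,
                    allowed_platforms: set[str] = ALLOWED_PLATFORMS,
                    blocked_apps: set[str] = BLOCKED_APPS) -> Decision:
    """Apply the article's tips 3, 4 and 7 as admission rules.

    A device is admitted only if every rule passes; each failing rule adds
    a reason so the help desk can tell the user exactly what to fix.
    """
    reasons: list[str] = []
    if rec.reported_lost:
        reasons.append("device reported lost or stolen; remote wipe pending")
    if rec.platform.lower() not in allowed_platforms:
        reasons.append(f"platform {rec.platform!r} is not on the allowed list")
    if not rec.biometric_lock:
        reasons.append("biometric screen lock is not enforced")
    found = sorted(set(rec.installed_apps) & blocked_apps)
    if found:
        reasons.append("blocked apps installed: " + ", ".join(found))
    return Decision(rec.device_id, allowed=not reasons, reasons=reasons)


def evaluate_inventory(records: list[DeviceRecord], **policy) -> dict[str, Decision]:
    """Evaluate every device and key the decisions by device_id."""
    return {r.device_id: evaluate_device(r, **policy) for r in records}


# Constructed sample inventory (not real devices, users or apps).
SAMPLE_INVENTORY = [
    DeviceRecord("dev-001", "nurse.a", "iOS", True, False,
                 ["com.example.secure-texting"]),
    DeviceRecord("dev-002", "doctor.b", "Android", False, False,
                 ["com.example.personal-chat", "com.example.secure-texting"]),
    DeviceRecord("dev-003", "tech.c", "iOS", True, True, []),
    DeviceRecord("dev-004", "admin.d", "windows-phone", True, False, []),
]


if __name__ == "__main__":
    for dec in evaluate_inventory(SAMPLE_INVENTORY).values():
        status = "ALLOW" if dec.allowed else "DENY "
        print(f"{status} {dec.device_id}: {'; '.join(dec.reasons) or 'compliant'}")
```

    Keeping every failing rule's reason, rather than returning a bare deny, matters for the earlier tips too: a user who is refused network access is told what to change (turn on the fingerprint lock, remove a blocked app), which reinforces the policy communication the program depends on.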

    Conclusion

    Kevin Mitnick was clear with the CHIME audience about what your goal should be when it comes to end-user and endpoint security. The goal is not to be 100% secure because it’s not achievable. The goal is to be sufficiently secure that hackers will go after less secure companies.

    Mitnick’s guidance reminds me of the story of two people in the woods who encounter an angry bear. They both start running and one says to the other, “You think you can outrun a bear?” and the other says back, “I don’t need to outrun the bear, I just need to outrun you!”

    In other words, don’t be the low-hanging fruit and you won’t get eaten.

    © Copyright 2019 Vocera Communications. All Rights Reserved.