BYOD: cool but dangerous – 3 HIPAA Security Rule challenges, 7 key precautions

Mobile Medical

Health Systems Alert


From reliable surveys and less dependable anecdotes, opinions point to the almost inevitable expansion of BYOD – bring your own device – as a cost-saving model for employers.

Advisors assure company decision makers that direct savings will flow by avoiding the cost of purchasing handsets and absorbing service plan fees. Finance managers concur that the proposed numbers look good. And employees simply want to be able to pick their own device and avoid the hassle of carrying two. There are particular lures for health organizations: not least, a quick search of a major app store presents thousands of apps dedicated to the health space, both for consumer engagement and for direct activity within the healthcare setting.

However, often overlooked is that a company’s election to adopt BYOD for mobile phones and tablets (as an example) brings along myriad complex risks, ranging from information security and regulatory compliance to employee privacy concerns.

Company policies and procedures must address these risks. This article briefly surveys the risks, from the US healthcare perspective, that companies take on when they adopt a BYOD policy, and concludes with guidance that should assist healthcare organizations in meeting their HIPAA obligations.

HIPAA Security Rule compliance: 3 challenges

The first category of challenges may be described as control: control over various operating systems, over varying levels of configuration, over device security and over transmissions outside the firewall. The most basic aspect of the control problem is that while Apple iOS is consistent across Apple hardware, the Android operating system is typically modified to suit the diverse hardware and the preferences of each OEM. Administering control over such a varied environment is vastly more complicated, and thus more expensive, even if the costs are “only” internal ones.

This control challenge is exacerbated because individuals are accustomed to installing whichever apps they wish and using whichever cloud backup service they like. These habits necessarily evolve into BYOA (bring your own apps) and BYOC (bring your own cloud). Unlike company-issued devices, such as laptops, that the IT team can lock down with administrative privileges, the BYOD ecosystem is a relatively open one in which new, unknown and hence untrusted apps are installed. BYOC and peer-to-peer apps mean that company data and files can end up stored, uncontrolled, outside the organization’s firewall.

The next category raises the specter of the organization's data handling no longer complying with applicable regulations. In the US, as elsewhere, companies in certain industry sectors face particular compliance requirements. Life sciences firms must maintain electronic files in accordance with strict GxP (Good Clinical Practice, Good Manufacturing Practice and so on). Health providers and financial services firms must comply with their own security and privacy (data protection) regimes.

But, given the diverse hardware and operating system ecosystem that IT must manage simply for hand-held devices, securing basic information, let alone regulated data, is more difficult than with a narrower set of company-dictated devices. And beyond the desire to protect company data, security events involving regulated data typically involve external costs in the form of legal fees, advisor costs and fines.

The third grouping of issues relates to the privacy of the employee’s personal data and the extent of autonomy over what each individual, not incorrectly, views as “my device.” “My device” means I can BYOA and BYOC and fully control who can access what information is on my device. However, this employee presumption of ownership (correct) and full control (not so much) can lead to conflict when files must be pulled from the device in the litigation discovery context or when the device has been lost and company policy requires a remote wipe of all data.

How do you want to mitigate the risks? Key elements of a BYOD program under the Security Rule

The issues confronting HIPAA covered entities and business associates under the Security Rule are largely similar to those discussed above. The key for management is to determine in advance of a BYOD program how the company wishes to mitigate the risks that it identifies.

Among the key elements of a BYOD program are the following:

1. Scope of participation: Depending on the nature of the data handled by the organization, it may not make sense for all employees to be able to participate in the BYOD program. For example, those employees with access to particularly sensitive data or regulated data may be required to use a company-controlled device for company communications. Depending on the employment laws of each country, it may be easier or more difficult to mark these delineations. And often some of those employees pushing the hardest to select and use their own devices are within senior management.

2. Range of devices: Because of the multiplicity of hardware and OS combinations (especially on Android platforms), it can often make sense to designate particular products as supported and to exclude others. While this, like narrowing the scope of participation, may result in some grumbling, the resulting reduction in complexity for support and security purposes can save on the IT learning curve and operational costs.

3. Consent to employer access: This marks a particular challenge across jurisdictions, as many national data protection rules discount the validity of consent from an employee, arguing that such consent cannot truly be given freely. In the US, the consent hurdle is more easily overcome but remains important: when the company owns neither the device nor the account through which service is provided, it is significantly more difficult to obtain access to the device for discovery purposes.

4. Security rules: Essential to any BYOD program, regardless of other choices, is the inclusion of security requirements. Several mobile device management (MDM) tools exist. These secure particular user profiles on the device, create a “locker” of sorts for the secure storage of work-related data and files, handle encryption keys between the device and the company’s network, enforce stronger user passwords on the device and enable remote wiping of either the work-related files or the entire device in the event of loss.

5. Departing employees: For the time when a BYOD-participating employee leaves the company, regardless of circumstances, it is important for the organization to have a process or exit interview that includes removal of company data from the device. While work files such as email attachments will be more easily separated, distinguishing between company contacts and the employee’s contacts can be difficult, especially when the employee was responsible for developing and maintaining external relationships on behalf of the firm.

6. Compensation: Finally, companies will typically reimburse employees in a BYOD program in some manner, often through a monthly supplement to offset the cost of the wireless service plan. The amount of reimbursement, whether it is available to all BYOD participants, and whether local employment or data protection law implications arise from the reimbursement are all considerations.
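The scope decision in item 1, the device allow-list in item 2, the MDM security requirements in item 4 and the BYOC concern raised earlier are, in practice, a baseline that an onboarding or conditional-access step evaluates for each device before it is allowed to reach PHI. The script below is an added example of such a check; it is not code from this article or from any MDM product. The device records, role names, vendor/OS minimums and passcode threshold are constructed for illustration, and the field names mirror what a hypothetical MDM export might report rather than any vendor's actual schema.

```python
"""Evaluate a BYOD device inventory against a HIPAA-oriented security baseline.

Added example, not from the original article. The records and thresholds
are constructed; a real deployment would read devices from its MDM export
and take the thresholds from the organization's own risk analysis.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    """Hypothetical device record, as an MDM export might describe it."""
    device_id: str
    owner: str
    owner_role: str                 # e.g. "clinician", "billing", "it"
    platform: str                   # "ios" or "android"
    os_version: Tuple[int, ...]     # comparable as a tuple, e.g. (16, 2)
    vendor: str
    storage_encrypted: bool
    passcode_min_length: int        # minimum length the device currently enforces
    work_container_enrolled: bool   # the MDM "locker" for work data is in place
    remote_wipe_enabled: bool       # organization can wipe the work container
    unmanaged_cloud_backup: bool    # personal cloud backup captures work data (BYOC)


# Constructed baseline capturing items 1, 2 and 4 of the article.
POLICY = {
    "excluded_roles": {"billing"},           # item 1: roles that must use company devices
    "supported": {                           # item 2: vendor/platform allow-list, minimum OS
        ("apple", "ios"): (15, 0),
        ("samsung", "android"): (12, 0),
    },
    "min_passcode_length": 6,                # item 4: passcode strength
    "require_encryption": True,
    "require_container": True,
    "require_remote_wipe": True,
    "forbid_unmanaged_backup": True,         # BYOC concern from the control section
}


def evaluate(device: Device, policy: dict = POLICY) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if device.owner_role in policy["excluded_roles"]:
        findings.append("role not eligible for BYOD")
    minimum = policy["supported"].get((device.vendor, device.platform))
    if minimum is None:
        findings.append("unsupported vendor/platform")
    elif device.os_version < minimum:
        findings.append("OS version below minimum")
    if policy["require_encryption"] and not device.storage_encrypted:
        findings.append("storage not encrypted")
    if device.passcode_min_length < policy["min_passcode_length"]:
        findings.append("passcode policy too weak")
    if policy["require_container"] and not device.work_container_enrolled:
        findings.append("work container not enrolled")
    if policy["require_remote_wipe"] and not device.remote_wipe_enabled:
        findings.append("remote wipe not enabled")
    if policy["forbid_unmanaged_backup"] and device.unmanaged_cloud_backup:
        findings.append("work data included in personal cloud backup")
    return findings


def triage(devices: List[Device], policy: dict = POLICY) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an inventory into compliant device ids and a map of id -> findings."""
    compliant: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for device in devices:
        findings = evaluate(device, policy)
        if findings:
            blocked[device.device_id] = findings
        else:
            compliant.append(device.device_id)
    return compliant, blocked


# Constructed sample inventory (owners and ids are fictional).
INVENTORY = [
    Device("d1", "a.patel", "clinician", "ios", (16, 2), "apple", True, 6, True, True, False),
    Device("d2", "b.lee", "clinician", "android", (11, 0), "samsung", True, 4, False, True, True),
    Device("d3", "c.ortiz", "billing", "ios", (16, 0), "apple", True, 6, True, True, False),
    Device("d4", "d.kim", "it", "android", (13, 0), "acme", False, 8, True, False, False),
]


if __name__ == "__main__":
    ok, blocked = triage(INVENTORY)
    print("compliant:", ", ".join(ok))
    for device_id, findings in blocked.items():
        print(f"{device_id}: " + "; ".join(findings))
```

Run as-is, the report clears d1 and lists the reasons each of the other three devices would be held back: d2 fails the OS minimum, passcode, container and backup checks; d3 belongs to a role the program excludes; d4 is an unsupported vendor with no encryption and no remote wipe. Each finding maps back to a precaution in the list above, which makes the output usable both as an enrollment gate and as evidence for the Security Rule risk analysis.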

For more information about creating compliant policies, please contact Peter McLaughlin.