
How to Secure an Evolving HIT, BYOD Mobile Infrastructure

Healthcare organizations are implementing BYOD solutions but may face challenges when expanding mobile security policies.


By Elizabeth O'Dowd

Healthcare organizations have been exploring bring-your-own-device (BYOD) deployments in health IT infrastructure over the past several years, but many have been held back by the security concerns that arise when employees use personal devices to access protected information.

The healthcare industry presents different challenges than other industries when it comes to BYOD, which is why many organizations hesitate to include BYOD practices in their health IT infrastructure.

Accessing healthcare and personal information on the same device is a major security concern for IT departments, especially when employees are able to access applications and login portals from their personal devices without alerting IT. Unauthorized BYOD is a concern for all industries, but healthcare organizations can potentially face heavy fines if employees are compromising data by viewing it on an unauthorized device.

In addition to potential HIPAA violations, unauthorized BYOD also exposes healthcare networks to malware. IT departments cannot protect personal devices that are reaching cloud applications and data if they do not know those devices are in use in the first place.

If employees cannot find a convenient way to securely access the data they need to do their jobs, they will find another, less secure way to do so.

Forrester Research points to user demand for technology that is equal to or better than personal technology as a challenge for many enterprises.

Organizations must choose between supplying better technology for their employees so they are not tempted to use unauthorized personal devices to access secure data, or implementing a secure BYOD solution to protect data accessed on personal devices.

Forrester researchers suggest organizations learn which departments and employees are accessing which information, and which tools they use to reach the network. BYOD security controls should be applied based on that situation rather than imposed network-wide regardless of how particular information is accessed. A one-size-fits-all approach to BYOD security cannot succeed, especially in a healthcare setting, because it undermines the convenience that makes users want BYOD in the first place.

The report suggests that organizations need to expand BYOD use cases to accommodate more employees who are more likely to use their personal devices to access the secure network. This can be done by building more apps and connections for BYOD initiatives.

Report authors also suggest that organizations roll out BYOD initiatives by department or security clearance level. Organizations may want to deploy BYOD solutions for employees accessing less sensitive information to see how the workflow improves before rolling it out to other departments or clearance levels.

Each department, or group of BYOD users, requires a different set of controls depending on the data it is accessing. Healthcare organizations accessing EHRs and PHI will need a much more thorough BYOD solution to comply with HIPAA.

Many organizations can also fall victim to common mistakes when expanding their BYOD solution. IT departments can easily spread themselves too thin when it comes to covering all device types and operating systems (OS). Users access the network using smartphones, laptops, and tablets all running various OSes. All devices need to be considered and covered under a BYOD policy. Some organizations choose to limit users to certain devices and OSes, while others tackle the issue head on and build their BYOD strategy around all devices and OS types.

Organizations also need to be conscious of user feedback. The purpose of BYOD is to make it easier for users to access data securely. If the solution becomes too complicated or inconvenient, users will look for alternative ways to access the data, which could put it at risk.

Features such as single sign-on help streamline the user experience by eliminating the need for users to log in to each corporate app every time it is opened.

The last and most important thing organizations need to understand is the exact mobile requirements of the workforce. Organizations may exclude a particular OS because they fear the cost and risk of securing two different environments.

Entities need to know which devices and OSes are being used and to what degree. If an organization chooses to only support iOS without knowing how many employees use Android, they could potentially encourage an unknown number of Android users to seek shadow IT alternatives to access secure data.
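One practical way to establish that baseline, and to surface the shadow BYOD access described earlier, is to mine the login portal's own access logs: derive the OS family from each request's User-Agent, count distinct users per OS, and flag requests that carry no device identifier known to the MDM inventory. The following is an added example for this article, not code from Forrester or the author; the log format, the `device_id` field, the sample log lines and the enrolled-device list are all constructed for illustration (a real deployment would pull enrollment from the MDM/UEM inventory API and parse whatever format its portal actually emits).

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (not real traffic). Assumed format: timestamp,
# user, a device_id that managed devices present (or "-" when absent), status, User-Agent.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe device_id=MDM-1001 status=200 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"
2024-03-01T08:05:42Z user=asmith device_id=- status=200 ua="Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"
2024-03-01T08:07:03Z user=jdoe device_id=MDM-1001 status=200 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"
2024-03-01T08:09:19Z user=bkim device_id=- status=200 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
2024-03-01T08:11:55Z user=asmith device_id=- status=200 ua="Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"
2024-03-01T08:14:30Z user=clee device_id=MDM-2042 status=200 ua="Mozilla/5.0 (iPad; CPU OS 17_2 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"
2024-03-01T08:16:08Z user=dpatel device_id=- status=200 ua="Mozilla/5.0 (Linux; Android 13; SM-S911B) AppleWebKit/537.36 Chrome/121.0 Mobile Safari/537.36"
"""

# Hypothetical MDM enrollment list; in practice this comes from the MDM/UEM inventory.
ENROLLED_DEVICES = {"MDM-1001", "MDM-2042"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) device_id=(?P<dev>\S+) '
    r'status=(?P<status>\d+) ua="(?P<ua>[^"]*)"$'
)


def classify_os(ua):
    """Coarse OS family from a User-Agent string.

    Order matters: iOS UAs contain "like Mac OS X" and Android UAs contain "Linux",
    so the more specific tokens are checked first.
    """
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Windows NT" in ua:
        return "Windows"
    if "Mac OS X" in ua:
        return "macOS"
    if "Linux" in ua:
        return "Linux"
    return "Unknown"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["os"] = classify_os(event["ua"])
        event["managed"] = event["dev"] in ENROLLED_DEVICES
        events.append(event)
    return events


def os_usage(events):
    """Distinct users per OS family: which OSes are in use and to what degree."""
    users_by_os = defaultdict(set)
    for e in events:
        users_by_os[e["os"]].add(e["user"])
    return {os_name: len(users) for os_name, users in users_by_os.items()}


def unmanaged_access(events):
    """Request counts per (user, OS) from devices absent from the MDM inventory (shadow BYOD)."""
    hits = Counter()
    for e in events:
        if not e["managed"]:
            hits[(e["user"], e["os"])] += 1
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("users per OS:", os_usage(evs))
    for (user, os_name), n in sorted(unmanaged_access(evs).items()):
        print(f"unmanaged: {user} on {os_name} ({n} requests)")
```

Run against a day of portal logs, `os_usage` answers the "how many Android users do we actually have" question before an iOS-only policy is chosen, and `unmanaged_access` gives the list of people already reaching data from devices IT has never enrolled. User-Agent strings are client-controlled and easily spoofed, so treat the OS breakdown as an inventory aid, not an access-control decision; the `device_id` check is only as trustworthy as the mechanism that binds that identifier to an enrolled device.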

Healthcare organizations are becoming more mobile, and IT departments need to secure mobile devices without hindering device usability.