
Impact of Consumerization of IT, BYOD on Healthcare IT

The consumerization of IT and BYOD play a large role in employee productivity and patient engagement, but present major risks to network security if policies are not in place.

By Elizabeth O'Dowd

The consumerization of IT movement encourages healthcare organizations to embrace technology used by clinicians and patients in their personal lives to access the secure healthcare network. Lifestyle changes over the past decade have driven end users to use their personal devices for business with or without the approval of IT.


The use of personal devices in the workplace has always been a point of contention for CIOs and other IT decision-makers because of the risks involved in allowing a number of devices that are constantly downloading and updating untrusted third-party apps to access the same secure network that holds protected health information (PHI). IT departments do not know if these devices contain malware because they do not have control over how employees use their personal devices.

On one hand, allowing the use of personal devices means an organization’s IT infrastructure needs a serious examination to be sure it’s secure enough to protect the network from devices it has very limited control over. On the other hand, denying the use of personal devices doesn’t guarantee employees won’t use them regardless, bringing the threat of shadow IT.

The consumerization of IT movement sparked the use of personal mobile devices in the workplace because consumer technology began to surpass corporate-supplied technology.

In his book Enterprise Mobility Management, author Jack Madden cites the release of the first iPhone in 2007 as the beginning of the consumerization of IT movement. Until the iPhone was released, most businesses used BlackBerrys and PDAs to conduct business on mobile devices. The iPhone was intended for consumers; however, users began to discover that the iPhone could be used to make day-to-day business operations more efficient, and consumer devices became more effective than technology provided by organizations.


The consumerization of IT goes beyond devices and extends to applications as well. Users who are not provided with technology comparable to what they use for personal data may adopt an app such as Dropbox to access and share corporate data without permission.

Most users do not realize the security risk that using unauthorized technology brings to the network, and IT departments are not always aware of this activity. Using third-party apps to access corporate data is known as shadow IT.

The threat of unsecured devices and shadow IT solutions accessing the network prompts organizations to weigh the benefits of personal device usage against the security risks and the infrastructure upgrades needed to accommodate them.

Every organization needs a policy that addresses personal device usage. Organizations can accept personal device usage and implement BYOD and security policies, or deny personal device usage and supply employees with alternative technology that functions similarly.

The biggest priority organizations have when new technology is used to access corporate data is protecting the network. While this is important for every industry, healthcare has HIPAA compliance and restrictions on PHI, which factor heavily into healthcare organizations' decisions regarding personal mobile devices.


Organizations choosing to deny employees permission to use personal devices to access secure data need to provide an alternative option. Employees have expressed a desire to use personal mobile devices to improve productivity and will continue to do so unless they are provided with comparable corporate devices.

Corporate-owned devices are a good alternative to BYOD because they give organizations complete control over the device without having to follow the personal privacy requirements of BYOD solutions. However, corporate devices may not be received well by users who do not want to carry more than one device. Depending on the size of an organization, purchasing smartphones for each employee can consume the IT budget.

Approving the use of personal devices is a massive undertaking for any IT infrastructure, and IT decision-makers are charged with determining the method or methods of protection that fit their organization best. Enterprise mobility management solutions, advanced VPN technology, custom employee applications built with container technology, and newer BYOD alternatives like virtual mobile infrastructure (VMI) are several options for securing remote access to the network.

The combined number of employee and patient devices seeking to connect to an organization's wireless network is much higher after the deployment of mobile strategies, which strains the bandwidth, potentially slowing down operations. Guest network access also needs to be upgraded if patient devices will be exchanging protected health information using the guest network.

For healthcare organizations, personal device use does not end with clinicians and other healthcare employees, but extends to patients as well. The consumerization of IT has played a large part in improving patient experience and quality of care by taking advantage of the technology already at the patient’s disposal.


According to mHealthIntelligence.com, “the healthcare space is taking part in adopting BYOD programs with doctors and nurses communicating with specialists and their patient community through smart phones, text messaging, and other personal mobile devices.”

Patient-owned devices such as smartphones and wearables are capable of performing as well as, or even better than, hospital-issued monitoring devices and are often more cost-effective for the patient and the healthcare provider. mHealthIntelligence.com describes patients using their own devices as a large contributor to patient engagement, stating “an engaged consumer will be more responsive to care management, especially after the visit to the hospital, clinic, or doctor’s office (and that can either be in person or virtually).”

While upgrading aspects of an organization's infrastructure is necessary, the first line of defence against unauthorized device use and shadow IT is employee education. Most users do not intentionally put secure data at risk and are not aware of the implications of using such technology to connect to the network. When users understand the risks, the threat of a data breach goes down considerably.

With each new device release, the demand to use new devices for corporate purposes will continue, making the consumerization of IT something IT departments need to be constantly aware of.

Each organization’s unique situation calls for its own response to the consumerization of IT. Considering all the aspects of the IT infrastructure affected by this movement, it’s not a small task, but it is necessary to protect the network from outside threats.
