Healthcare organizations of all sizes allow employees to use their personal devices, such as smartphones, to access protected health information (PHI). This is often called “bring your own device” (BYOD). Using personal devices at work is quick and convenient. However, if handled improperly, personal devices can be a security threat.

Below are some of the security issues that you must address if your organization has, or plans to have, a BYOD policy.

  • Encryption. Although it’s simple and inexpensive to encrypt devices, most BYOD devices are not encrypted, probably because they aren’t viewed as work devices. Nevertheless, personal devices should be encrypted before accessing PHI.
  • Loss or theft of a device. Most BYOD devices – such as laptops, tablets, and cellphones – are mobile and can be easily misplaced or stolen. Make sure your organization has policies in place for reporting lost or stolen devices.
  • Unauthorized access or viewing. When working on a personal device away from the office, it’s hard to keep others from seeing the screen. HIPAA requires you to limit PHI access to only those who need it to perform their job. Therefore, employees using a personal device shouldn’t access PHI in areas where someone may see the screen.
  • Public Wi-Fi. Free or public Wi-Fi is not secure and could put your PHI at risk. Tell employees to only access PHI on secure networks.

Steps to Secure Personal Devices

Mobile devices could be helpful to your team’s workflow, or they could pose a serious security threat. Take these steps to secure BYOD devices:

  1. Have the IT team inspect each device before allowing it to access PHI. They will make sure the device follows the same security protocols as the organization-owned devices.
  2. Train employees on BYOD policies and procedures before allowing them to use the device to access or send PHI.
  3. Include BYOD devices on your inventories and risk assessments.
  4. Make sure you know how to safely reuse a device once an employee is no longer using it for work.
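One way to turn the four steps above, together with the issues listed earlier (encryption, lost or stolen devices, public Wi-Fi), into a repeatable check is a small posture gate that runs over the device inventory and reports why a given personal device may not access PHI. The code below is an added example, not HIPAAtrek's product or any real MDM tool; the device fields, the inventory records and the set of approved networks are constructed assumptions.

```python
"""BYOD posture gate: decides whether a personal device may access PHI.

Added example with constructed data. The field names, inventory records
and the SECURE_NETWORKS set are assumptions, not a real MDM schema.
"""
from dataclasses import dataclass

# Networks the (assumed) policy accepts for PHI access; public Wi-Fi is not one.
SECURE_NETWORKS = {"corporate", "vpn"}


@dataclass
class Device:
    device_id: str
    owner: str
    encrypted: bool          # device/disk encryption enabled
    it_inspected: bool       # IT reviewed the device against org standards (step 1)
    owner_trained: bool      # owner completed BYOD policy training (step 2)
    in_inventory: bool       # listed in the asset inventory / risk assessment (step 3)
    owner_active: bool       # owner still uses the device for work (step 4)
    reported_lost: bool = False
    network: str = "unknown"  # "corporate", "vpn", "public", "unknown"


def phi_access_findings(dev: Device) -> list[str]:
    """Return every policy failure for this device; an empty list means compliant."""
    findings = []
    if dev.reported_lost:
        findings.append("device reported lost or stolen: revoke access and wipe")
    if not dev.owner_active:
        findings.append("owner no longer uses device for work: wipe PHI before reuse")
    if not dev.encrypted:
        findings.append("device not encrypted")
    if not dev.it_inspected:
        findings.append("device not inspected by IT")
    if not dev.owner_trained:
        findings.append("owner has not completed BYOD training")
    if not dev.in_inventory:
        findings.append("device missing from inventory and risk assessment")
    if dev.network not in SECURE_NETWORKS:
        findings.append(f"current network {dev.network!r} is not approved for PHI")
    return findings


def allow_phi_access(dev: Device) -> bool:
    """Deny-by-default: access is allowed only when no finding remains."""
    return not phi_access_findings(dev)


def summarize(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device id to its findings, for a compliance report."""
    return {d.device_id: phi_access_findings(d) for d in devices}


# Constructed sample inventory (not real devices or people).
SAMPLE_DEVICES = [
    Device("phone-001", "nurse.a", encrypted=True, it_inspected=True,
           owner_trained=True, in_inventory=True, owner_active=True,
           network="vpn"),
    Device("tablet-002", "clerk.b", encrypted=False, it_inspected=True,
           owner_trained=True, in_inventory=True, owner_active=True,
           network="public"),
    Device("laptop-003", "dr.c", encrypted=True, it_inspected=True,
           owner_trained=True, in_inventory=True, owner_active=True,
           reported_lost=True, network="corporate"),
]

if __name__ == "__main__":
    for device_id, findings in summarize(SAMPLE_DEVICES).items():
        status = "ALLOW" if not findings else "DENY"
        print(f"{device_id}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The check is deny-by-default: a device that is missing from the inventory or has not been inspected is refused even if every other attribute looks fine, which mirrors step 1 (inspect before granting access) rather than granting access and hoping to catch problems later. Feeding the same function from an MDM export, rather than the constructed list here, is the obvious next step.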

See this article about accounting for mobile devices, reusing them, and disposing of them.

The HIPAAtrek platform is designed to house your organization’s policies and procedures, including BYOD policies, to help keep you HIPAA compliant. Request a demo or contact us with questions about your HIPAA compliance program.