Bring Your Own Device Programs and Health Care: Too Risky to Work?
Recent workplace surveys report that as many as 87% of employees use personal electronic devices for work, raising compliance, data loss, and security risks for their employers. As a result, designing a workable “bring-your-own-device” (BYOD) program is probably overdue.
The immediate reaction of a health care organization is to ban the practice rather than risk compliance problems. BYOD is a tricky issue, without question, but it’s important to consider the realities of the situation rather than getting tied up in an unrealistic policy: 48% of companies claim they would never authorize employees to use personal devices for work, but 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.
Even if you permit BYOD only in limited circumstances, it’s still important to lay the ground rules that will help maximize compliance and minimize risk. We can cover only a few key considerations in this article, but here are some of the major issues.
Information Security and Compliance
HIPAA compliance will be the first concern of any health care organization implementing BYOD, and rightly so. HIPAA is heavy on policy and security requirements, so unless PHI will not be accessed or stored using personal devices, then at least part of that compliance program will need to be revisited. The risk of a reportable security breach also may increase, although that risk is likely already present based on the substantial percentages of employees admitting that they use their own device for work regardless of employer restrictions. Enterprise-managed BYOD may improve the odds by providing malware protection, better access controls, remote wiping, and transmission security.
If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social media policies, were found liable for accessing employees’ social media communication in unauthorized ways, and scaled back reviews of social network sites due to Fair Credit Reporting Act liability. Employers should revisit their social media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls. You can read more about any of these issues in publications available on our website.
Like it or not, employees have some privacy rights not impacted by your warnings that they have no expectation of privacy when using your equipment. Although you can revise applicable policies for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Similarly, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities, such as websites visited, items purchased, books read, games played, photos taken, apps used, and calls and messages sent and received. Your organization must decide the extent to which it needs to know such information and plan accordingly.
e-Discovery and Departing Employees
Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.
Building an Effective BYOD Program
Last, support your security and policy framework with training, reminders, and program reviews to help employees remember the requirements and to help your organization establish legal compliance.