August 31, 2014


Bring Your Own Device Programs and Health Care: Too Risky to Work?

Recent workplace surveys report that as many as 87% of employees use personal electronic devices for work, raising compliance, data loss, and security risks for their employers. As a result, designing a workable “bring-your-own-device” (BYOD) program is probably overdue.

The immediate reaction of a health care organization is to ban the practice rather than risk compliance problems. BYOD is a tricky issue, without question, but it’s important to consider the realities of the situation rather than getting tied up in an unrealistic policy: 48% of companies claim they would never authorize employees to use personal devices for work, but 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.

Even if you permit BYOD only in limited circumstances, it’s still important to lay the ground rules that will help maximize compliance and minimize risk. We can cover only a few key considerations in this article, but here are some of the major issues.

Information Security and Compliance

HIPAA compliance will be the first concern of any health care organization implementing BYOD, and rightly so. HIPAA is heavy on policy and security requirements, so unless PHI will never be accessed or stored on personal devices, at least part of that compliance program will need to be revisited. The risk of a reportable security breach also may increase, although that risk is likely already present given the substantial percentages of employees who admit to using their own devices for work regardless of employer restrictions. Enterprise-managed BYOD may improve the odds by providing malware protection, better access controls, remote wiping, and transmission security.

Social Media

If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social media policies, were found liable for accessing employees’ social media communication in unauthorized ways, and scaled back reviews of social network sites due to Fair Credit Reporting Act liability. Employers should revisit their social media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls. You can read more about any of these issues in publications available on our website.

Employee Privacy

Like it or not, employees have some privacy rights not impacted by your warnings that they have no expectation of privacy when using your equipment. Although you can revise applicable policies for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Similarly, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities, such as websites visited, items purchased, books read, games played, photos taken, apps used, and calls and messages sent and received. Your organization must decide the extent to which it needs to know such information and plan accordingly.

e-Discovery and Departing Employees

Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.

Building an Effective BYOD Program

The first step in building an effective BYOD program is to identify your security framework. At minimum, policies and/or terms of use should require device-level security such as strong passwords, malware protection, encryption, time-outs following inactivity, and remote wiping capabilities. Mobile device management (MDM) provides a more advanced option; most MDM products give employees a secure tether to the office for accessing resources remotely through an application on the device. MDM solutions improve upon device-level security by minimizing the risk of data loss and preserving data integrity and access control with containerized solutions. For the command-and-control set, a virtual-desktop infrastructure (VDI) may hold appeal. With VDI, applications and data are stored centrally, unlike MDM, where some data and apps live locally on the device. Maintaining secure access credentials and effective user authentication remain paramount, but the device itself contains no work-related data to be lost or breached. To determine which approach is best, inventory your business units, their activities, and their current or proposed use of mobile devices.

The next major step is to provide a program framework through documentation. A written program policy is needed to establish privacy boundaries and set security expectations. You also should review existing social media, security, and compliance policies to ensure you have not set contradictory requirements or limitations. The last piece of documentation should be terms of use that employees commit to (including consent to remote wiping of all content) in exchange for the privilege of using BYOD.

Last, support your security and policy framework with training, reminders, and program reviews to help employees remember the requirements and to help your organization establish legal compliance.

© 2014 Poyner Spruill LLP. All rights reserved.

About this Author

Tara N. Cho, Poyner Spruill Law Firm, Privacy Attorney
Associate

Tara’s practice focuses on privacy and information security. She advises on privacy issues and the identification of potential risks, and on the development of associated policies and procedures to maintain compliance. She is also experienced with privacy compliance auditing, regulatory requirements in clinical research, European data protection requirements and Safe Harbor certifications, data transfer agreements, and contract negotiation.

919-783-1079
Elizabeth Johnson, Privacy, Information Security Attorney, Poyner Spruill, law
Partner

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected in the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utilities, technology, consumer goods, and client services. Elizabeth has also worked with organizations of various sizes and scopes, ranging from Fortune 100 companies with international reach to local charities. She was listed among the top privacy professionals in Computerworld’s...

919.783.2971