Bring your own device or bring your own disaster?
BOSTON--Healthcare organizations should take caution when allowing employees to bring their own device (BYOD) to work, as this can create privacy and security gaps and raise a number of legal issues if not handled appropriately, said Marti Arvin, chief compliance officer at the David Geffen School of Medicine at UCLA Health System, speaking at the Medical Informatics World Conference on April 28.
Organizations do see a number of benefits when employees are allowed to bring their own mobile device. For instance, productivity increases, it gives employees more flexibility, it decreases infrastructure and device costs, it improves employee and physician morale and heightens staff availability, she said.
But privacy and security risks abound. For instance, Arvin asked the simple question of whether all employees keep their security patches up to date. Even if providers want to require employees to install software, such as mobile device management solutions, on their personal devices to enhance security, many employees are wary of opening up their personal data to a third-party company.
Litigation holds on personal devices are another matter. “I’m at a public institution, and we’re subject to the Open Records Act,” Arvin said. If an employee stores UCLA data on their own device, the entire device, personal data included, becomes subject to the act.
Other issues are that employees often share devices with family members, and data can automatically upload to the cloud using certain services. “If you are using a personal iPad for work and it starts backing up data, can you control that?”
Moreover, workplace laws come into play when there is documented evidence that an employee has worked extra hours, such as answering emails during the weekend. Under labor laws, “even if it’s not approved, you are still obligated to pay them,” Arvin said.
The issue of what happens to data when an employee leaves a healthcare organization is another problem. “We are on the wall of shame,” she said. “We had an incident when someone left their employment, and had our data on their hard drive. It was encrypted, but the password was there next to the laptop. The house got broken into” and those data were compromised, she said.
In that particular incident, 16,000 patient records were put at risk.
“On a 64-bit thumb drive, you can store a heck of a lot of data and not realize it,” Arvin added.
Knowing whether data truly have been wiped from a departing employee’s device is not easy, she said. With data on their devices, it is easier for physicians to take their patient lists, researchers to take research data and administrators to take a strategic plan.
Another hot issue is employees forwarding work email to their home email addresses. She cited a 2013 Ponemon Institute survey that revealed that more than 50 percent of employees email corporate information to personal email accounts. Also, one-third of respondents upload corporate documents to their personal Dropbox.
Despite these challenges, Arvin offered a number of legal approaches and policies to best manage BYOD:
- Employees must have no expectation of privacy
- Require use of passwords
- Require use of screensavers
- Require use of screen locks
- Prohibit uploading to the cloud
- Require purchase of mobile device management software
- Require immediate notice of lost, stolen or misplaced phones
Arvin recommended that employees sign an agreement and acknowledgement of such practices.
Also, she suggests a litigation hold policy that allows access to devices and home computers that may hold records of interest and that prohibits destruction of affected records. Employers should also set up a “Safe App” store for employees and define acceptable use limits.