10 ways to meet BYOD security requirements
In our last post we discussed how mobile devices offer challenges for hospital security. We took IT groups and healthcare practitioners into account when developing ten suggestions to help healthcare organizations design an effective BYOD policy to help meet HIPAA and PHI security requirements.
- Examine and update security policies. Review your current security policies for web applications (CRM, email, portals), VPN and remote access. Many of these apply to mobile devices as well
- Determine devices you want to support. Not every device will meet the security requirements of your organization and you don’t want to have to test all possible platforms. Also, physically inspect devices to make sure they haven’t been jailbroken or rooted.
- Set expectations clearly. Instituting proper security protocols may mean IT has to change physician mindsets. Security adds additional layers for an organization to work with, but this is a small inconvenience when compared to the potential chaos caused by a security breach.
- Create a Personal Identification Number. Make a personal identification number (or other client authentication) mandatory. This is the first line of defense against a lost device.
- Enforce data encryption at rest. Any applications downloading and storing data on a BYOD device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
- Decide on application availability. With many applications available, which do you permit? Are there specific applications or a class of applications you want to keep off the device? This can be difficult to achieve, but malware and rogue applications can cause serious damage without users realizing it.
- Provide training to physicians and hospital staff. Make sure they understand how to use their applications, make the most of their mobile capabilities and watch for suspicious activity.
- Search for applications with auditability, reporting and centralized management. As mobile devices become information conduits it’s important to have these. Applications with such features are easier to trace back to any potential data breaches.
- Consider mobile device management software (MDM). MDM software can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring and remote wipe capability.
No single solution will solve all your BYOD issues, but a combination of policies, education, best practices and third-party solutions can help mitigate security concerns. By defining goals and setting up guidelines and policies, you can lay the foundation and flexibility you need to meet HIPAA and PHI security requirements.