Coming up with an acceptable usage policy for BYOD is critical for any organization, but it is even more important in a healthcare environment.
HIPAA regulations stipulate that healthcare providers must keep patient data private, and must take appropriate measures to ensure that the patient data remains secure. This can be especially tricky in an organization that allows BYOD, because end users' personal devices tend to be notoriously insecure.
Here are some things you should be thinking about when establishing your own user device policy:
Why create a policy?
Even the most casual of healthcare environments need a formalized BYOD policy. As you design the policy, the No. 1 thing that you must keep in mind is its defensibility. The policy must be able to hold up to a HIPAA audit by convincing the auditors that the policy does nothing to compromise the privacy or security of sensitive data.
Likewise, the policy must set very clear standards for end users. It should specify exactly when and how end user device usage is allowed. If you deny a user's request to use their own personal device, you should be able to point to a reason for the denial within the formal policy. The policy should be written in such a way that would make your actions and decisions defensible in court should an end user ever challenge your decision.
One of the first issues that you will have to address within your mobile device usage policy is that of data access. The policy should very clearly state which types of data or other system resources can be accessed remotely and by whom. For example, some healthcare organizations will allow doctors to remotely access electronic health records, but deny this privilege to all other users on the basis that no one other than doctors has a legitimate need to access electronic health records from outside of the facility.
What types of devices are allowed?
Another very critical issue to consider is the types of personal devices that you will allow. Your policy should specifically list makes and models of tablets and smartphones that you will permit users to use. If you do decide to allow end users to access the organization's resources from their own personal computers, there should be policies in place dictating operating system requirements.
Obviously, each organization has its own ideas about which mobile devices are permissible and which ones are not. When deciding which types of devices to allow, you should consider the devices ability to keep sensitive data secure. For example, you might choose to disallow devices running iOS 3 and earlier on the grounds that these devices do not support hardware level encryption.
PCs require special consideration because they are so difficult to secure. Recently, some organizations have begun providing mobile users with a BitLocker-encrypted flash drive containing Windows to Go. Users are able to boot their own personal laptops from the USB flash drive to access a secure and fully sanctioned copy of Windows 8.
What is your support policy?
One aspect of the personal device usage policy that is often overlooked is the support policy. You will need to decide whether or not the help desk will be allowed to service requests related to personal devices. If you do decide to let the help desk staff assist with users' personal devices, then you will need to provide the help desk staff with training on the approved devices. Likewise, it is a good idea to set formalized limits on the types of problems that the help desk is authorized to assist with. After all, you don't want users tying up the help desk because they are having trouble installing Angry Birds.
Where is data to be stored?
One of the most critical decisions that you will have to make involves data storage. Ideally, all data should remain centrally stored on the organization's servers. If you do have a business need that requires data to be stored on end users' mobile devices, then the data will need to be encrypted and you will need to have security mechanisms in place to ensure that the data is destroyed in the event that the device is ever lost or stolen.
What is the policy for provisioning devices?
One last issue that deserves serious consideration is the device provisioning policy. Some organizations allow users to provision their own devices through a self-service portal. In a healthcare environment, however, it is generally advisable to make the help desk responsible for device provisioning. Doing so reduces the chances that a user will provision an unauthorized device.
When a user submits a device provisioning request, it is a good idea to make that user sign a copy of the acceptable use policy. This provides you with a written record that can serve as evidence that the policy has been explained to the end user and that the end user knows exactly what they are and are not allowed to access using their mobile device.
These are all fairly broad concepts and when you drill down into each one, you're going to see a lot of work. Your data access policy, for instance, not only needs to work for your hospital but must also be compliant to both privacy laws and meaningful use policies. Lists of supported devices will require constant research and revision. But given the consequences of BYOD policies failing in a hospital environment, the work is critical, so don't skip on thinking deeply over each of these concepts.