Protecting Health Information in the Era of Mobile Devices: The Practicalities & Problems of BYOD

onlinetech

I’m attending the mHIMSS Virtual Briefing: Securing Protected Health Information held today from 12PM ET-3:15PM ET online at HIMSSVirtual.org. The event features several sessions on the best practices for mobile device use, BYOD (Bring Your Own Device) policy and practice; secure use of social media; and secure provider-patient communication.

The virtual event focuses on the challenge of maintaining mobile security while taking advantage of new technology to more efficiently and cost-effectively track patient health, convert to EHRs, share patient information and more.

Online Tech is an official Platinum Corporate Member of HIMSS, and we’ll be exhibiting our HIPAA hosting solutions at HIMSS ‘13 in New Orleans from March 3-7. Check us out at Booth #1369!

The first session is:

Protecting Health Information in the Era of Mobile Devices: The Practicalities and Problems of BYOD
12 PM-12:30 PM ET

Speaker: Adam H. Greene, JD, MPH, Partner, Davis, Wright and Tremaine, LLP
Co-Chair of DWT’s Health Information Practice
Former OCR Senior Advisor on HIT and Privacy

Description: While mobile computing platforms and devices have presented potentially lower costs and higher quality of service for healthcare businesses, the challenge still remains: 40 percent of security breaches occur today in relation to mobile devices.

Learning Objectives:

  1. Overview of how health IT is being transformed by mobile device use.
  2. Assess the impact of the mobile platform on organizational privacy and security policies and procedures
  3. Identify best practices that healthcare providers can take to ensure PHI is secure with the use of mobile devices

Takeaways:
Greene presented an example case study, partially speculative:

A doctor is presenting his research on a laptop (with PHI on it) in South Korea. While he was traveling, someone stole the laptop. No SSNs or especially sensitive PHI were on the laptop. It included LoJack technology, and when it went on the Internet, it was monitored and remotely wiped.

But what happened to the laptop before it went on the Internet? The hospital filed a breach report, and the OCR opened an investigation. After a breach, the OCR required documents from the hospital, including a copy of their risk assessment. They also asked a number of questions about the hospital…

OCR Questions Include:

  • Where in the risk assessment do you address the risk of PHI going onto personal devices?
  • What policies and procedures do you have regarding PHI going onto personal devices?
  • What technical safeguards do you have to protect against PHI going onto personal devices?

After a 1.5 million settlement with OCR, the hospital went into a three-year corrective action plan.

The moral of the story:
You can choose whether or not to have a BYOD policy, but you can’t choose whether to have a BYOD problem.

Lessons:

  • Ignoring BYOD doesn’t make it go away
  • The OCR expects a risk assessment to address risks of personal devices – they ask very detailed granular questions
  • The risk management plan may include policy, procedures, training, inventory, technical controls, etc.

What BYOD approach works for your organization? (Based on risks you’re seeing, what kind of resources you have available…)

  • Just prohibit the use of personal devices – set a policy prohibiting any PHI or confidential info on personal devices
  • Train staff on the policy
  • Include risk of ePHI on personal devices in the risk assessment/management plan
  • Consider technical safeguards such as data loss prevention
  • Consistently sanction violations

Benefits of Prohibiting BYOD

  • Greater IT control of end devices – lock down devices so apps can’t be added without approval.
  • Greater inventory control
  • Standardization of end-user devices – making IT support easier
  • Strong technical controls can allow greater control over PHI – data loss prevention can control where your PHI is located, keeping it all on enterprise devices
  • Avoid issues of enforcing corporate policy on personal devices – can become problematic with wiping personal devices

Problems with Prohibition on BYOD

  • Clinicians and others do not want to carry two phones
  • Staff will gravitate to the most effective form of communication, even if it violates policy – if texting on devices is prohibited but is the best form of communication between nurses, it will happen eventually despite violating policy
  • Challenge of consistently applying sanctions
  • Large risk of breach without strong technical controls
  • Cost of providing enterprise‐owned devices – equipping everyone with a mobile device can add up

The Middle of the Road Solution

  • Policy permitting ePHI on personal devices with appropriate approval – not just anyone can put PHI on any device. There should be a structured process in place for putting PHI on a device.
  • IT ensures that device has authentication enabled, remote wipe enabled – password protected for authentication, and remote wipe based on lost or stolen devices, or even failed login attempts.
  • Train staff on appropriate access, password requirements, and what to do if device is lost, stolen, or replaced – if upgrading, IT should wipe the device first
  • Include use of personal devices in enterprise risk assessment and risk management plan
  • Consider technical safeguards such as data loss prevention (to ensure ePHI is only going to approved devices)

Benefits of the Middle of the Road

  • Workforce need only carry one device – much happier workforce
  • Potentially lower costs by not furnishing mobile devices

Problems with the Middle of the Road

  • Addressing inventory of devices is challenging – consider whether it’s reasonable or appropriate, what type of inventory you will have, and whether you will try to keep track of all approved devices.
  • Dangers of other apps on device – What free software or applications are being downloaded, and can they potentially intercept data and send to third parties?
  • Risk if staff do not follow password management policy – On a soft keyboard, good password management is particularly difficult.
  • Challenge of enforcing policies (e.g., remote wipe) on personal devices – People likely will not want their personal devices wiped, even if stolen.
  • Vulnerability if device is compromised before remote wipe occurs

Virtualization and Secure Tools

  • Provide personal devices with virtual access to EHR, e‐mail, network files – only provide virtual access to applications, never put ePHI on the actual device
  • Policy permitting use of personal devices to access ePHI only through appropriate methods – if you have virtualization, ensure that people know they should use that and not webmail that could temporarily put email on devices
  • Consider whether to also add remote wiping and password requirements in case of data leakage onto devices
  • Consider providing secure applications – Secure texting: There may be circumstances when you can text limited health information between clinicians, but the government typically looks down upon it. Look into secure texting options.
  • Consider technical safeguards like data loss prevention to avoid ePHI going onto personal devices without appropriate knowledge
  • Include personal devices in risk assessment and risk management plan

Benefits of Virtualization and Secure Tools

  • Workforce need only carry one device
  • Potentially lower costs by not furnishing mobile devices
  • Keep ePHI centralized and more secure while allowing access – better grasp on where your PHI is located throughout the organization
  • Provide tools that allow efficient work (e.g., texting) – you can potentially provide secure texting with a better idea of where information is going, and ensure that info is not being left on unprotected devices

Problems with Virtualization and Secure Tools

  • Cost of virtualization and secure tools.
  • What to do when staff need to work offline – will need to figure out how to let people work from a plane, or other place where they do not have Internet access
  • Challenge of enforcing policies (e.g., remote wipe) on personal devices

Additional Information:

  • Data loss prevention – It will stop some PHI and it will mitigate risk, but it will not be perfect. With DLP, you can’t be entirely sure that PHI won’t make its way out. DLP software can stop SSNs or keywords that indicate diagnostic information from being emailed or shared.
  • Does all PHI on mobile devices need to be encrypted?
  • The Security Rule makes it addressable; you must encrypt where appropriate and reasonable. You have to look at potential threats and risks in order to assess whether or not you need encryption. If you’ve got documentation showing it was reasonable not to encrypt certain information, you may have a case after a data breach. But certain information, such as SSNs, should be encrypted.
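
The data loss prevention point above, sketched as an added example (not from the talk or from any DLP product): an outbound-mail check that flags SSN-like numbers and diagnostic keywords, and a sample it misses. The keyword list, the approved domain and the sample messages are constructed assumptions.

```python
import re

# 3-2-4 digits with optional dash/space separators, not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Hypothetical keyword list; a real deployment would use a clinical vocabulary.
DIAGNOSTIC_TERMS = ("diagnosis", "diagnosed", "biopsy", "oncology", "icd-10")
APPROVED_DOMAINS = {"hospital.example.org"}  # assumed enterprise mail domain

def plausible_ssn(area, group, serial):
    # The SSA does not issue area 000, 666 or 900-999, group 00, or serial 0000.
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def scan(text):
    """Return (kind, match) findings for SSN-like numbers and diagnostic keywords."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)
                if plausible_ssn(*m.groups())]
    lowered = text.lower()
    findings += [("keyword", t) for t in DIAGNOSTIC_TERMS
                 if re.search(r"\b" + re.escape(t) + r"\b", lowered)]
    return findings

def decide(message):
    """Block a message only if it has findings AND leaves the approved domains."""
    findings = scan(message["subject"] + "\n" + message["body"])
    external = [r for r in message["to"]
                if r.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS]
    return ("block" if findings and external else "allow"), findings

# Constructed sample messages (not real data).
SAMPLES = [
    {"to": ["dr.lee@mail.example.com"], "subject": "Chart",
     "body": "Patient SSN 123-45-6789, biopsy results attached."},
    {"to": ["nurse@hospital.example.org"], "subject": "Chart",
     "body": "Patient SSN 123-45-6789, biopsy results attached."},
    {"to": ["billing@vendor.example.com"], "subject": "Invoice",
     "body": "Reference number 000-12-3456 is overdue."},
    # Missed: digits spelled out and no keyword from the list.
    {"to": ["dr.lee@mail.example.com"], "subject": "Follow-up",
     "body": "Her social is one two three, four five, six seven eight nine."},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", decide(msg))
```

The last sample is allowed even though it carries the same identifier as the first, which is why DLP belongs alongside policy, training and the risk assessment rather than in place of them.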

Everyone should figure out their own BYOD approach – what may work well for one organization may not work nearly as well for another. There are BYOD policies out there – mHIMSS.org, under /resource, has a BYOD agreement that may be helpful for organizations to look at.

View a real case study of the use of a virtual environment to securely manage a BYOD environment without jeopardizing sensitive data, presented by Vice President and Chief Information Officer (CIO) Kirk Larson of the Children’s Hospital Central California: BYOD: From Concept to Reality


 


References:
HIMSS Virtual Events: Securing Protected Health Information

The post Protecting Health Information in the Era of Mobile Devices: The Practicalities & Problems of BYOD appeared first on Managed Data Center News.
