BYOD (8)

As Bring Your Own Device (BYOD) solutions become more attractive in healthcare, their increasing adoption needs a rigorous, constructive process. A team at Boston Children’s Hospital (BCH) has built one. In the Journal of Medical Internet Research (JMIR), the team describes how it created a mobile app development guideline for BYOD and applied it to TaskList, an in-house iOS app that medical residents use to monitor, create, capture and share daily collaborative tasks associated with patients. 

The work was done in four phases: 

  1. Mobile app guideline development
  2. Requirements gathering and developing TaskList to fit the guideline
  3. Deploying TaskList using BYOD with end-users
  4. Refining the guideline based on the TaskList pilot.

The result was fourteen practical recommendations in four categories:

  1. Authentication and authorisation
  2. Data management
  3. Safeguarding the app environment
  4. Remote enforcement.

The fourteen recommendations, grouped by the nine types of risk they address, are: 

  1. Unauthorised access to the app and decreased productivity:
    1. Adopt enterprise-standard but usable authentication
    2. Implement role-based access control (RBAC)
  2. Unauthorised access to data:
    1. Implement at least three layers of security on data transmission: transport layer security, access control and content security
    2. Allow apps to work on internal networks or VPN only
  3. Data transmission to unauthorised parties: protect the mobile app’s notifications
  4. Unauthorised access to apps and data:
    1. Prevent apps from working on jail-broken devices
    2. Allow apps to work only on encrypted devices or devices with pass-codes
  5. Unauthorised access to data: require apps to use minimal cache
  6. Unauthorised access to the app: enforce automatic logoff
  7. Data transmission to unauthorised parties:
    1. Limit copy and screen-capture functions
    2. Limit backup to Cloud services
  8. App distribution to unauthorised parties: distribute the app through internal over-the-air installation and updates
  9. Unauthorised access to the app:
    1. Implement remote wipe functionality
    2. Implement the ability to disconnect and block a user at any time.
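To show how several of these recommendations combine in practice (RBAC, internal-network or VPN only, refusing jail-broken and unencrypted or pass-code-less devices, automatic logoff, and blocking a user at any time), here is an added Python example of a server-side access decision. It is not code from the BCH TaskList paper or app; the role names, permission sets, address ranges and idle timeout are assumptions, and the device posture is assumed to come from an MDM or attestation service the server trusts rather than from the app’s own self-report.

```python
"""Posture-gated, role-based access decision for a BYOD clinical app.

Added illustration only; not code from the BCH TaskList paper. The role
names, permission sets, network ranges and idle timeout are assumptions.
The decision is made server-side so that a tampered client cannot simply
skip the checks; the posture report is assumed to come from an MDM or
device-attestation service the server trusts.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress
import time

IDLE_TIMEOUT_SECONDS = 300          # assumed auto-logoff threshold (5 min)

# Assumed hospital address space; VPN clients are given addresses inside it.
INTERNAL_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
)


class Role(Enum):
    RESIDENT = "resident"
    ATTENDING = "attending"
    ADMIN = "admin"


# RBAC table (assumed): each role gets only the actions its job needs.
PERMISSIONS = {
    Role.RESIDENT:  {"task.read", "task.create", "task.update"},
    Role.ATTENDING: {"task.read", "task.create", "task.update", "task.assign"},
    Role.ADMIN:     {"task.read", "user.block", "device.wipe"},
}


@dataclass(frozen=True)
class DevicePosture:
    """What the server knows about the phone making the request."""
    jailbroken: bool
    passcode_set: bool
    storage_encrypted: bool
    client_ip: str


@dataclass
class Session:
    user: str
    role: Role
    last_activity: float      # epoch seconds of the last request
    blocked: bool = False     # set by an admin to cut a user off at any time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple            # every failed check, for the audit log


def posture_violations(posture: DevicePosture) -> list:
    """Return the device-level rules the request breaks (empty if compliant)."""
    violations = []
    if posture.jailbroken:
        violations.append("jailbroken-device")
    if not posture.passcode_set:
        violations.append("no-passcode")
    if not posture.storage_encrypted:
        violations.append("storage-not-encrypted")
    ip = ipaddress.ip_address(posture.client_ip)
    if not any(ip in net for net in INTERNAL_NETWORKS):
        violations.append("off-network")   # neither on the LAN nor on the VPN
    return violations


def authorize(session: Session, posture: DevicePosture, action: str,
              now: float) -> Decision:
    """Fail-closed: every check runs and the request passes only if none fail."""
    reasons = []
    if session.blocked:
        reasons.append("user-blocked")
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        reasons.append("idle-timeout")      # forces an automatic logoff
    reasons.extend(posture_violations(posture))
    if action not in PERMISSIONS.get(session.role, set()):
        reasons.append(f"role-{session.role.value}-denied-{action}")
    return Decision(allowed=not reasons, reasons=tuple(reasons))


if __name__ == "__main__":
    # Constructed sample request: a resident on a compliant phone over the VPN.
    sess = Session(user="r.okoro", role=Role.RESIDENT, last_activity=time.time())
    good = DevicePosture(False, True, True, "10.200.3.17")
    print(authorize(sess, good, "task.create", time.time()))
    # Same user and phone, but now jailbroken and asking for an admin-only action.
    bad = DevicePosture(True, True, True, "10.200.3.17")
    print(authorize(sess, bad, "device.wipe", time.time()))
```

Two design points matter here. The checks are not short-circuited, so a denial records every rule the request broke, which is what an auditor or a help-desk analyst needs; and the decision lives on the server, because a jailbreak check that runs only inside the app can be patched out on the very device it is meant to detect.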

These provide a viable model for Africa’s health systems to adopt. They’ll encourage BYOD use.

Mobiles aren’t truly ubiquitous, but they’re closing in. Many health workers use their own phones for their health duties, the practice known as Bring Your Own Device (BYOD). Health organisations need policies to deal with it. TigerText has provided policy guidelines for healthcare. They apply to general use of personal devices in the workplace, and include:

  • The healthcare organisation will use its discretion to decide which employees may use BYOD
  • All personal devices must be approved by the Information Security Department before they’re used
  • Exercise discretion as personal devices may interfere with productivity and distract others
  • Personal devices may only be used during breaks and meal periods
  • Ensure that friends and family members are aware of this policy
  • The healthcare organisation will not be liable for the loss, theft or damage of any personal devices
  • To ensure confidentiality of Protected Health Information (PHI), never use traditional text messaging or multimedia messaging services when sending work related data with your personal device
  • Download and use the TigerText application when sending messages containing PHI, social security numbers, or financial account information
  • Using TigerText is subject to the healthcare organisation’s Secure Messaging Policy, and employees must read and understand this policy in detail before using TigerText
  • Work related pictures, video, voice files, and other data must be sent within the TigerText application
  • Local storage of work data in personal devices is never allowed
  • Applications that interfere with the functionality of TigerText must never be downloaded on personal devices
  • The healthcare organisation’s policy prohibits screen capture or sharing PHI with users who are not bound by the healthcare organisation’s Privacy Policy
  • All data transmitted for work related purposes using personal devices is the healthcare organisation’s sole property
  • The healthcare organisation has an absolute right of access to all of the data sent with a personal device and may exercise its right whenever management deems it appropriate
  • Personal device users have no privacy rights when using their personal devices in the workplace and healthcare facility
  • Personal devices and messages sent by it can be reviewed whenever management deems it appropriate
  • The healthcare organisation’s general policy for using mobile and personal devices determines when and where they may be used
  • Using them near some types of equipment, or in some parts of the healthcare facility, may be prohibited
  • If personal devices are lost or stolen, owners must notify the healthcare organisation immediately so that the data stored in a TigerText account can be remotely wiped from the devices
  • Users should implement a password on all personal devices used in the workplace to ensure that third party access to content is limited
  • Personal devices in healthcare facilities and property are subject to general policies for safeguarding against cross-contamination and other patient health concerns
  • Disposal or sale of personal devices should be done only after all the healthcare organisation’s data and content is removed, including the TigerText application
  • If employment is terminated, all the healthcare organisation’s content, including the TigerText application, must be removed from leavers’ personal devices
  • All costs associated with personal devices shall be borne by owners, except for the costs of access to TigerText
  • Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

TigerText is a secure, real-time messaging app. Africa’s healthcare organisations may use other, equivalent apps and substitute them for TigerText in the policy template. TigerText points out that the template isn’t legal advice. It does provide a helpful starting point for Africa’s health systems to begin this part of eHealth regulation.

An increasing trend is for health workers to Bring Your Own Devices (BYOD) to work and use them to access their organisations’ information. It poses considerable security risks, but rather than being banned, BYOD can offer benefits if it’s effectively managed and regulated. Spok has published a guide, The 2015 Hospital Guide to Bring Your Own Device Policies, to help healthcare organisations protect sensitive patient information and succeed with BYOD.

It’s based on two main research findings. One is that BYOD policies can save healthcare organisations money. The other is that creating a successful BYOD policy takes time, needing good planning and implementation to maintain the integrity and security of the patient information being accessed and shared through BYOD.

The guide deals with critical points to consider in the design of an effective BYOD policy for a hospital. These are:

  • Who pays for what?
  • If they use it, will you support it?
  • What is effective and acceptable use when it comes to BYOD?
  • Is it safe?
  • The multi-site dilemma.

It provides a sound basis for African countries to develop their BYOD regulations. It’s a short cut to moving ahead.

With the prospect of a progressively increasing role for Bring Your Own Devices (BYOD) in Africa and elsewhere, it’s good to know that there’s advice on how to do it. Gartner has described the challenges, Cisco has an eye on it, and TechRepublic has a report on ten considerations for a BYOD cost-benefit analysis, to help organisations quantify their position after weighing competing risks and opportunities.

  1. New costs of an enterprise Mobile Device Management (MDM) solution
  2. New costs of BYOD policy development and program management
  3. New costs to update enterprise security and help desk to deal with new responsibilities and risks created by BYOD
  4. New risk management expenses
  5. New internal app development costs, to allow BYODs to interact with business systems
  6. New, potentially hidden back-end costs, such as software licensing and increased network traffic
  7. Uncertain costs of BYOD data plans, which could be a cost or a saving, depending on how it’s financed
  8. Potential to reduce the cost of company-owned devices
  9. Potential benefits to employee morale and productivity
  10. Potential benefits of employees being more responsive to your customers – perhaps

Capgemini analysts are upbeat about BYOD, with a recent paper titled “it’s all about employee satisfaction and productivity, not costs.” Technology company Cisco believes BYOD can deliver productivity and cost savings, as explained in its blog. African healthcare organisations want happy, productive employees and cost savings, so BYOD looks promising and worth a closer look.

Analysis firm Gartner has views on Bring Your Own Devices (BYOD), describing it as “a disruptive phenomenon where employees bring non-company IT into the organization and demand to be connected to everything.” They add that it’s often without proper accountability or oversight.

Gartner reports staggering numbers. For example, that “by 2016 over 30% of BYOD strategies will leverage personal applications, data and social connections, for enterprise purposes.” That could be less than two years away.

Gartner describes three challenges:

  1. Governance and compliance to protect organisational regulations, trust, intellectual property and other obligations
  2. Mobile device management to manage growing workforce expectations around mobility and ability to connect multiple devices
  3. Security to protect data and network availability and avoid data loss.

As African organisations prepare to make the most of eHealth opportunities, BYOD will almost certainly be a feature. Keeping an eye on Gartner’s three challenges is essential.

Health workers will bring their own devices to work. Embrace it. Fighting it seems like a losing strategy.

Beaufort Memorial Hospital in South Carolina in the USA adopted a simple regulation regime, as reported in Healthcare IT News. The Hospital’s vice president for information services introduced three simple arrangements to make Bring Your Own Device (BYOD) easy:

  • Make the system invisible, so that security and legislative compliance do not create cumbersome workflow disruptions
  • Go further than personal devices by giving health workers authorised access to applications from desktop computers throughout the hospital
  • Make it simple: workers’ ID badges carry a radio frequency identification (RFID) chip that they use to log on to any computer in the hospital, avoiding the need to remember several passwords.

This offers a good benchmark for African countries developing their hospital information systems. Embracing change rather than fighting offers good potential with BYOD, which is unlikely to go away.

More and more people bring their own devices to work for the convenience of having personal and business-related data on one device. The snag is that Bring Your Own Device (BYOD) is a growing security risk to corporate ICT infrastructures. B2B International’s study Global Corporate IT Security Risks 2013 has shown that the number of IT security incidents involving cell phones and tablets is on the rise. It also suggests that most companies have no plans to limit the use of personal mobile devices for work-related purposes.

According to the study, only 17% of South African companies have developed mobile device security policies for their corporate environments. ICT security incidents involving mobile devices take many different and changing forms, are challenging to keep up with, and will become more diverse and widespread.

B2B International’s survey found that 11% of respondents identified mobile devices as the source of at least one confidential data leak over the past year. Mobile devices were therefore cited as a source of critical data leaks more often than employee fraud (9%), staff sharing data (5%) or corporate espionage (2%).

Effective, tough ICT security policies for mobile devices are essential to reduce the business risks of mobile phones and tablets. That well-developed security policies for BYOD are the exception rather than the rule leaves corporate entities, including healthcare organisations, exposed to risk.

The aphorism “It is better to be safe than sorry” is attributed to the Irish novelist Samuel Lover (1797-1868). It still resonates two centuries on.

BYOD is an expanding practice, and healthcare CIOs and regulators need to respond to it. New technologies bring new practices, leading to anxieties and then to guidance to help calm the nerves of custodians.

For Bring Your Own Devices (BYOD), guidance is plentiful. Two examples are from Kony, a platform provider that helps developers build apps, and MaaS360 by Fiberlink, a firm providing enterprise mobility management solutions. Both have white papers providing guidance for BYOD.

Kony’s white paper, Mobile Application Management: Meeting the BYOD challenge with next-generation application and device management, sets out five principles:

  1. Management primarily at the application, not hardware or firmware layer
  2. Management based on policies, rules and roles
  3. Management as collaboration
  4. Configure once, run everywhere
  5. Visibility everywhere.

MaaS360’s white paper, The Ten Commandments of BYOD, has, predictably, ten measures:

  1. Create Thy Policy Before Procuring Technology
  2. Seek The Flocks’ Devices
  3. Enrollment Shall Be Simple
  4. Thou Shalt Configure Devices Over the Air
  5. Thy Users Demand Self-Service
  6. Hold Sacred Personal Information
  7. Part the Seas of Corporate and Personal Data
  8. Monitor Thy Flock—Herd Automatically
  9. Manage Thy Data Usage
  10. Drink from the Fountain of ROI

This type of guidance gives healthcare CIOs and regulators in Africa a quick start on the issues and practices they need in order to deal constructively with BYOD and its continuing growth. Downloading the white papers needs registration.