Recent workplace surveys report that as many as 87% of employees use personal electronic devices for work, raising compliance, data loss, and security risks for their employers. As a result, designing a workable “bring-your-own-device” (BYOD) program is probably overdue.
The immediate reaction of a health care organization may be to ban the practice rather than risk compliance problems. BYOD is a tricky issue, without question, but it’s important to consider the realities of the situation rather than getting tied up in an unrealistic policy: 48% of companies claim they would never authorize employees to use personal devices for work, yet 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.
Even if you permit BYOD only in limited circumstances, it’s still important to lay the ground rules that will help maximize compliance and minimize risk. We can cover only a few key considerations in this article, but here are some of the major issues.
Information Security and Compliance
HIPAA compliance will be the first concern of any health care organization implementing BYOD, and rightly so. HIPAA is heavy on policy and security requirements, so unless personal devices will never access or store PHI, at least part of that compliance program will need to be revisited. The risk of a reportable security breach also may increase, although that risk is likely already present given the substantial percentage of employees who admit to using their own devices for work regardless of employer restrictions. Enterprise-managed BYOD may improve the odds by providing malware protection, better access controls, remote wiping, and transmission security.
Social Media
If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social media policies, have been found liable for accessing employees’ social media communications in unauthorized ways, and have scaled back reviews of social network sites due to Fair Credit Reporting Act liability. Employers should revisit their social media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls. You can read more about any of these issues in publications available on our website.
Employee Privacy
Like it or not, employees have some privacy rights that are not waived by your warnings that they have no expectation of privacy when using your equipment. Although you can revise applicable policies for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Moreover, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities, such as websites visited, items purchased, books read, games played, photos taken, apps used, and calls and messages sent and received. Your organization must decide the extent to which it needs to know such information and plan accordingly.
e-Discovery and Departing Employees
Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.
Building an Effective BYOD Program
The first step in building an effective BYOD program is to identify your security framework. At minimum, policies and/or terms of use should require device-level security such as strong passwords, malware protection, encryption, time-outs following inactivity, and remote wiping capabilities. Mobile device management (MDM) provides a more advanced option; most MDM products give employees a secure tether to the office to access resources remotely through an application on the device. MDM solutions improve upon device-level security by minimizing the risk of data loss and preserving data integrity and access control through containerized solutions. For the command-and-control set, a virtual-desktop infrastructure (VDI) may hold appeal. With VDI, applications and data are stored centrally, unlike MDM, where some data and apps live locally on the device. Maintaining secure access credentials and effective user authentication remains paramount, but the device itself contains no work-related data to be lost or breached. To determine which approach is best, inventory your business units, their activities, and their current or proposed use of mobile devices.
The next major step is to provide a program framework through documentation. A written program policy is needed to establish privacy boundaries and set security expectations. You also should review existing social media, security, and compliance policies to ensure you have not set contradictory requirements or limitations. The last piece of documentation should be terms of use that employees commit to (including remote wiping of all content) in exchange for the privilege of using BYOD.
Last, support your security and policy framework with training, reminders, and program reviews to help employees remember the requirements and to help your organization establish legal compliance.