Winter 2022

HIPAA Challenges: Security Tips for Personal Devices in the Workplace
By Denis O’Shea
For The Record
Vol. 34 No. 1 P. 24

In the age of the modern mobile workforce, BYOD (Bring Your Own Device) has become the norm, including in the health care industry. Employees familiar with using their own devices don’t want to carry an additional device dedicated to their work. Using their own device makes checking in with the office when they are out more convenient. However, in regulated industries such as health care, BYOD can create significant security risks.

In modern health care, it is fair to assume that physicians are stretched thin. The ongoing COVID crisis has only exacerbated the situation. Overwhelmed or preoccupied physicians and medical staff often share a common and understandable vulnerability: the potential for compromised data on their most-used devices.

One of the major security threats are physicians who communicate sensitive patient information via iMessage or WhatsApp on an unmanaged mobile device. This behavior is not intended to be malicious or haphazard. In fact, the opposite is true: It is always well meaning and patient focused.

Nevertheless, the reality is that it can have severe consequences. If the information is breached, the physician and their practice are in violation of HIPAA regulations. The good news is this risk can be easily mitigated with the right technology and cybersecurity education.

Unsecured Physician Devices Are Pervasive
There is often a fundamental break in the communication between IT leaders and medical personnel. Many hospitals and clinics have done the leg work to put secure clinical communications apps in place, but often the solutions simply aren’t being adopted, giving iMessage and WhatsApp the opportunity to prevail as the dominant communication methods.

There are two risky scenarios that often play out with physicians. However, should these scenarios be explained clearly and consistently by IT leaders, physicians would likely take note and subsequently take further action to secure patient data.

The most common scenario is the shared family device. For example, a physician may have to share an Apple ID between their personal device and a shared family iPad or iMac. Both devices sync to the same iMessage account that might be used for sending or receiving confidential medical data. As a result, conversations a physician may be having with staff about a patient are appearing not only on the physician’s phone but also on the family iPad.

Another common scenario is the use of corporate credentials on a personal device. Most physicians use a personal device for both professional and personal communication. Who can blame them? No one likes carting around multiple devices. But in many cases, these personal devices are not managed and not secured.

Consequently, the larger problem rears its head when they go to the app store and download a public app such as Teams or Outlook using their personal Apple ID. Now they have an unmanaged app on an unmanaged device that may or may not have malware, spyware, or key-logging software. Unfortunately, the next thing doctors do is sign in with their work credentials. If those credentials are compromised, the health care provider is vulnerable to a breach.

Recognizing Personal Devices in the Workplace
It’s important that IT professionals recognize the use of personal devices in the workplace. More so, it is imperative that they communicate the risks of working on personal devices clearly to physicians and other medical staff.

To set your group up for success, consider taking the following steps when developing a plan to secure clinical workers’ devices.

Create a policy that balances security and privacy.
Securing data is critical to the organization at large but when it comes to device management, the employee focus is typically centered around their own privacy. A carefully crafted policy that addresses data security and privacy as two sides of the same coin will set organizations on the right path to a secure, compliant environment. It’s a delicate balance but it’s possible to have both tight security for patient data and privacy for employees.

Implement the right technology.
Research and select the modern device management technology that best meets the organization’s needs. Ensure that the chosen tool can manage work-related apps such as Outlook and Teams without having to manage employee devices. This distinction between app management and device management is critical.

Communicate, communicate, communicate.
When implementing any type of major change, it is vital that all parties are on the same page. Transparency must be always a priority during the security and device management journey. This strategy will ease the minds of end-users uneasy with progress and set the expectation to anticipate change.

Establish a support infrastructure.
As with any rollout, end-users will need support when things don’t go as planned. For clinical workers, support needs can be especially critical and time sensitive. Patient safety demands most of their attention so when they have a need for support, they will expect clinical-grade response times and support service level agreements.

When physicians and medical staff are given secure solutions that are not cumbersome to use and don’t invade their personal privacy, they are very receptive. If physicians had more awareness of the risks involved with sharing sensitive patient information with colleagues and the option of using a secure app, it stands to reason they would choose meeting security requirements over their familiarity with iMessage or WhatsApp.

Patients have entrusted their most personal information to their providers. It’s time that IT leaders and physicians band together to ensure that trust is not broken.

— Denis O'Shea is founder of Mobile Mentor, a global leader in the endpoint ecosystem, helping clients to navigate the right balance between security and employee experience.