BYOD and Your Medical Practice

February 28, 2014
Marisa Torrieri

How to ensure patient data and health information is protected when your physicians use their own devices at your medical practice.

Whether at home, on the road, or in the exam room with a patient, family medicine physician Saroj Misra is almost always armed with two or three devices: his Apple iPhone, iPad, and Macbook Pro laptop.

As a result, the lines between personal and professional sometimes intermingle. A personal text can come from the same unit in which Misra retrieves and updates patient data.

Ordinarily, such frequent use of personal devices to swap patient information with colleagues and access patient records would raise HIPAA red flags.

But a few years ago Misra's employer, St. John Providence Health System in Detroit, which oversees five hospitals and more than 125 medical facilities in southeast Michigan, put into place a "bring your own device" or "BYOD" policy to lessen the likelihood that protected health information (PHI) would ever leak out.

As part of the policy, physicians are required to "attest" in writing that they understand HIPAA and will use their devices in a way to protect their practice - which means implementing a security password and username on the interface - and install a remote-tracking app that allows doctors to erase data should a device get lost or stolen.

"If you don't do these things, you're not allowed to access the EHR system," says Misra.

Today, more physicians like Misra bring their own smartphones, tablets, and other personal devices to work. According to our 2013 Technology Survey, Sponsored by ZirMed, 35 percent of physician respondents said they are using tablets for work purposes. And 51 percent are using smartphones for work purposes. A growing number of organizations are expecting doctors will use their mobile devices to do their jobs, but not all are totally comfortable with this.

"About one-third of [healthcare] organizations embrace clinicians bringing their own devices, about a third are still holding back on that, and there's a middle third that are still actively figuring out how to address it," says Kenneth Kleinberg, managing director of research and insights for The Advisory Board Company.

But while many healthcare organizations embrace doctors using their own gear, not having BYOD policies can be risky and lead to data breach (and HHS financial penalties). Here's how to better manage BYOD at your medical practice.

The rise and risks of BYOD

Today, more physicians than ever use EHRs to document patient data - 76 percent of physicians according to our survey - and most all major EHR vendors now have versions of their flagship products compatible with smartphones and tablets (50 percent of physicians said their EHRs are mobile accessible, according to our survey). Couple the rise of health IT with the growing sophistication of mobile technology, and it's easy to see how most clinicians are tethered to their smartphones and tablets - and why they can't work without them.

"There are advantages to bringing your own device for the organization," says Lee Kim, director of privacy and security for the Health Information Management and Systems Society. "The plus side is the corporation does not have to spend the money to buy the device because it's employee owned. The other advantage is that … your smartphone is with you 24/7 so the employee might be more accessible or responsive. They'll be on that device a lot more than an employer-provided device."

However, data suggest that security is still taking a backseat to convenience.

A March 2013 study of 1,000 full-time American workers on BYOD from Cisco IT channel firms, which resell and service Cisco products in the United States, reveals 89 percent of healthcare workers use their personal smartphones for work purposes. However, 41 percent of healthcare employees' personal mobile devices are not password protected, and 53 percent of healthcare employees access unsecured Wi-Fi networks with their smartphones.

"The biggest issue in healthcare is protecting personal health information," says Kleinberg. "And if there's a breach, then you're in deep trouble. It's very, very serious."

Not only do mobile devices expose practices to a greater likelihood of a security breach, but the consequences of data breach are steeper than ever.

In 2013, HHS' Office for Civil Rights (OCR) released the final HIPAA Omnibus Rule, which modified the HIPAA Privacy and Security Rules, as well as the breach notification rule, to comply with the HITECH Act. The rule enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law. The modification to the breach notification rule requires healthcare entities to essentially prove, through a four-part risk assessment, that there is a low probability that PHI has been compromised. If they can prove that, then they do not need to disclose the breach. Healthcare entities found guilty of data breaches face fines of up to $1.5 million by the government plus notification costs and reputational damage, as they need to notify not only their patients, but also the media if the breach affects more than 500 individuals.

Managing BYOD

For physicians who want to tote their tablets to work, this means there better be some great policies in place to help ensure PHI isn't exposed - as mobile devices are increasingly popular among thieves.

"First, you have to have a written BYOD policy in place that addresses people, processes, and technology," says Kim."Make sure the policy states what the workforce member and the employer can do with the BYOD device, including securing the device and its acceptable use.  Define the processes in terms of BYOD management, including what happens both during normal use and if the device is lost, stolen, or misplaced. Set forth what technology can be used for BYOD, including secure operating systems, networks, and applications. And, finally, address what may happen in case there is a violation of the policy."

Second, she adds, practices need to train their workforce on the BYOD policy.

"Do not assume what your workforce members may or may not do, such as taking for granted that they will do the right thing or that they understand [the policies]," says Kim. "Teach them best practices on how to safely and securely use the device."

Third, make sure that your entire organization is on board with BYOD.

"Communicate relevant information across departments, including IT, HR, and management," says Kim. "BYOD needs to be managed for the entire duration that the device and the workforce members are associated with the organization. Any information pertinent to people, processes, or technology, and BYOD must be communicated throughout the organization."

In a 2012 industry research report on how healthcare organizations can adapt to the "mobility movement," Barry Runyon, an analyst with IT research firm Gartner, recommended practice managers and physicians in charge of policies, as well as their IT staff or consultants they work with, ask themselves the following questions in order to shape their BYOD initiatives, and figure out what rules should apply to physicians who BYOD:

• Can users of personal devices access mission-critical business and clinical applications?

• What liabilities, if any, does the healthcare organization face if clinicians choose to use personal healthcare applications for reference, dosing, or other calculations?

• Is it feasible to protect PHI by restricting applications to those apps that don't hold persistent data on the device?

• Which users have the greatest need for a BYOD approach?

• Do users need offline access to the data?

Practices may even want to consider using mobile device management (MDM) technology, which allows organizations to configure, monitor, secure and control mobile devices remotely. There are a growing number of vendors who offer this technology to healthcare organizations, says Kleinberg.

"It can utilize the capabilities of the devices and the operating systems," says Kleinberg. "For example, MDM could be used to ensure that before a device connects to the corporate network, it has a secure password, a time-out maximum set, the proper encryption settings, the proper wireless network settings, a virus scan capability, the right [operating system] updates, and so on. While the device is being used, MDM can monitor the amount of network usage, or the status of the battery … It can be used to detect if the operating system has been compromised."

To see some of the latest media tablets targeting physicians with BYOD features, see http://bit.ly/byod_docdevices.

Safer texting

In addition to setting requirements for BYOD, Misra's healthcare organization also has rules and guidelines for using mobile devices for text messaging, an increasingly common means of communication among physicians.

"[Text messaging] security relies on a third party that is not directly involved in the care of the patient - usually your telecommunications company," says Misra. "For example, I might be texting another physician from my smartphone to their smartphone … about a patient in 651A, giving their name … and while that message is 'secure' there's still the possibility that somebody at AT&T could potentially access it."

While there are a growing number of text "solutions" that allow physicians to communicate securely, Misra's health organization prefers using a secure text-messaging system allowing physicians to send confidential information in an encrypted state within a healthcare's internal network.

Misra admits using the app is a little bit of a pain that requires unlocking his phone and logging into the app with a second password, defeating the premise of text messaging as a quick, convenient means of communication.

However, the risk of text messages linked to data breaches is one your practice may not want to take.

"More and more physicians are starting to see their device become their office and they have to protect it and lock it up," says Misra. "It's the digital equivalent of putting a padlock on their office door each night."

Providing devices: A BYOD alternative

Still on the fence about whether physicians at your practice should be allowed to use their personal devices for work purposes? If so, you might want to consider an alternative: one where your practice provides devices for its physicians.

This is the approach favored by Community Care, a multispecialty medical group with locations around the Albany, N.Y., area, which employs 240 physicians.

The organization provides up to four devices per physician, including a Lenovo convertible tablet, iPads, and iPhones.

"They are not allowed to BYOD to the party," says Barbara Morris, Community Care's chief medical officer. "In order for them to be connected to our secure network and our servers, they have to acquire their device through the company."

While doing this isn't cheap - Morris estimates it costs about $500 per physician, plus monthly data charges - she says it's more cost effective than having the IT department manage multiple personal devices with different operating systems, or the practice having to pay HIPAA fines for data breaches.

"Patient data has to be totally, totally protected and secure from not just a good clinical quality practice perspective, but because of HIPAA," says Morris. "In order for physicians to use [their devices] to access patient information, they also have to access it through our network."

By providing devices to physicians, Community Care can also more easily remotely track and wipe devices that are lost. The practice also has a policy in place that states that no one is allowed to communicate through a non-Community Care practice channel with patients or each other. Therefore, texting about patients is currently prohibited.

While some physicians have complained about not being able to use their own devices, most physicians are pretty satisfied with the policy, says Morris.

"More importantly than headaches, we've avoided loss or compromise of patient data," says Morris. "We've avoided having to technically support a variety of different devices of the provider's choosing. Those are the big things."

In Summary

Today, more physicians are using their own mobile devices for work purposes. To protect your practice from possible data loss, millions in fines, and other damage, consider:

• Creating BYOD policies, covering how physicians are using their mobile devices;

• BYOD policies that address people, processes, and technology;

• Training physicians on security and your practice's BYOD policy;

• Implementing a secure way for physicians to text message patients and each other; and

• The alternative of providing corporate devices to doctors.

Marisa Torrieriis an associate editor at Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the March 2014 issue of Physicians Practice.