Instituting a Successful BYOD Policy for Your Practice

July 22, 2015
Aine Cryts

Physicians want access to patient data on the go, but practices need to have a secure BYOD policy. Here are a few steps to protect data within the EHR.

Having a BYOD (Bring Your Own Device) policy is about more than HIPAA compliance, said Jerry Coil, executive advisor to the Los Angeles, Calif.-based L.E.K Consulting healthcare practice. “Access to patient information by hackers and malware is a serious concern. This type of information makes practices attractive to people looking to steal data.”

Limit Access to Secure Patient Data

“It’s not a balancing act,” said Coil. It makes sense that physicians want to be able to see their patients’ lab results but your biller doesn’t need to see lab results, he said. His advice? Make sure that any patient information within the EHR that’s viewable on a smartphone only uses the device as a browser. “Physicians should be able to see the patient information, but it shouldn’t be on the physical device because the device can be stolen.”

Coil advised practices to be fairly restrictive with who has access to information within the practice’s firewall. You have to put controls on that, and that means limiting who gets smartphone or tablet-based access to patient information in your EHR, he said.

He pointed out that this can be challenging when a physician owns the practice and wants to share the same security rights they have with office staff. “That’s a recipe for disaster. If the front-office staff can [access patient data within your EHR on their smartphones], a hacker can, too,” said Coil.

A Strict BYOD policy is a Must

For Coil, a strict BYOD policy means keeping patient data behind the firewall and tightly regulated. The point isn’t to make your practice impenetrable, he said. What matters is making it more difficult to access your patients’ data than that of the practice next door.

You need to have a written BYOD policy and you have to follow it, he said. That way, you can instruct people about what the policy is and enforce when necessary. “You find that with a lot of smaller practices, exceptions are made on the fly or out of the convenience at the moment,” said Coil.

The best approach for educating staff members about the policy is to acknowledge while it’s more convenient to access patient data via the practice’s EHR from home on your smartphone or tablet, the practice’s policy doesn’t allow it, he said.

Security Doesn’t Have to be Cost Prohibitive

According to Mac McMillan, CEO of Austin, Texas-based CynergisTek, organic security features that come with smartphones can be helpful. In most cases, these security features - such as requiring a password to access the device or turning on the Find My iPhone feature - are free. “It’s just a matter of turning [on these features] and configuring them,” he said.

McMillan recommended that practices set up mobile devices with requirements for stronger, more complex passwords. When employees have the Find My iPhone feature enabled, they can tell if the device is stuck in the laundry or if it’s 40 miles away and heading north, he said. If that happens, the practice can disable access to EHR data from that device.