With the use of mobile devices in the market place and common concerns around securing data and meeting compliance requirements, many IT executives are continuously reviewing the state of their mobile device management strategy as well as the current market threats. But for many who are in the initial stages of implementing a BYOD policy there are several considerations they can take as to what to focus on when ensuring the security of their data with mobile device access.
There are two use cases to consider with mobile devices and how to properly secure them. The first case is when hospital users bring their own devices and use them to access protected health information as well as internal data. The second case is corporate devices provided and managed by the organization.
For personal devices, IT departments must engage the users and apply some of the following steps to help ensure that when data is access remotely, there are adequate safeguards to ensure it protection.
For employees personal devices:
- Implement applications, which would reside on mobile devices to set up a secure connection to the health system’s data and limit content access (disable copying text and other functions such as screen capture).
- Provide users with self-management tools that will allow users to perform remote erase and locate their devices when lost.
- Educate and encourage users to properly secure their devices with pass-codes, passwords and encryption when available.
- Control the number of devices enrolled under a single user
- Ensure that mHealth Apps if installed directly on the devices that their data is encrypted or that no data is stored locally on the device such as patient information.
For corporate devices:
- Use an MDM that provides adequate controls to lock down the devices
- Use an MDM tools to remote wipe devices when lost or compromised
- Use AV and Malware protection for the devices to ensure they are not infected
- Implement security policies for strong passwords
- Ensure that mHealth Apps if installed directly on the devices that their data is encrypted or that no data is stored locally on the device such as patient information.
It is critical to enable users to not be extremely limited in use of the mobile devices, so to ensure compliance with HIPAA and other regulatory compliance requirements, there must be a clear separation of personal data on the devices as well as the corporate data. There are several MDM platforms that have enabled hospitals to simplify the management and security of mobile devices and ensure that a BYOD is implemented successfully.