By Jason Free
BYOD security strategies from two distinct healthcare organizations.
Whether or not your facility has a formal "bring your own device" (BYOD) policy, chances are good that personal devices are already operating on your site. That matters because, to comply with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must establish policies and processes for managing and classifying devices and for maintaining real-time knowledge of all network activity, regardless of whether that activity originates from company-owned or personal devices. Those tasks can be herculean efforts even for facilities with a large IT staff and robust technology options.
Below are profiles of two healthcare organizations currently running BYOD in secure and efficient environments. They sit at opposite ends of the spectrum in size and in the kinds of BYOD use they support; on close examination, however, they share common points that reveal core strategies any facility can employ when establishing and maintaining a secure, user-friendly policy for outside devices.
Located about 45 miles east-southeast of
"We started looking at BYOD about three years ago. We had a lot of people bringing in mobile devices and, actually, our CEO came in with his iPad one day and asked to be hooked up to our network. That was kind of the writing on the wall for us," says Roberts. "We knew we were going to have to have some type of policy and process in place for allowing outside devices on our systems. We needed to decide whether or not some devices would access patient health information and then how to make them secure and keep HIPAA compliance."
Many facilities have turned to virtual desktops to meet both BYOD and HIPAA demands. Roberts feels such a strategy is not a good fit for
"We looked at virtual desktops," says Roberts. "For small facilities like ours, however, it's kind of a tradeoff right now, as far as cost and the resource allotment that we would need. We're talking about less than 10 users that are actively using remote-type services outside of the facility, or coming in and out with devices. A lot of the strategies like virtual desktops that make sense for a bigger facility will make sense for us, at some point in the future, when the costs come down and the management of those types of services is within the grasp of our two-person IT department."
Rather than trying to leverage a cumbersome set of systems, Roberts sought the help of PFU, a
"To be honest with you," says Roberts, "I really didn't think they would fit with what we were doing, because we are not too concerned with outside devices being on our guest network. But I decided to beta test the devices to see what they could do."
One of the first moves Roberts made with the iNetSec products was to classify and label each hospital device, attaching a specific risk assessment to each. He also created a very restrictive policy governing who may bring their own device and which network those devices may access.