Bring Your Own Device (BYOD) Guidance
August 30, 2016
Bring Your Own Device, or BYOD, is when employers allow their employees to use their own electronic devices (phones, computers, tablets, etc.) on the organization’s network.
BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹
Despite its growth, not many organizations are completely confident in BYOD. In 2016, NueMD conducted a HIPAA survey. In this survey, they asked participants how confident they are that the devices they use in their business are HIPAA compliant, and found that only 20% of respondents were at all confident.²
BYOD can open organizations up to serious security issues if not handled correctly. Since employees are using their own devices, they will take these devices home (and everywhere else); thus, there is more of a chance for these devices to be lost or stolen. Electronics were a lot more secure when it was the norm to leave them in the office. It was up to the company to protect those devices. Now with BYOD, employees will have to use extra caution in order to keep their devices safe.
BYOD also opens up organizations to malware. With an employee using the device for personal use as well, it is easier for a phishing email to reach the employee if the proper security software is not loaded. In addition, malware may be part of a download when unapproved applications are added by the employee. That malware would then affect everything on the device, including work related information. This puts the PHI on your network at risk.
Obviously, there must be some positives to BYOD, or it would not be as popular as it is. The main advantage is that it cuts costs for the organization. If employees can bring their own devices, organizations can save money because they do not have pay to provide devices for employees. BYOD also results in better productivity because employees are using a device they already understand. No time is wasted on training employees how to use the device.
The implementation of BYOD has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that respect the privacy of the user’s device. Access should only be requested for security reasons outlined in your policy. If you do choose to implement BYOD, it’s important to clearly define this decision in your policies and procedures.
First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:
- What apps are employees allowed to run?
- What websites should and shouldn’t be accessed?
- Can they be used for personal use during work?
- Will you allow laptops, phones, and tablets?
- What type of devices will you allow (Apple, Android, Windows, Blackberry, PC, etc)?
- How are you encrypting devices?
- Is the device configuration set up by the organization’s IT department?
- Is connectivity supported by IT?
- How often will you require a password change?
- Do you have a remote wipe policy?
Second, decide whether or not to implement Mobile Device Management (MDM). MDM creates a single unified console through which IT can administer different mobile devices and operating systems. MDM allows an organization’s IT department to do things like remotely wipe devices, encrypt devices, secure VPN, and locate devices.
MDM allows you to selectively wipe the information lost on stolen devices. Some devices such as iPhones have a built-in application (i.e. Find My iPhone). Android phones can be tracked and wiped using Android Device Manager. Both applications are great for individuals, but not necessarily the best option for an enterprise situation where you will need to track more than one device. Wiping a device is a heavy handed approach that may make employees hesitant to use their device on your network, as all of their personal information could be wiped along with work related data. With BYOD in place, employees know what’s expected of them when they use their personal devices at work, including the possibility that the company will use MDM to remotely wipe information as needed.
Alternatives to consider are Mobile Application Management (MAM) and Agentless BYOD. MAM is software that controls access to mobile apps on BYOD devices. A report by Bitglass found that only 14% of participants have adopted MAM. Accordingly, MAM never really took off, and MDM has now stagnated due to privacy concerns.³ Their solution is Bitglass Agentless BYOD, which protects corporate data on any device without an application. It also has an automated deployment process that does not require IT intervention. Agentless BYOD is meant to be more secure and less strict on the employee because of its selective wiping capabilities.⁴
Finally, a BYOD policy agreement should confirm that the BYOD user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on their device. Therefore, the organization has the right to take away access to the company network at any time. The BYOD agreement should be signed by the user, a department manager, and IT. For more information and guidance on creating a BYOD Policy, contact Total HIPAA at firstname.lastname@example.org.