
Bring Your Own Device


Academic year: 2021


A White Paper Prepared by Bob Wolverton, Ed


What is the state of the industry regarding the burgeoning demand from a significant number of healthcare providers to use their own tablets or smart phones while working with patients? The Bring Your Own Device (BYOD) trend is a topic of discussion throughout the Telehealth industry and few solid solutions have been offered.

The Challenges

The challenges surrounding BYOD are complex and the implications are serious for providers, patients and organizations.

For providers, it is convenient to use their personally-owned tablet and make contact with a patient or a colleague and discuss a medical situation. For patients, it is convenient to be able to have an encounter with a provider in a quick and simple manner without having to travel to the provider’s office.

However, the convenience that comes with the use of handheld devices must be weighed against the overriding concern of patient privacy, as defined by the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA sets guidelines for protecting patient information and sets requirements necessary to ensure patient privacy. To that end, HIPAA sets forth guidelines for protecting patient health information and requires that healthcare organizations be able to detect security breaches that can be used to illegally acquire patients’ protected health information (PHI). In addition, HIPAA rules require health care providers to have a means of tracing security breaches if they occur.

PHI breaches on video teleconferencing (VTC) equipment, which until recently had been the only means of providing Telehealth care, have been fairly easy to detect and trace. The newer hardware- or server-based communication systems are also capable of tracing breaches.

However, BYOD brings a level of uncertainty to that monitoring and protection. Challenges include:

• Provider-owned devices are not intrinsically secure. Consumer-grade tablets and smart phones need not be (and therefore are not) HIPAA capable when they are sold to the public. The chances of a breach in security, therefore, increase with each device introduced into an information technology (IT) system.

• Communications apps, while oftentimes encrypted, do not offer the ability to determine if an encounter has been violated (hacked), nor do they offer the capability of tracing the source of the breach. Microsoft recently acknowledged that its product, Skype, had been hacked and several million accounts may have been at risk. Microsoft states that no data were compromised in the attack, yet this event demonstrates the potential threats to PHI when readily-available apps are used to provide health care.

• In addition, some service providers record each conversation held on their systems and those recordings may be at risk as well.

• Additional HIPAA implications occur when one considers that the conversations conducted on handheld devices may not be held in secure locations and may be readily overheard by unauthorized individuals. While this is not an intrinsic failure of the devices, their ease of use may be seen as facilitating these potential breaches.

Selected BYOD Policies

Because the demand for tablet- and smart phone-based communication is increasing at a tremendous rate, IT departments and Telehealth networks are trying several approaches to securing devices and making sure provider compliance is enforced. Some measures reported by NRTRC member networks include:

• A complete ban on privately owned devices. Practitioners are only allowed to use devices that are supplied by the employer and secured in such a way that they are HIPAA compatible (see the security discussion that follows).

• Requiring providers to agree to the employer’s adding software to the device that allows for secure communication with patients and colleagues and that requires pass codes and other security measures to access PHI or conduct patient encounters.

• Issuing devices and requiring providers to sign a waiver stating that they will leave all the software loaded onto the device in place and agreeing that their employment will be terminated should the provider violate this requirement.

• Requiring that any access to PHI be conducted through a web portal or virtual private network (VPN) and that PHI not be stored on the device.

Security Considerations

For an organization to be compliant with HIPAA requirements, handheld devices must be secured in some way. There are a number of options, some more attractive than others.

• Using a server-based communication method that is HIPAA capable is one way of ensuring that conversations can be protected and interceptions be recognized and traced. Polycom, Cisco-Tandberg, Vidyo and many others offer encrypted and secure server-based communications options.

• Even with secure communications, however, devices themselves can be easily stolen, lost or misplaced. Data stored on the devices can be easily compromised unless certain measures are taken. One option is for the IT department to supply the devices and to ‘lock them down’, clearing the device of any but authorized communications applications, disabling the addition of unauthorized apps to the devices and adding password protection for access. Some password protection programs will ‘wipe’ the device, that is, erase everything in device memory, if a certain number of unsuccessful log-in attempts are made. While this is a fairly secure system, it is unattractive to providers who may want to use the devices for personal uses.

• A less draconian method of securing PHI and other sensitive information is to place apps that


the device by various methods. Access to the sequestered apps requires use of passcodes or other security features. Apps can be erased (or the whole container can be ‘wiped’) if too many unsuccessful attempts to activate them are encountered.

This approach may be more attractive to providers because it will allow fuller use of the device’s capability (access is provided to both personal and patient-related apps) while still protecting PHI or company confidential information. Containerization can be used on provider-owned as well as facility-owned devices.

Containerization may also be attractive to IT departments because they can control apps in many ways. They can offer company-developed apps for the container or control third-party apps. Devices that are lost or stolen can be wiped remotely, or located. Devices owned by individuals who leave the company can be wiped remotely, protecting sensitive data from compromise.

Even with all these security options available, vigilance is necessary in order to ensure that only authorized devices are used when dealing with sensitive information or processes. Perhaps the simplest solution is to have a provider-only wifi network with pre-registration, secure login and encryption included. However, that option does not protect data stored on devices that are taken outside the facility, as may be the case with on-call providers, who may need to use a variety of different wifi networks outside the hospital environment.

Closing Thoughts

The era of BYOD has started. Networks are struggling with a means of allowing device use without compromising PHI and without ‘dumbing down’ devices, which can alienate owners or users. At this time there are nearly as many unique solutions as there are Telehealth networks. As BYOD becomes more widespread (at least as the demand becomes more widespread), solutions will be found.

Until there are attractive, easily-implemented solutions, NRTRC recommends that networks that are considering allowing providers to bring personally-owned devices to work hold a series of meetings with their facility’s Compliance, IT, Administration departments and provider representatives to fully discuss the needs and concerns of all parties and then to formulate a solution to this new and challenging era of Telehealth care.
