Every day, an oncology nurse at a busy academic medical center responds to dozens of emails and phone calls concerning medication refills, patient diagnoses and pathologies.
If her phone line is busy, physicians send standard short message service (SMS) texts to her personal cell phone.
Her phone lacks geo-fencing or other security technology, and she receives text messages with patients' protected health information (PHI) through the hospital's visitor Wi-Fi because the hospital does not yet let nurses have access to the secured network. After work, the texts and emails continue, and the veteran cancer nurse uses the free Wi-Fi at Starbucks and her home network to respond.
She hasn't been given clear instructions on the use of email or text messaging over her cell phone, so she continues with it. All she knows is this: If she waits until morning to respond to texts and emails, she won't be able to keep up with her next day's workload, and patient care will be compromised.
A 2016 survey of healthcare executives found that just 58 percent of healthcare organizations allow employees to bring their own device, down from 73 percent in 2015 and 88 percent in 2014. The reason for the decline? Hospitals are concerned about data security, availability of IT staff to support the devices, and the diverse needs of staff members.
The problem is, even without a specific policy, it's likely that employees are using their own devices simply to keep up with their workloads. Sally Reeves, healthcare project director at Frisbie Memorial Hospital in Rochester, N.H., told SearchHealthIT in 2013: "Things happen too quickly now in hospitals, and information needs to be distributed at such a fast pace in order to coordinate the next thing that's needed. If you don't provide a communications system, they will find one, and they're going to use it, regardless."
Rather than ignore the problem, hospitals need to confront it – and its complications – head on. Here are six imperatives for crafting an effective bring-your-own-device (BYOD) policy:
1. Start with a realistic baseline assessment. Effective BYOD policies start with a survey of employees to understand what types of personally owned devices are being used and for which work-related tasks. The survey should identify the variety of device types (smartphones, tablets, laptops) and the ways in which employees use them outside the hospital walls (in coffee shops, on public transportation or at home). You should distribute the survey to every member of the care team, from nurses to technicians, physicians to therapists.
The survey should also ask if devices are shared by multiple users (e.g., family members) and what types of security precautions users take to prevent device theft or loss.
2. Develop data governance and acceptable use policies. Just as the oncology nurse should not be able to launch her laptop at Starbucks and access PHI, not every clinical worker should be able to access all information on every device and in every place.
Acceptable use policies specify for what clinical purposes devices can be used and by whom; which devices can be used where; which apps are okay (and which are not); and how employees' devices must be configured before they can access the hospital's network.
3. Implement security provisions that level the playing field between personally owned devices and corporate-owned devices, while balancing security with employee privacy. Information security requirements have to remain consistent, regardless of who owns the phone or device. When employees use work-provided devices, they understand that everything on the phone belongs to their employer and don't expect their private information to remain private.
Not so with personal devices. Employees want to be able to privately share texts and photos (without their employers' scrutiny) while, at the same time, securely sharing PHI with colleagues. The solution may lie in mobile device management software that "containerizes" work information, keeping it separate from personal information. Users have to log into the separate work interface on their personal cell phones, which allows information technology departments to remotely manage sensitive data exposure while ignoring personal apps. It also keeps work data more secure from malware that may be downloaded in texts and on social networks.
4. Anticipate devices being lost or stolen. Because laptops and phones are frequently misplaced, hospitals must provide additional access security beyond passwords, such as requiring biometric security for personal devices. The same mobile device management software that containerizes information can also remotely wipe devices when an employee loses the device, quits or is terminated.
5. Stay up to date on the latest guidance on (even) secure text messaging. While text messaging is widely used by caregivers to share information, federal and regulatory bodies are increasingly uncomfortable with it. At the end of 2016, the Joint Commission and the Centers for Medicare and Medicaid Services told healthcare organizations that the use of secure text orders was not permitted or HIPAA-compliant. Instead, providers should submit orders into the electronic health record directly, through computerized provider order entry. In addition, all healthcare organizations should have policies prohibiting the use of unsecured text messaging – that is, short message service (SMS) text messaging from a personal mobile device – for communicating PHI.
6. Educate and engage your employees. BYOD policies don't do any good if they are stuck in a drawer – or the modern-day equivalent: five layers deep in an online employee benefits portal and written in 8-point font. How a hospital plans to use BYOD is part of a larger data, workflow and communications strategy, and should be communicated to employees during onboarding, in monthly meetings, and continuously through simple, specific, "do this, don't do that" instructions.
A final note: the evolution and use of personal devices is moving faster than many hospital boards and leaders may understand. The key to getting your arms around it is to accept it, measure it and manage it – not ignore it. These guidelines can help you get started.
David Devine has more than 20 years of experience developing and supporting technology strategies for healthcare organizations. He is the founder of the healthcare information and technology firm Healthcare Services Management, Inc. (HSM Consulting), which was acquired by Huron in August of 2016.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.