The usage of innovative devices at the workplace has brought with it different security concerns that organizations have to address.
The term ‘Bring Your Own Device’ (BYOD) was introduced in 2009 by a top IT company. It refers to the policy of allowing employees to bring privately owned devices such as smartphones, tablets and laptops into their workplace and use them to access company applications and information.
Increasing numbers of organizations are now using BYOD in a bid to establish themselves as employers who are flexible, tech-savvy and who care about the convenience of their employees. Many believe that permitting employees to bring their own devices will boost their morale and enhance their levels of productivity and efficiency.
A policy such as BYOD always has potential risks attached to it. One of the major issues organizations face with a BYOD policy is the exposure of their networks to data breaches and malicious attacks from third parties when insecure devices connect to the company network.
There is a considerable amount of risk to any company when an employee leaves. For example, if a customer service employee who uses his personal phone leaves the company and joins a competitor, it poses a serious threat to the business, because the customers calling that employee might decide to engage the services of the competitor instead. The employee might also be leaving with confidential company information and applications. Since the device is owned by the employee, the company does not have any vested right or authority over the information contained on it. Other issues include damage liability when an employee’s device is damaged at the workplace – will the company then be liable to pay for its replacement or repair?
To overcome such issues, organizations will have to introduce and implement a lot of policies – fast!
Regulatory bodies such as CMS and DHHS are busy drafting stringent requirements for the use of Electronic Medical Records (EMRs) and interoperable medical devices, with the primary concern of protecting valuable company information and patient health information.
Since healthcare providers are permitted to use their own devices within their clinics and hospitals, the IT department at such facilities should introduce and implement stringent operational network controls. Through these controls, IT should be able to monitor and control devices owned by employees in the same way it handles company-owned devices.
It should be guaranteed that any device connecting to the organization’s network cannot damage company or patient information and is not allowed to download patient health information or confidential company data. Furthermore, healthcare providers should educate their staff on the importance of data confidentiality and on the consequences or punishments in case of loss or theft of data.
Overall, organizations using BYOD policies should make sure that company data is securely encrypted on both wired and wireless devices. Strict authentication and password policies should be adopted at every connection point, and effective policies regarding the mobility of data across the healthcare facility should be implemented. Healthcare organizations should also have firm, tried-and-tested breach response or contingency plans, so that in case of an unexpected data breach or a malicious network attack aiming to steal confidential patient information from the Electronic Medical Records, the organization has a back-up option to fall back on.
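The controls described above (treating personally owned devices like company-owned ones, requiring encryption and a lock screen, never letting PHI be downloaded to a personal device, and cutting off access when an employee leaves) can be expressed as a posture-based access decision. The following is an added example, not code from the original article or from any real MDM or NAC product; the device record fields, the `POLICY` table, the resource names and the sample inventory are all constructed assumptions standing in for what an organization's own MDM and HR feeds would supply.

```python
"""Posture-based access decisions for personally owned devices (added example).

Assumption: an MDM/NAC system supplies a posture record per device and an HR
feed says whether the owner is still employed. Field and resource names are
hypothetical; the sample inventory below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    owner: str
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool   # storage encryption enabled on the device
    screen_lock: bool      # PIN or biometric lock enforced
    os_patched: bool       # OS at or above the organization's baseline
    employee_active: bool  # owner still an active employee (HR feed)


# Each resource lists the posture checks it requires. A value of None means the
# resource is never granted to a personally owned device; downloading EMR data
# falls in that class. Resources missing from the table are denied by default.
POLICY: dict[str, set[str] | None] = {
    "corporate_email": {"managed", "screen_lock"},
    "emr_view":        {"managed", "disk_encrypted", "screen_lock", "os_patched"},
    "emr_download":    None,
}


def evaluate(device: DevicePosture, resource: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); reasons name every failed check.

    Offboarding is checked first so a departed employee's device is cut off
    from everything regardless of how well it is configured.
    """
    if not device.employee_active:
        return False, ["owner is no longer an active employee"]
    required = POLICY.get(resource)
    if required is None:
        return False, [f"{resource} is never permitted from a personally owned device"]
    reasons = [f"{check} failed" for check in sorted(required)
               if not getattr(device, check)]
    return (not reasons), reasons


def decide_all(devices: list[DevicePosture], resource: str) -> dict[str, bool]:
    """Map each device id to its access decision for one resource."""
    return {d.device_id: evaluate(d, resource)[0] for d in devices}


def audit_line(device: DevicePosture, resource: str) -> str:
    """One log line per decision, so denials can be reviewed and tuned."""
    allowed, reasons = evaluate(device, resource)
    verdict = "ALLOW" if allowed else "DENY"
    detail = "; ".join(reasons) if reasons else "all checks passed"
    return f"{verdict} device={device.device_id} owner={device.owner} resource={resource} ({detail})"


# Constructed sample inventory (not real devices).
DEVICES = [
    DevicePosture("phone-01", "nurse.a", managed=True, disk_encrypted=True,
                  screen_lock=True, os_patched=True, employee_active=True),
    DevicePosture("tablet-02", "dr.b", managed=True, disk_encrypted=False,
                  screen_lock=True, os_patched=True, employee_active=True),
    DevicePosture("phone-03", "rep.c", managed=True, disk_encrypted=True,
                  screen_lock=True, os_patched=True, employee_active=False),
]

if __name__ == "__main__":
    for resource in POLICY:
        for device in DEVICES:
            print(audit_line(device, resource))
```

Running the block prints one audit line per device and resource: the fully compliant phone may view EMR data, the unencrypted tablet is denied EMR access but still gets email, the departed employee's phone is denied everything, and no device at all is granted the download resource. The deny-by-default handling of unknown resources is deliberate, so that a new application is not reachable from personal devices until someone adds it to the policy table.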