There are several key advantages to allowing healthcare employees to bring their own device to work. It reduces hardware costs, eliminates the need for special device training, and improves overall worker satisfaction levels. But there are also disadvantages to bring-your-own-device (BYOD) policies, one of which involves security.
If a healthcare worker brings his or her device to work, and that device is later lost or stolen, all of the data stored on it could find its way into the hands of a stranger. This, of course, creates a direct conflict with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which states that all healthcare workers and covered entities must use meaningful and appropriate measures to prevent unauthorized access to Protected Health Information (PHI).
According to a recent study conducted by IDC Healthcare Insights, the average clinician uses roughly 6.4 mobile devices on a typical workday. This may include smartphones, tablets, monitoring devices, smartwatches, etc., most of which are capable of storing data. Whether the healthcare practice has an open BYOD policy or not, it's still responsible for safeguarding the data stored on these devices from unauthorized access. But if the practice does have a BYOD policy, it should take additional measures to ensure any and all PHI is secure.
Thankfully, there are several steps healthcare workers can take to ensure their BYOD policies are compliant with HIPAA, one of which is to avoid storing data locally on workers' devices. So, how is a worker supposed to access data if it's not stored on his or her device? Rather than being stored locally on the device's hard drive, PHI can be stored in the cloud, allowing workers to access it from any device. As long as the practice has a Business Associate Agreement (BAA) in place with the respective cloud service provider, this is completely within the bounds of HIPAA.
All devices used by healthcare workers should also have a remote wipe capability, allowing workers to erase their device's data and restore the device to its factory settings from a remote location. There's always the possibility that a worker may lose his or her device. With a remote wipe function, workers can prevent other individuals from accessing any data stored on the device.