A 2016 survey of healthcare executives found that just 58 percent of healthcare organizations allow employees to bring their own device, down from 73 percent in 2015 and 88 percent in 2014. The reason for the decline? Hospitals are concerned about data security, availability of IT staff to support the devices and the diverse needs of staff members.
The proliferation of laptops, tablets, phablets and especially smartphones has given rise to the BYOD — Bring Your Own Device — strategy. While BYOD was thought to have begun around the same time that patients started bringing their smartphones into the hospital, its relevance is driven by doctors who have their own preference for devices.
As health systems began assessing the mobile device landscape, they generally fell into two categories — those supporting BYOD and those rejecting privately-owned and managed devices. In the latter instance, health systems partnered with vendors to put an enterprise device in the hands of everyone on the campus who needs one. Such devices allow for specific functions, such as communications, data access and sharing and perhaps barcode scanning. But their reach is limited to the health system’s physical footprint, the device never leaves the facility and it can be locked and wiped clean of data at a moment’s notice.
This concept worked great with nurses and support staff but it didn’t sit well with doctors, many of whom had their own office hours, moved from building to building, collaborated with specialists in other locations and worked at home. In many cases, they’d adapted their own devices and were intent on using them at the hospital. In fact, a 2015 study published in the Journal of Hospital Librarianship estimated that 85 percent of healthcare professionals were bringing their own devices to work.
The problem is, even without a specific policy, it's likely that employees are using their own devices simply to keep up with their workloads. Sally Reeves, healthcare project director at Frisbie Memorial Hospital in Rochester, N.H., told SearchHealthIT in 2013: "Things happen too quickly now in hospitals, and information needs to be distributed at such a fast pace in order to coordinate the next thing that's needed. If you don't provide a communications system, they will find one, and they're going to use it, regardless."
This, of course, created issues with privacy and security. A doctor with his own smartphone might be discussing patient information with a colleague one moment — a clear HIPAA red flag — and checking his Facebook page or discussing dinner plans with his partner the next. In extreme cases, a doctor might even snap a quick photo of a curious rash or wound to share with a colleague or specialist, then have that photo saved in a queue alongside family photos.
Rather than ignore the problem, hospitals need to confront it – and its complications – head on. Effective BYOD policies start with a survey of employees to understand what types of personally owned devices are being used and for which work-related tasks. The survey should identify the variety of device types (smartphones, tablets, laptops) and the ways in which employees use them outside the hospital walls (in coffee shops, on public transportation or at home).
Acceptable use policies specify for what clinical purposes devices can be used and by whom; which devices can be used where; which apps are okay (and which are not); and how employees' devices must be configured before they can access the hospital's network.Information security requirements have to remain consistent, regardless of who owns the phone or device. When employees use work-provided devices, they understand that everything on the phone belongs to their employer and don't expect their private information to remain private.
Not so with personal devices. Employees want to be able to privately share texts and photos (without their employers' scrutiny) while at the same time, securely sharing PHI with colleagues. The solution may lie in mobile device management software that "containerizes" work information from personal information. Because laptops and phones are frequently misplaced, hospitals must provide additional password access security, such as requiring biometric security for personal devices. The same mobile device management software that containerizes information can also remotely wipe devices when an employee loses the device, quits or is terminated.
While text messaging is widely used by caregivers to share information, federal and regulatory bodies are increasingly uncomfortable with it. At the end of 2016, the Joint Commission and the Centers for Medicare and Medicaid Services told healthcare organizations that the use of secure text orders was not permitted or HIPAA-compliant.
BYOD policies don't do any good if they are stuck in a drawer – or the modern-day equivalent: five layers deep in an online employee benefits portal and written in 8-point font. How a hospital plans to use BYOD is part of a larger data, workflow, and communications strategy, and should be communicated to employees during onboarding, in monthly meetings, and continuously through simple, specific, "do this, don't do that" instructions.