Telehealth & BYOD: Is It a Bad Idea?

May 21st, 2019

Telehealth leverages telecommunication technology to provide healthcare and related services. It can include treatment, education, prevention, reminders, communication and other measures that rely on devices and technology.

Over the past few years, it has become more common for companies to allow their employees to bring their smartphones into the workplace. This practice, known as bring your own device (BYOD), has been embraced by many businesses because it can help to reduce costs, boost productivity, and increase employee satisfaction.

Despite these benefits, BYOD policies come with a number of security complications. Since healthcare organizations deal with vast quantities of highly regulated and sensitive information, the security and privacy of data is even more critical than in other sectors.

Given the risks of breaching electronic protected health information (ePHI), or going through a costly and disruptive HIPAA violation, are BYOD policies appropriate for telehealth practices?

Devices in Healthcare

Devices such as smartphones and tablets are now seen as an essential part of the medical world. They can help to improve communication and give patients new options for treatment. They are also a core aspect of telehealth practices.

Given the necessity of these devices in the healthcare industry, organizations have two ways to facilitate their use. They can either provide devices to their employees, which lets the employer maintain strict control over how the devices are used, or they can let employees bring their own devices and use them as part of their work processes.

Employer Provided Devices

Providing devices for employees is the ideal option from a security perspective, particularly in a healthcare setting where so much sensitive data is at stake. Since employers own the devices, they can regulate where and how they are used without major obstacles.

The most important aspect is to make sure that the rules are enforced to minimize any breach-related risks.

Another major challenge is keeping employees' personal devices out of the workplace. Since smartphones have become a mainstay of modern life, it can be difficult to prevent employees from bringing them into work and using them. Managing this risk requires strongly enforced policy and a high level of employee awareness.

BYOD Devices

If personal devices are going to be allowed in the workplace or as part of a healthcare worker’s job, a strict BYOD policy needs to be in place. The threat of exposing ePHI is simply too great for healthcare organizations to neglect having one.

These policies should define when, where, how and through which applications employees may use their devices, as well as what is strictly prohibited.

If employees are allowed to use personal devices in the course of their jobs, then the BYOD policy needs to be even more stringent. Businesses have two main ways to permit this while still safeguarding ePHI to a reasonable degree.

The first is to only allow access to ePHI through VPNs or web portals, never storing any sensitive patient data on the personal devices of employees. This can secure data without being too intrusive.

Alternatively, employers can require their workers to add security software and make sure that devices are configured properly to safeguard any ePHI. This includes things like encrypted folders and remote wipe capabilities.

Since this option involves mandating how employees use their own devices and can even affect their personal files, it’s not ideal. It can lead to privacy concerns and cause employee dissatisfaction.

Should Your Organization Allow BYOD?

Ideally, healthcare organizations should keep personal devices out of the workplace to minimize the risks of leaking ePHI and facing HIPAA violations. This may not be practical for all businesses, so those that choose to allow personal devices need to be aware of the risks and adopt a strict policy that minimizes them.