Part 2 of a three-part series on technology security tips for nurses.
In Part 1 of this series, “Security tips for using personal technology,” we identified general best practices for using mobile devices—wherever you are—to protect information about you, your family, and your friends. In this installment, Part 2, we focus on improving security of that personal technology—smartphones, tablets, laptops, etc.—while at your employer’s site.
There are issues to consider from both your perspective and that of your employer. In addition to policy and procedural considerations to keep in mind when using personal technology at your employer’s site, there are also legal ones to consider. Remember, as a nurse, if there is ever a question about breach of practice, you are your own first line of defense.
Few employers keep up with technology changes as fast as their workforce does. Recognition of this reality led to emergence of bring-your-own-device (BYOD) policies that allow employees to use personal devices in their work settings, instead of relying completely on company-issued equipment. Millennials in management and digital denizens who rely on personal technology for both work and play have also driven this movement. Keep in mind that millennials occupying management positions may have been raised with different concerns when it comes to privacy and security than those of us in the clinical world.
I’ve looked at BYOD from both sides now . . .
From the employee’s perspective, probably the biggest concern is BYOD practices leading to loss of privacy and possibly all of one’s personal data. As an employee, you might be alarmed to learn that your company may have inappropriate access to all data stored on your personal technology device (or to where it is stored). If your employer—by virtue of policy or technology—has the ability to “wipe” your device in the event of a cyber incident or simply because your employment is terminated, you could lose photos, videos, contacts, and other sensitive information stored on your personal device.
Employers—particularly if they are providers or payers and, consequently, a “covered entity” under HIPAA rules (referring to the United States)—are primarily concerned with security. For example, personal devices may lack lock codes or time-out features. As we mentioned in Part 1, many people don’t even use passwords on their devices. Employers are also concerned about other entities connecting to your device via unsecured hotspots, or that you may share your device, or simply lose it. All of these possibilities raise the risk of unauthorized disclosure of business data or ePHI (electronic Protected Health Information). The latter could come from a clinical app loaded on your device or from patient information someone emailed to you.
These issues may seem simple enough to address, but wait—there’s more! Using personal devices at work makes it easier to defame the company, colleagues, vendors—even competitors—or to harass co-workers and subordinates. This can happen via social media, texting, or plain old phone calls. When using their personal technology devices, employees may feel free—or be more likely—to engage in behavior that is obviously inappropriate on company equipment.
When nonexempt employees use personal devices for work, employers open themselves to exposure under the Fair Labor Standards Act as well as overtime and wage payment laws. Since nonexempt workers will always have personal technology with them, and they can’t turn off only those emails or calls that are business-related, it could mean they are laboring outside of scheduled work hours.
And then there are expense reimbursement issues. Who pays for the connectivity? The answer will vary from state to state (referring again to the United States) and role to role. Employers have to ensure that work records or other company information stored on a personal device meet their retention requirements and can be retrieved from you, the employee, in the event of litigation. And what if you lose your device—or worse—it is stolen? That’s bad enough for you, but if you’ve been using a personal device for work purposes, your employer also faces security risks.
Phishy and malodorous
Company data on an employee’s—or contractor’s—device can be compromised when it goes missing. Information can also be lost when the owner of the device fails to exercise due diligence when connecting to Wi-Fi networks, allowing Bluetooth discoverability, or choosing and using passwords. (See sidebar in Part 1.) Malicious software, also known as malware, can also threaten device and data security if it is downloaded. Or you could click a bad link or become the victim of a phishing scam.
Applications—“apps”—that you or I find useful may represent significant data risks not only for you, but also for your employer, if they allow third parties to access data on your device. Many apps connect to data stored in the cloud, so it may be important for your employer to know which apps or services you are using, whether for your work or for you personally.
Maintaining information security when personal technology is introduced into the workplace is not as easy as it sounds. That is why a comprehensive BYOD policy with appropriate procedures to implement that policy must be in place and enforced. Many employers require employees who use personal devices for workplace purposes to allow adding Mobile Device Management (MDM) software to the device.
MDM software gives companies certain controls over employee-owned devices that are also used for work purposes. For example, MDM software allows an employee using a personal technology device to access his or her employer’s network or cloud with added security. Employers may use this software to remotely wipe a device if it is lost or stolen, or to prevent an employee’s personal app from accessing company information. It may prohibit a user from installing certain apps or require use of an auxiliary device to update apps. Finally, employers may find such software useful to establish and enforce other security protections.
Our personal and work lives often blend more than we’d like. We carry personal devices for our convenience, but they also enable us to “multitask” between our personal world and our work world. This may be manageable when all you have to worry about is yourself, but you may not be happy when your employer imposes certain controls over how you use a device that contains your personal data.
Here are some things for you, the employee, to think about with regard to a bring-your-own-device program:
- Given the reality of your employer controlling your personal technology device and imposing requirements for its use, consider carefully if you want to use that device for work. Is potential sacrifice of privacy and inability to use your own technology device as you choose worth it? The best way to keep private information private is not to use your own device, but you may give up some convenience.
- It’s not as convenient, but it’s more secure—two separate devices, one for work and one for personal use. Say what you will, but using multiple devices for dedicated purposes does draw a clean line. There are some downsides, however. Besides being inconvenient, it can be costly and sometimes confusing.
- If you do participate in an employer’s formal BYOD program, be sure you have read and understood the policy. Most importantly, know what the employer may do with and to your data and under what circumstances.
- Whether you participate in a BYOD program or not (but especially if you do), know and understand a) what information is stored on your device; b) which apps use what information; and c) your device’s privacy settings.
- Back up personal information, including photos, music, videos, contacts, and calendars. Remember, if your company can remotely wipe data from a device, it takes everything. If you are concerned about your employer accessing certain personal information, move the primary residence of that data to a more private location. As new data begins to accumulate on your company-accessible device, periodically transfer it to its designated location, and then delete it from its temporary location.
- Think about things that could happen. What if your employer is sued or there is an internal investigation? You may be required to turn over your device if it contains data related to the suit or investigation. If the employer backs up the device, what do they back up, and can you get to the data if you need it?
There is no expectation of privacy when you use your employer’s equipment. Similarly, there is reduced expectation of privacy when you participate in a BYOD program. Conversely, if your employer asks you to set up a BYOD program for your company, here are some things to think about from that perspective:
- Develop the policy before you allow employees to use their personal technology devices for work purposes.
- Development of policies related to information management should always be a team sport. Develop your BYOD policy in partnership with information technology, risk management, operations, and legal departments.
- Be fair, but recognize the risks. To make sure a policy is reasonable and works for both sides, start by considering how employees want to use their devices at work.
- One size may not fit all. Policies and procedures related to practices, controls, and access will vary, depending on an employee’s role and job duties. Good policies and procedures will be based on what is needed and will take risk into consideration.
- Make sure employees are aware of BYOD rules and how they work. They should know where to go for answers to their questions and be aware of the company’s need to balance corporate security with personal privacy. Make sure someone is available to help employees understand risks and benefits.
- As with all policies, review your organization’s BYOD policy on a regular schedule and update as needed to reflect changes in technology, corporate approach, and strategy.
In Part 1, we provided security tips for personal technology. In this installment, we talked about improving security of personal technology while working at your employer’s site. In Part 3, the final installment of the series, we’ll provide security tips for using your employer’s technology. In the meantime, as they used to say on “Hill Street Blues,” that 1980s’ police show, “Let’s be careful out there.”
One more thing: Don’t forget to remove your personal technology device from your pocket before transporting that patient into the MRI room. You wouldn’t want to accuse your employer of wiping your data when its loss was actually caused by exposure to a large magnetic field.
David S. Finn, CISA, CISM, CRISC, is health information technology officer for Symantec, a global leader in cybersecurity, and board member of CHIME, The College of Healthcare Information Management Executives. He previously served as chief information officer, vice president of information services, and privacy and security officer for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. Co-author of the recently published The Journey Never Ends: Technology’s Role in Perfecting Health Care Outcomes, Finn has more than 30 years’ experience in planning, managing, and controlling information technology and business processes.
Kenneth W. Dion, PhD, MSN/MBA, RN, founder of Decision Critical Inc., is treasurer of the board of directors of the Honor Society of Nursing, Sigma Theta Tau International. He is past president of the board of trustees of the Foundation of the National Student Nurses' Association and past chair of the board of directors of Sigma Theta Tau International Foundation for Nursing.