How to improve healthcare BYOD and HIPAA compliance


Ensuring HIPAA compliance in the age of healthcare BYOD

Healthcare organizations are experiencing a significant rise in Bring Your Own Device (BYOD). In fact, Becker Hospital Review research says that 85% of healthcare workers bring their own devices to work. Yet with this rise in BYOD comes a larger attack surface. Mobile phones and tablets are the weakest link in HIPAA compliance and are a frequent target of attacks.

Lost or stolen devices add to this vulnerability. In fact, 1.4 million Americans lost and never recovered their smartphones in 2013, and 3.1 million had their mobile devices stolen. Tens of thousands of healthcare workers lose their devices each year, and lost or stolen devices account for 68% of all health care data breaches. Because these devices typically hold a mixture of personal and work-related records, the impact of stolen data is magnified.

So how can hospitals – large and small – as well as clinics ensure effective and secure communications in the age of BYOD? Read on.

Is eliminating BYOD the answer?

With the rise of smartphones and tablets in the workplace, hackers are continuing to attack enterprises through vulnerabilities in mobile devices. As I wrote in an article earlier this month on Becker Hospital Review, some consider this a basis for eliminating BYOD from healthcare entirely. The thinking is that if healthcare employers didn’t allow BYOD, they could better control the data security and encryption that their employees use.

But eliminating BYOD is futile, and trying to prevent further BYOD adoption is the real mistake. BYOD is a cost-cutting measure embraced by many organizations. It also benefits healthcare because it acknowledges that people are going to bring their own devices and use them for both their work and their personal lives. Furthermore, healthcare providers can’t really afford to issue a smartphone to everyone who would benefit from one.

The actual culprit is poor mobile device hygiene. Often the devices in use lack encryption or suffer from poor password management. In addition, employees tend to leave their devices in vulnerable locations such as the back seat of a car, on a desk, or in a coffee shop, where they are easily stolen. At that point, the issue is no longer BYOD.

Why security is failing

IT and security professionals now acknowledge that mobile devices are a widespread attack vector. In fact, 67 percent say their organization has likely suffered a data breach through mobile. Additionally, cyber attackers were responsible for 31.42 percent of all major HIPAA data breaches reported in 2016, a 300 percent increase over the previous three years. Phishing, spoofed Wi-Fi access points and malicious applications are some of the ways data is compromised. The fundamental cause is that many mobile devices lack proper hygiene, and organizations often lack an institutional plan for handling lost devices. While most iPhones are encrypted, only 10 percent of Android phones are. IT departments typically have neither a plan nor a method for securing physicians’ and staff’s mobile devices. To stop security from failing further, healthcare organizations need a method for ensuring both the security of mobile devices and the security of the content they hold.

Five ways to help ensure BYOD HIPAA compliance

Hospitals can prevent significant financial loss and legal and reputational risk by ensuring that mobile communications follow HIPAA guidelines. HIPAA has many specific requirements regarding security policies and procedures, training and behavior. But as it relates to messaging PHI to a mobile device, the requirements are quite clear: hospitals need to provide reasonable safeguards for patient information, and encryption is the safeguard that counts. Under the HIPAA Security Rule, encryption is an “addressable” specification rather than a flat mandate, but in practice it is hard to justify not using it, and PHI that was properly encrypted on a lost device is not treated as unsecured PHI under HHS breach notification guidance. Encryption is not impenetrable, but it provides a much higher level of data security.

Here are the other steps you want to make sure you follow to ensure HIPAA compliance:

  1. Implement a passcode on all mobile devices. Require at least a 6-digit passcode rather than a 4-digit PIN (a 4-digit PIN has only 10,000 combinations), and where the platform supports it, turn on the lockout or wipe-after-repeated-failed-attempts setting. A lost or stolen device that has been locked with a passcode is much less likely to be breached.
  2. Enable remote wipe. Make sure that all messages containing patient information can be wiped from the device remotely. This only works if the device was enrolled with your MDM or the messaging application before it went missing, so enrollment has to be part of onboarding.
  3. File sharing. Make sure any files or images you share go through a private, HIPAA compliant cloud service, not a personal cloud account or a consumer messaging app.
  4. Encrypted messaging. Make sure all messaging to and from the device is encrypted in transit, and that messages are stored encrypted on the device itself.
  5. Data centers. Make sure your data centers’ servers are HIPAA compliant and provide end-to-end encryption, meaning data is encrypted at rest as well as in transit, and that any hosting provider handling PHI has signed a Business Associate Agreement (BAA) with you.
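As an added illustration (this is not OnPage’s code or any product’s API): a small Python posture check that evaluates each device in an inventory export against controls 1, 2 and 4 above and, for a device reported lost, picks the response. It goes one step beyond the list by encoding the lost-device plan the article says most organizations lack. The field names, the 6-digit minimum and the sample records are assumptions constructed for this example.

```python
"""BYOD device posture check for the five controls above (constructed example).

Each record stands in for one row of an MDM or inventory export. The field
names and thresholds are assumptions for this example, not any product's API.
"""
from dataclasses import dataclass

# Assumed policy value; set it from your own HIPAA risk analysis.
MIN_PASSCODE_LEN = 6


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str            # "ios" or "android"
    passcode_len: int        # 0 = no passcode set
    storage_encrypted: bool  # device/file-based encryption turned on
    mdm_enrolled: bool       # enrolled, so a remote wipe can actually reach it
    secure_messaging: bool   # approved encrypted messaging app installed
    reported_lost: bool = False


def findings_for(dev: Device) -> list:
    """Check one device against controls 1, 2 and 4 of the list above.

    Controls 3 and 5 (file-sharing service, data center) are organisational
    choices rather than per-device properties, so they are not checked here.
    """
    out = []
    if dev.passcode_len == 0:
        out.append("no passcode")
    elif dev.passcode_len < MIN_PASSCODE_LEN:
        out.append(f"passcode shorter than {MIN_PASSCODE_LEN} digits")
    if not dev.storage_encrypted:
        out.append("storage not encrypted")
    if not dev.mdm_enrolled:
        out.append("not enrolled for remote wipe")
    if not dev.secure_messaging:
        out.append("no approved encrypted messaging app")
    return out


def decide(dev: Device) -> dict:
    """Return the action for one device and whether a breach assessment is due.

    A device reported lost is wiped if we can reach it; otherwise the owner's
    credentials are revoked so the device can no longer fetch new PHI. Under
    the HHS breach notification rule, PHI encrypted at rest (with the key not
    lost alongside it) is not "unsecured PHI", so a lost encrypted device does
    not trigger the presumption of a breach; an unencrypted one does and must
    go through a risk assessment.
    """
    findings = findings_for(dev)
    if dev.reported_lost:
        action = "remote_wipe" if dev.mdm_enrolled else "revoke_credentials"
        return {"action": action,
                "findings": findings,
                "breach_assessment": not dev.storage_encrypted}
    return {"action": "allow" if not findings else "block_phi_access",
            "findings": findings,
            "breach_assessment": False}


def run_inventory(devices) -> dict:
    """Evaluate every device; the result is keyed by device_id."""
    return {d.device_id: decide(d) for d in devices}


# Constructed sample inventory (not real people or devices).
SAMPLE_DEVICES = [
    Device("ios-001", "dr.chen", "ios", 6, True, True, True),
    Device("and-002", "nurse.patel", "android", 4, False, False, True),
    Device("and-003", "dr.okafor", "android", 6, True, True, True, reported_lost=True),
    Device("ios-004", "tech.ruiz", "ios", 6, False, False, False, reported_lost=True),
]

if __name__ == "__main__":
    for dev_id, result in run_inventory(SAMPLE_DEVICES).items():
        print(dev_id, result["action"],
              "; ".join(result["findings"]) or "-",
              "breach assessment due" if result["breach_assessment"] else "")
```

In the sample run the 4-digit, unencrypted, unenrolled Android device is blocked from PHI, the lost enrolled device gets a remote wipe with no breach assessment, and the lost unenrolled, unencrypted device can only have its credentials revoked and is flagged for assessment, which is exactly the case the remote-wipe control is meant to prevent.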

Developing and maintaining this level of compliance is not simple. That’s why there’s OnPage. Our expertise is in ensuring secure, HIPAA compliant communication for healthcare institutions and their employees. OnPage encrypts messages in transit with SSL/TLS and ensures they can only be viewed by message participants. Furthermore, OnPage content has remote wipe capabilities that meet HIPAA compliance standards.


Healthcare organizations can achieve secure and reliable communication, and they don’t have to struggle through maintaining HIPAA compliance of their communications on their own.

Learn more about HIPAA compliant messaging so you can ensure your staff’s mobile communications are secure.