12 Steps to Manage BYOD Risks to Lab Data
How lab leaders can manage the data security risks of staff using personal devices for work-related purposes.
The practice of allowing employees to use their own personal mobile devices to carry out work-related activities remotely, commonly referred to as Bring Your Own Device (BYOD), can expand telework flexibilities and reduce digital equipment costs. However, it may also expose patient and other sensitive lab data to heightened vulnerability. Here are 12 things lab professionals can do to manage BYOD privacy and data security risks, based on general best practices and standards like National Institute of Standards and Technology (NIST) Special Publication 1800-22.1,2
1. Assess the privacy risks
While you’ll have to tailor your BYOD strategy to the mobile devices involved and the unique aspects of your laboratory information system, the starting point is to perform a privacy impact assessment (PIA) and threat and risk assessment (TRA) to identify and determine what to do about the risks associated with the collection, use, disclosure, storage, and retention of personal information. Consider both the technology and procedures involved.
2. Create a BYOD policy
Create and implement a written BYOD policy. (Click here for a template policy that you can adapt.)3 While BYOD policies aren’t one-size-fits-all, here are some key elements, based on the NIST and other resources mentioned above, that lab leaders may wish to address in their policies:
- user responsibilities,
- how personal information in the lab’s control may be subject to corporate monitoring on a BYOD device,
- approved devices that lab employees may use to connect to lab systems,
- acceptable and unacceptable uses of BYOD devices,
- sharing of BYOD devices with family and friends, and
- access requests.
3. Conduct pilot testing
Test your BYOD program before you roll it out. The point of testing is to challenge the validity of lab professionals’ underlying assumptions about cybersecurity threats and how to contain them. Doing so will allow the lab to identify potential threats and weaknesses in the program that can then be corrected before they lead to actual privacy and security breaches.
4. Provide training
Labs need to ensure employees are properly trained on the risks associated with device administration, storage and retention, encryption, app management and configuration, authentication and authorization, malware, software vulnerability, and other technical issues. Training should also explain how the BYOD program addresses each of these issues.
5. Consider containerization of BYOD devices
Employees generally use their personal devices for both work and non-work purposes. Thus, one common approach to managing BYOD risks is to compartmentalize each device into two separate containers—one container for personal information and the other for lab and business information. Executed effectively, containerization may also eliminate the need for labs to remotely wipe data from employees’ personal devices.
6. Implement storage and retention policies
There should be written policies and procedures governing the storage and retention of personal information in the lab’s custody or control. Labs should also ensure that employees access, store, and retain only the essential lab data they need to perform work functions with their personal device.
7. Implement encryption policies
Hackers and other malicious actors can readily access and eavesdrop on communications carried out over unencrypted wireless networks such as public Wi-Fi access points. That makes it essential for your lab BYOD program to provide for encryption, including encryption of devices, containers, and communication channels between devices or mobile apps and the organizational network and electronic health record (EHR).
8. Protect against software vulnerabilities
Assign somebody within the organization to carry out patch management and updating of BYOD devices to help ensure protection against software vulnerabilities.
9. Manage apps and app configuration
Create a list of approved apps that employees are allowed to install on their BYOD devices, as well as a procedure to manage how apps are installed, updated, and removed.
10. Establish authentication and authorization procedures
Authentication involves verifying an individual’s identity before granting access; authorization limits the authenticated user’s access to certain information once they get access. There must be authentication procedures for devices, containers, and users.
11. Provide for malware protection
Take measures to ensure that BYOD devices don’t transmit malware, such as worms and Trojan horses, to lab information systems (and vice-versa).
12. Implement an incident response procedure
Labs should also have a documented incident management process that provides for detecting, containment, reporting, investigation, and correction of privacy and security breaches resulting from BYOD uses.
BYOD is a great way to leverage the omnipresence of personal mobile devices to achieve operating efficiencies and cost savings. However, allowing employees to connect their smartphones, tablets, personal computers, and other devices to your lab information systems and networks puts you at heightened risk of data leaks, cyberattacks, and other privacy and security threats. It’s therefore essential to not only implement appropriate BYOD protocols, policies, and programs, but also constantly monitor them for compliance and effectiveness.
Subscribe to view Essential
Start a Free Trial for immediate access to this article