Welcome to the final installment of this blog series—creating a healthcare BYOD policy. You need one of these for a number of reasons. First and foremost, it’s a HIPAA/PHI issue. All the security tools in the world are powerless in the face of human error, and mistakes happen. If and when you have a lost/stolen device, one of the first things HHS is probably going to ask for is a copy of your office’s BYOD policy. Trust me, “What policy?” is not an acceptable answer.
As mentioned in Part 3, HIPAA fine caps (between $25,000 and $1.5 million) are based on how much HHS deems your office to be at fault and/or willfully negligent. Having a clearly set BYOD policy beforehand, signed by all employees, goes a long way in demonstrating that your office has done its due diligence. It also demonstrates what steps your office has taken to minimize potential for breaches, which can go a long way with HHS.
Everyone in the office should be required to read and sign a copy of your BYOD policy as a condition of employment. Aside from an initial explanation of the document purpose, any BYOD policy should include these sections (each of which we will cover in further detail):
- Expectation of Privacy
- Acceptable Use
- Data/App Ownership
- Devices and Support
- Employee Device Exit Strategy
- User Agreement and Acknowledgement
Expectation of Privacy
This first section should lay out what, if any, expectation of privacy employees should have when it comes to their devices. It should also explain any situation in which employees will be required to surrender devices—implementation of security tools, discovery investigations, criminal proceedings, app/software installations, etc. Lastly, this section needs to make it clear that employees do not have the right to, nor should they have the expectation of, privacy at any time they are using a device (theirs or the company’s) in your BYOD environment.
Acceptable Use
This section should explain both what is and is not considered acceptable use of devices in your BYOD environment, including but not limited to the following items:
- Acceptable business use: explanation of how and for what purposes devices are allowed to be used.
- Acceptable personal use: explanation of any non-work-related activities employees are allowed to engage in with devices.
- Prohibited activities: explanation of specific activities employees are not permitted to engage in with devices while at the office and/or connected to the network.
- Permitted access of company resources: explanation of any company-owned resources employees are authorized to access when using their devices for work purposes.
- Zero-Tolerance Distracted Driving Policy: explanation that employees should never use devices for work purposes while driving. This has become an issue in recent years, and any BYOD policy should have it. Why? Because if an employee has a car accident while using his/her device for work reasons, your company could be held liable for damages if you do not have a zero-tolerance policy (in writing) that prohibits device usage while driving.
- Banned Apps: a list of apps that are not to be installed on any devices in your BYOD environment. This may include both apps that you do not want employees using for reasons of distraction as well as those that may present privacy/security concerns. After all, many apps are known to scan and steal data from devices on which they are installed.
Data/App Ownership
This section may seem a little tricky, but it must be included. First and foremost, make it clear that your company owns all information and data stored on the devices, servers, and network. There also needs to be a “consequence statement” that any unauthorized use, duplication, or access of company data is grounds for termination and potential civil or criminal proceedings.
This section also needs to explain that, since their devices may contain data belonging to the company, personal data may have to be deleted to keep company data secure. If, for example, you must remote wipe lost/stolen devices, employees could lose personal data and/or items they may have paid for—personal pictures, music, movies, games, etc. Obviously, it is nearly impossible for your company to replace such items. Also, if you intend to make full or partial memory wipes mandatory for exiting employee devices, you might also refer them to the “Employee Device Exit Strategy” section.
Devices and Support
This section outlines what and how devices are supported/authorized for use in your BYOD environment, including but not limited to the following items:
- Supported Devices: a list of all the device types that are supported/authorized for use, as well as the acceptable models for each device (iPad 2, iPhone 4, 4S, etc.).
- Connectivity Support: this lets employees know who to contact for support if they are having connectivity issues. It also explains that employees are responsible for downloading upgrades and that they must contact their device manufacturer for hardware-related issues.
- Device Provisioning and Configuration: this tells employees what must be done before their devices can access the company network and/or be used for company purposes, such as apps/software that must be installed and/or device configurations performed by IT.
This section outlines all policies and requirements related to device security in your BYOD environment, including but not limited to the following items:
- Password protection: states that all devices or network access methods must be PIN or password protected, per the company password policy.
- Password Policy: explains the company password policy, such as password creation rules (number, letter, symbol, total letter count, etc.), required frequency of password changes, and password recycling requirements (typically, an employee’s past six passwords should not be reused). Also, it would be wise to mention that password sharing is strictly prohibited.
- Device Locking Policy: specifies all rules related to device locking, and explains that employees must set devices to lock within certain parameters. For example, that all devices should be set to lock if left idle for five minutes. This is at your discretion, so feel free to make it less. However, more than five minutes is not
- Forbidden Device Actions: lists any prohibited uses or modifications of devices in your BYOD environment. For example, “jailbroken” (iOS) or “rooted” (Android) devices should not be permitted, as jailbreaking or rooting a device compromises its security features.
- Prohibited Devices: lists devices not authorized for use, such as unsupported or non-work devices that are strictly for personal use.
- Employee Access Limits: this explains that employee access to company data will be limited as appropriate, and will be based on an IT/Admin-defined user profile.
- Conditions for Remote Wipe: lists situations in which an employee’s device can and will be remotely wiped—lost/stolen device, termination of employment (see “Employee Device Exit Strategy” section), or security issues.
This section outlines miscellaneous BYOD-related risks that must be accepted by employees, plus legal disclaimers that release the company and IT personnel from legal liabilities. Items to cover in this section include, but are not limited to, the following:
- IT Liability Disclaimer: this basically states that employees cannot hold IT personnel liable for data losses related to data security and/or remote wipes (whether due to a lost/stolen device or employment termination).
- Company Rights to Control: states the company’s right to disconnect employee devices and/or disable work-related apps and service to the network without notice.
- Reporting Lost/Stolen Devices: this sets an exact timeframe within which a lost/stolen device must be reported to the company. Usually, 24 hours is considered an acceptable amount of time (unless the employee knows for certain it was stolen, in which case notification should be made ASAP).
- Ethical Use: this explains that employees are expected to use their devices in an “ethical manner,” meaning they agree not to use them for criminal activities or for any purpose that violates company policies.
- Employee Liability: states that employees assume all liability for costs associated with their devices. If the company intends to pay for any device costs, these need to be specified here.
- Risk Liability: lists any and all risks for which employees must accept full liability—data losses, OS crashes, errors, bugs, malware, viruses, etc.
- Company Rights to Disciplinary Action: states that the company has the right to take disciplinary actions for violations of the BYOD policy, up to and including termination of employment and civil/criminal proceedings.
Employee Device Exit Strategy
This section should detail what actions must be taken, both by the company and employees, upon termination of employment. How this is to be handled will depend on the structure of your company and BYOD environment. However, it should be made clear that employees may be required to temporarily submit their devices to company IT at the end of employment for “exit review.” It should also be made clear that not doing so will result in a full remote wipe of their devices. I know this sounds a bit harsh, but you can fix that with the right wording.
The most effective way to word this section is to simply state that “employees are expected to surrender their devices to company IT for an exit review upon termination of employment,” and that failure to do so in a timely manner (or in a specific timeframe) “will result in a full remote memory wipe of all non-OS data” from their devices. This makes it clear that exiting employees who comply will only lose data/apps related to the company, instead of all the data/apps on their devices. Wording the policy in this way makes it clear that no personal data will be lost and reduces the likelihood of exiting employees refusing to temporarily surrender their devices.
User Agreement and Acknowledgement
This section is usually written in first person, using “I” statements, as it will be signed by the employee. This should be a short acknowledgement that the employee has read and agreed to all rules and guidelines of the BYOD policy. At the bottom of this section should be lines for the employee to fill in: Signature, Printed Name, and the Date. You might also include a place for the supervisor’s signature, if desired.
Putting it All Together
You should now have a general understanding of the details involved in adopting a BYOD policy. Of course, having some examples never hurts. Therefore, here are some sample BYOD policies to give you an idea of how the above article translates into real-world documents:
Note that there is not much uniformity from one policy to another, and that not all of the sections covered in this blog article are always included. It’s important to understand that your company’s BYOD policy can be as detailed or as brief as you deem necessary to meet the needs of your office or practice. However, that’s a decision only you can make.