2020 Jun 18;8(6):e18175. doi: 10.2196/18175

Table 2.

Key elements of a hospital’s bring-your-own-device policy.

| Item | Description |
|---|---|
| Key definitions | Scope, purpose, and governance structure of the BYOD^a program, along with the definition of important terms used in the policy. |
| Service provision | Specifies the process of enrollment, registration, and deregistration. |
| Access control | Defines who will have access to what information and when. This is particularly important for personal health information, where the principle of least privilege must be applied: only the required information is supplied, and only when it is needed, especially where patient data are concerned. |
| Data storage | Specifies what hospital data are allowed to be stored on BYOD devices and how. If backup is involved, the policy should also require separate backup of personal and hospital data. |
| Incident reporting | Defines the procedure for reporting breaches, including theft or loss of a device. Employees must report such cases to the IT^b department, especially if patient data are involved, and the IT department must report major breaches to government agencies. |
| Legislation and noncompliance | Defines applicable privacy or health care laws as well as actions or penalties in case of noncompliance with the policy or in case of breaches caused by employees' personal devices. |
| Education strategy | Strategies to train employees periodically to ensure secure user behavior. BYOD users should be kept up to date on the latest cybersecurity threats. Policies should be disseminated through all available channels, and changes in policies should also be communicated. |
| Acceptable use | States the purposes for which BYOD devices may be used, whether clinical or nonclinical, and by whom. It defines reasonable use and prohibited activities. |

^a BYOD: bring-your-own-device.

^b IT: information technology.