. 2020 Jun 18;8(6):e18175. doi: 10.2196/18175

Table 3. Summary of hospital bring-your-own-device security challenges and solutions.

Columns: people, policy, and technology dimension and challenge | Solutions

Technology

Challenge: Weak authentication mechanisms
Solutions:
  • Identity and access management/MDM[a] to manage user authentication centrally
  • Strong passwords
  • Two-factor authentication with single sign-on
  • Automatic log-off after periods of inactivity

Challenge: Malicious medical apps downloaded on BYOD[b] devices
Solutions:
  • Internal/regulated app stores
  • Whitelist/blacklist apps using MDM

Challenge: BYOD devices connected to insecure networks/hotspots
Solutions:
  • Over-the-air network scanning
  • Remote access through a virtual private network
  • Data protection at rest and in transit (use of AES[c]/TLS[d])

Challenge: Vulnerable devices connected to the hospital network
Solutions:
  • MDM to prevent vulnerable devices from connecting to hospital networks
  • Network scanning

Challenge: Mixing of personal and hospital data
Solutions:
  • Containerization for logical separation of hospital and personal data
  • Use sandboxed apps for PHI[e] access
  • Use secure and encrypted clinical communication platforms

Challenge: Lost device containing sensitive PHI
Solutions:
  • Use MDM to track/lock the device remotely
  • Use MDM with containerization to selectively wipe hospital data
  • Limit storage of hospital data on the device using virtual desktop infrastructure
  • Report theft incidents to the hospital information technology department

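The Technology rows above (MDM blocking vulnerable devices, containerization, selective wipe of hospital data on a lost device, automatic log-off) are stated as controls rather than mechanics. As an added illustration that is not part of the paper, the following Python sketch turns a device posture record into an MDM-style admission decision. The posture fields, the OS baseline, the 5-minute idle limit, and the sample devices are all constructed for the demo and are not any vendor's MDM schema.

```python
"""Added example (not from the paper): an MDM-style admission policy that maps
device posture to network access, PHI access and remediation actions.
Field names, thresholds and sample devices are constructed assumptions."""
from dataclasses import dataclass, field

MIN_OS = {"ios": (16, 0), "android": (13, 0)}  # assumed hospital OS baseline
MAX_INACTIVITY_SECONDS = 300                    # assumed auto log-off after 5 min idle


@dataclass
class DevicePosture:
    device_id: str
    platform: str
    os_version: tuple
    rooted_or_jailbroken: bool
    disk_encrypted: bool
    screen_lock: bool
    work_container_present: bool   # containerized hospital data partition enrolled
    reported_lost: bool = False
    idle_seconds: int = 0


@dataclass
class Decision:
    network_access: bool
    phi_access: bool
    actions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate(d: DevicePosture) -> Decision:
    """Apply the posture checks in order; any failed check narrows access."""
    if d.reported_lost:
        # Lost device: lock it and wipe only the hospital container so that
        # personal data is untouched (selective wipe via containerization).
        return Decision(False, False,
                        ["remote_lock", "selective_wipe_work_container"],
                        ["device reported lost"])
    dec = Decision(network_access=True, phi_access=True)
    if d.rooted_or_jailbroken:
        dec.network_access = dec.phi_access = False
        dec.reasons.append("rooted/jailbroken")
    # Unknown platforms fall below any baseline and are kept off the network.
    if d.os_version < MIN_OS.get(d.platform, (999,)):
        dec.network_access = dec.phi_access = False
        dec.reasons.append("OS below baseline")
    if not d.disk_encrypted or not d.screen_lock:
        dec.phi_access = False           # data at rest is not protected
        dec.reasons.append("no encryption/screen lock")
    if not d.work_container_present:
        dec.phi_access = False           # PHI may only live in the work container
        dec.reasons.append("work container missing")
        dec.actions.append("enroll_work_container")
    if d.idle_seconds >= MAX_INACTIVITY_SECONDS:
        dec.actions.append("force_logoff")   # automatic log-off after inactivity
    if not dec.network_access:
        dec.actions.append("quarantine_network")
    return dec


# Constructed sample devices for the demo.
SAMPLE_DEVICES = {
    "compliant": DevicePosture("D1", "ios", (17, 1), False, True, True, True),
    "jailbroken": DevicePosture("D2", "android", (14, 0), True, True, True, True),
    "lost": DevicePosture("D3", "ios", (17, 1), False, True, True, True, reported_lost=True),
    "stale_no_container": DevicePosture("D4", "ios", (15, 7), False, True, True, False,
                                        idle_seconds=600),
}


def run_demo() -> dict:
    """Evaluate every sample device and return the decisions keyed by label."""
    return {label: evaluate(dev) for label, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for label, dec in run_demo().items():
        print(f"{label:20} net={dec.network_access} phi={dec.phi_access} "
              f"actions={dec.actions} reasons={dec.reasons}")
```

The ordering matters: the lost-device branch returns first so that a wipe is issued even when the device would otherwise be compliant, and network quarantine is appended last so it always reflects the final access decision.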
Policy

Challenge: Lack of strategy/direction for ideal BYOD use
Solutions:
  • Define a hospital-wide BYOD strategy that is updated regularly
  • Dedicated BYOD policy giving complete guidance on authentication, access control, chain of responsibility, data ownership, devices allowed, acceptable use, training, legislation, and noncompliance
  • Mandate signing of a user agreement for BYOD users

Challenge: Maintaining compliance with health care data protection laws
Solutions:
  • Notify relevant government departments about breaches as required by law
  • Perform regular audits and legal risk assessments
  • Define applicable privacy regulations and penalties for noncompliance
  • Train BYOD users in incident reporting so that breaches/thefts are notified

Challenge: Access privilege abuse
Solutions:
  • Use the principle of least privilege and role-based access control in defining staff access to PHI
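The last Policy row pairs least privilege with role-based access control. As an added example, not taken from the paper, the Python below shows why the two are combined: a role grants a set of PHI fields, but a clinical role still only reaches patients on the user's care team, and every decision is written to an audit list (supporting the "monitor user behavior" row in the People dimension). The roles, field names, staff and patient identifiers, and care-team assignments are constructed for the demo.

```python
"""Added example (not from the paper): least-privilege PHI access that combines
role-based field permissions with a care-team (need-to-know) constraint.
Roles, fields, identifiers and assignments are constructed assumptions."""

# Each role maps to the minimum PHI fields it needs for its duties.
ROLE_FIELDS = {
    "attending_physician": {"demographics", "diagnoses", "medications", "lab_results", "notes"},
    "nurse": {"demographics", "medications", "lab_results"},
    "billing_clerk": {"demographics", "billing_codes"},
    "it_admin": set(),   # administers systems but holds no clinical data rights
}

CLINICAL_ROLES = {"attending_physician", "nurse"}

# Constructed care-team assignments: patient id -> staff currently assigned.
CARE_TEAM = {
    "P-1001": {"dr.smith", "rn.lee"},
    "P-1002": {"dr.patel"},
}

AUDIT_LOG = []   # every decision is recorded for later review


def authorize_phi_read(user: str, role: str, patient_id: str, requested: set) -> set:
    """Return the subset of requested fields the user may read (empty = denied)."""
    requested = set(requested)
    allowed_by_role = ROLE_FIELDS.get(role, set())   # unknown role -> nothing

    # Need-to-know: clinical staff only see patients on their own care team,
    # so a valid role alone never unlocks the whole patient population.
    if role in CLINICAL_ROLES and user not in CARE_TEAM.get(patient_id, set()):
        AUDIT_LOG.append({"user": user, "role": role, "patient": patient_id,
                          "granted": set(), "denied": requested,
                          "reason": "not on care team"})
        return set()

    granted = requested & allowed_by_role
    AUDIT_LOG.append({"user": user, "role": role, "patient": patient_id,
                      "granted": granted, "denied": requested - granted,
                      "reason": "role policy"})
    return granted


if __name__ == "__main__":
    print(authorize_phi_read("rn.lee", "nurse", "P-1001", {"medications", "notes"}))
    print(authorize_phi_read("rn.lee", "nurse", "P-1002", {"medications"}))
    for entry in AUDIT_LOG:
        print(entry)
```

Requests are filtered rather than rejected outright, so a caller receives only the fields its role needs, and the audit entry records exactly which fields were withheld; an unlisted role or an unassigned clinician gets an empty set.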

People

Challenge: Inappropriate behavior by BYOD users
Solutions:
  • Penalize staff found guilty of breaches
  • Encourage safe and secure use by establishing a security culture
  • Monitor user behavior regularly

Challenge: Lack of awareness among hospital BYOD users
Solutions:
  • Educate BYOD users periodically
  • Check awareness levels regularly, for example, through phishing campaigns

Challenge: Poor user experience
Solutions:
  • Consult all relevant stakeholders throughout the BYOD program
  • Carefully consider clinical workflow and ease of use

Challenge: Cybersecurity budget and skills shortage
Solutions:
  • Government investment in technology, education, and research
  • Hiring experts
  • Sponsoring and supporting employees for skills improvement

[a] MDM: mobile device management.
[b] BYOD: bring-your-own-device.
[c] AES: Advanced Encryption Standard.
[d] TLS: Transport Layer Security.
[e] PHI: personal health information.