BYOD, or Bring Your Own Device, is a popular plan where organizations allow their employees to use their personal devices in a business capacity. For example, using a personal smartphone to make both personal and business phone calls, or to receive and respond to personal and business emails.
BYOD is an attractive plan for multiple reasons. Allowing individuals to use their own phone in the workplace saves a considerable amount of money associated with researching a suitable device, testing it on the network, and purchasing one for every employee. BYOD plans also save money in training: employees are already familiar with the use of their own devices. Additionally, a wide variety of devices from different vendors mean employees have multiple devices with differing functionality and features to choose from. BYOD plans allow for employees to use a device that works the best for them.
Unique Challenges, Robust Solutions
BYOD plans, however, have some serious issues to consider, especially in a healthcare environment.
In a recent report, the Privacy Commissioner of Canada assessed the unique considerations and risks of a BYOD plan.
Since an employee owns the device in a BYOD plan, the employee retains complete administrative rights and full access to the device and its data. This means that, depending on the settings and configuration set by the employee, if a device is lost or stolen, anyone who retrieves or steals the device might have full and un-restricted access to anything stored on the device.
Furthermore, the potential inability to fully secure an employee’s personal device prevents an organization from managing authorization and authentication, and removes an organization’s ability to track and log the access of sensitive data on the device.
While the issues identified by the Privacy Commissioner of Canada are significant, the recent developments in secure communication applications ensure that a BYOD plan can work within the healthcare industry.
And there is no other solution more perfectly designed to address the unique risks of a BYOD plan than dr2dr.
Demonstrating Accountability and Supporting Effective Authentication and Authorization Practices
The Privacy Commissioner of Canada identified that “if an employee has full administrative rights…to the device, an organization may not be able to appropriately demonstrate accountability for the information under its control.”
With dr2dr, full administrative access on an employee’s device does not mean full administrative access on dr2dr. Security permissions for dr2dr are set from within the program and are completely separate from the security settings of the employee’s device.
Additionally, an dr2dr user must sign in to the program to access any secure data or conversations. This access uses a two factor authentication, ensuring that the person accessing dr2dr is the right person.
“Containerization”
Containerization, as described by the Privacy Commissioner of Canada, is the separation of private and corporate data on an employee’s personal device, ensuring that sensitive corporate data is “logically separated from the employee’s personal [data]”
Using dr2dr as your secure healthcare communications platform ensures that you never have to worry about the possibility of storing confidential data or conversations in the same place as an employee’s personal data; dr2dr will never store a single byte of data on any device.
This access-only design also ensures that if employees misplace their device, or have it stolen, no confidential or sensitive data will be accessed.
New Legal Consequences
In a recent CMAJ article regarding BYOD plans within the healthcare industry, it was noted how “health care providers and institutions risk civil liability if patient data stored on mobile devices are not handled securely” (Bromwich, M and Bromwich, R. (2016, September 6) Privacy risks when using mobile devices in health care. CMAJ, 188, 855-856, doi:10.1503/cmaj.160026).
In a recent case (Jones v. Tsige), the Court of Appeal for Ontario set a new precedent with the creation “intrusion upon seclusion,” a new civil law regarding the unauthorized access to private information. This new civil law is a significant development with regards to privacy legislation, especially for healthcare, as it extends civil liability to “organizations that were already subject to privacy legislation, such as PIPEDA or provincial health privacy legislation” (http://www.mcmillan.ca/seclusion-intrusion-a-common-law-tort-for-invasion-of-privacy).
Although this new law was set in Ontario, there is potential for other provinces to look to this precedent and set their own, similar laws. In fact, this new civil liability has already been applied to medical records in a case before the Supreme Court of Newfoundland (Hynes v. Western Regional Integrated Health Authority).
With this new law and the precedent set by the Court of Appeal for Ontario, healthcare providers in Alberta, and elsewhere in Canada, now risk civil liability for medical privacy breaches.
A BYOD plan is indeed an attractive arrangement, and one that multiple organizations already employ. However, there can be serious issues to a BYOD approach, especially in a healthcare setting, where the data accessed on an employee’s personal device could be confidential patient data.
dr2dr was specifically designed with these risks in mind. By integrating dr2dr as the preferred secure communications platform, you can ensure that the security risks of a BYOD program won’t impact your practice, or leave you liable for privacy breaches.
To find out more about how dr2dr can help keep you secure, contact info@dr2dr.ca
To sign up for an dr2dr account, free until October 2017, visit: www.dr2dr.ca