NR 512 Discussion Activities: Safeguarding Health Information and Systems
My workplace would never allow for us to bring our own devices into the facility! I was quite surprised to find out that this was a thing!
Upon doing some research on this topic I found out some interesting facts. I found it interesting that BYOD encompasses more than just computers. It also means that employees may use smartphones, tablets, kindles, and more for their work. The concept of BYOD includes personal software and services, as employees use iCloud services and other tools on the web (Eschelbeck & Schwartzberg, 2017).
To begin, I will discuss the security issues that would be encountered. It’s risky to assume that prohibiting the use of personal devices solves the problem. I say this because the average employee ends up using their own device anyway because it is not monitored by workplace security policies. But, regardless of what you think about BYOD and however workplaces choose to implement it, IT managers should treat it the same way as any introduction of innovative technology: with a controlled and predictable deployment of security (Eschelbeck & Schwartzberg, 2017).
When it comes to devices being introduced into the workplace, a few questions should be addressed.
1) Who owns this device?
Is this a trustworthy person? In the past, the company owned the devices, whereas in this case, the employee owns the device (Eschelbeck & Schwartzberg, 2017).
2) Who manages this device?
How is security going to be managed, if the employee is in charge (Eschelbeck & Schwartzberg, 2017)?
3) Who secures this device?
Accountability is not something that goes away for an employee just because they personally own the device (Eschelbeck & Schwartzberg, 2017).
All organizations have the flexibility to embrace BYOD as much as they feel reasonable. But, there are companies who have decided the risk is too great and choose not to implement a BYOD program (Eschelbeck & Schwartzberg, 2017).
In May 2012, a facility banned its 400,000 employees from using their own devices and their own applications because of concerns about data security. The facility also banned cloud storage services such as Dropbox, as well as Siri. Since Siri listens to spoken requests and sends these requests to Apple’s servers, where they are deciphered into text, they found this could be a HIPAA violation along the line. They also banned Siri because she can create text messages and emails on voice command, but some of these messages could contain sensitive and private information (Eschelbeck & Schwartzberg, 2017).
Ultimately, the success of the BYOD program is measured by the employees’ willingness to use their personal devices within the rules set for them. The organization’s security procedures and policies should determine whether and how BYOD is utilized. If adopted into a company, BYOD users need to have the ability to enforce security policies on their device and protect their property if that device is ever lost or stolen (Eschelbeck & Schwartzberg, 2017).
A couple other security concerns include:
-Being able to register employee devices with the company for monitoring purposes (Matteucci, 2017).
-Implementing password protection, antivirus and back-up software for all devices (Matteucci, 2017).
-Preventing the use of public WiFi networks (Matteucci, 2017).
-Downloading company information on home computers (Matteucci, 2017).
-Cleaning/resetting the devices entirely when employees quit or are terminated (Matteucci, 2017).
Eschelbeck, G., & Schwartzberg, D. (2017). BYOD Risks and Rewards: How to keep employee smartphones, laptops and tablets secure. SOPHOS, 2(10), 1-7.
Matteucci, G. (2017, April 21). The Pros and Cons of Bring-Your-Own-Device (BYOD) for Your Mobile Field Workforce – Field Force Friday. Retrieved April 09, 2018, from http://www.msidata.com/pros-and-cons-of-byod-in-mobile-field-workforce
I feel the employee should be compensated to some extent for being required to use their own personal device at work. Also, if an employee is required to use their own personal device, are they in jeopardy of having their personal information contained on the phone made public to the employer? Basically, by using their personal phone at work and accepting compensation for it, have they given up their right to personal privacy? I guess it all depends on the agreements made with the employer, and this agreement should be carefully considered by the employee. There is no doubt that employers will save time and money by allowing employees to use their own devices, but is this best for the employee?
A recent article mentions that expense reimbursement for use of personal cell phones for work activities is required depending on which state one lives in (Lannon & Schreiber, 2018). This same article goes on to discuss a law in California that requires employers to pay at least part of an employee’s wireless voice and data plan if it is required at work (Lannon & Schreiber, 2018). After further research I found the actual California Labor Code 2802 (a) that basically states that the employer is responsible for all expenditures or losses incurred by the employee in direct consequences of discharging their duties (leginfo.legislature.ca.gov). This means employers need to seriously research this topic depending on which state they reside in before they end up in trouble for non-compensation, while employees need to fully understand if their personal right to privacy can be breached by their employer.
Code Section. (2016, January 1). Retrieved April 10, 2018, from https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=LAB&sectionNum=2802.
Lannon, P. G., & Schreiber, P. M. (2018, March 30). BYOD Policies: What Employers Need to Know. Retrieved April 10, 2018, from https://www.shrm.org/hr-today/news/hr-magazine/pages/0216-byod-policies.aspx
In reviewing your response to bring your own device (BYOD), we had very similar concerns. I agree with your point that employees may be putting their personal information at risk. You mentioned the level of risk being dependent upon the agreements made with employers; however, some circumstances are beyond the employer’s control, like litigation.
In reviewing your information regarding reimbursement for using personal devices, what do employers use to get employee buy-in? If I agreed to use my personal device, like a cell phone, it would only be a dedicated phone for work that the employer completely reimbursed me for, including 100 percent of the bill. I still can’t figure out the real benefit. Usually corporations get significant discounts on items like cell phones and group phone plans. So why the BYOD?
We know that the bottom line is always the bottom line. Employers have obviously found benefits to BYOD, but at what cost? In an article by Hovav & Putri (2016), they found employees who BYOD are less likely to follow security policies and protocols. While this is a relatively new trend, I wonder what the long term effects on espionage, security leaks, and security breaches are on companies who support or require BYOD. Furthermore, how much of our personal privacy is relinquished when we agree to BYOD?
Reference: Hovav, A., & Putri, F. F. (2016). This is my device! Why should I follow your rules? Employees’ compliance with BYOD security policy. Pervasive And Mobile Computing, 32(Mobile Security, Privacy and Forensics), 35-49. doi:10.1016/j.pmcj.2016.06.007
I think that it depends on the device. For instance, if I am using my car for work, the company should compensate my gas and mileage. But, if I am using my computer at work and it does not cost me anything out of my pocket, then that is a different story. I do not think it matters to be compensated.
But this also brings me to the question, what about data? If there isn’t Wi-Fi, I will be using my own internet and my own data to complete my work. With this being said, yes, the company should compensate me the exact amount of data I use.
The more BYOD is being utilized by companies, the higher the expectations are to include these devices into their work. But, it is an underlying issue to compensate employees for any charges that are incurred during the use of their personal devices. According to my research, many companies do pay for data charges and other charges by offering extra “bonuses” to their paychecks. But, often these inaccurately reflect the real usage charges that are incurred by the employees (Malee, Shabazz, Hammond, Willis, & Miller, 2017).
Reference: Malee, D., Shabazz, J., Hammond, R., Willis, L., & Miller, G. (2017). Methods and apparatus to interface with different service provider information technology systems supporting service ordering. USPTO,15(61), 1-35. doi:US020170064088A120170302
As Hailey points out, successful BYOD relies on staff willingness to use their personal devices. Any device required to perform duties related to work should be at the cost of the employee’s organization. In my opinion there are too many risks involved with staff using personal devices they outright own. A few of my reasons include:
- Upon termination of employment, terminated employees may still have sensitive or private information in their possession. How can an employer force an employee to turn over their personal device?
- While hackers are able to penetrate some of the most secure cyber sites, how enhanced would their capabilities be if they were to have a direct link to sensitive information via a stolen device?
- If employees may be at increased risk of litigation because they own their own devices, there is a significant chance that those employees would have legitimate cause to in turn sue employers for not providing the proper security to personal devices to ensure they are able to protect sensitive information.
- How many staff would really be willing to use personal devices?
In an article by Magruder, Lewis, Burks, & Smolinski (2015), many of my same concerns were echoed, including additional concerns that personal devices may have issues interfacing with established networks and a high suspicion of employees who insist on using personal devices.
With many industries, including healthcare and technology, being in fierce competition, do employers really want sensitive information on a personal device that can be manipulated or contain undetected cloning software?
Magruder, J. S., Lewis, S. X., Burks, E. J., & Smolinski, C. (2015). Bring Your Own Device (BYOD)–Who Is Running Organizations?. Journal Of Accounting & Finance (2158-3625), 15(1), 55-61.
Do I believe that the organization should be accountable to the cost if a device is required to complete the functions of their job? Yes, I really do think that the organization should be held accountable for the most part, but I am slightly torn because my perspective is looking at the situation from both ends of the organization and the staff.
My perspective on this viewpoint is that if a device is REQUIRED, and the organization is providing me with this device, then yes, the organization should be accountable. Should the organization be 100% accountable? This is where I believe that both the organization and the staff using the device should be accountable. Maybe 75% the organization and 25% staff. That percentage is based on the organization having liability.
An example would be my workplace providing me with a work phone to use for work use only. I believe that I should be given some kind of security or professional device usage class to learn all the policy and guidelines of having this device. The organization should implement rules, risks, and tolerance as well. An effective security starts with organizations classifying risks, assets, and tolerance (Millman, 2017). As a professional, I should only use this device for work-related reasons. However, if I use it for social media, checking e-mails, texting, or anything that is forbidden, I should be held accountable and my organization should also be held accountable. My organization should be held accountable because they are the ones providing me with a required device to do my job and they are responsible for ensuring that staff are professionals and are only using their device for work-related reasons.
Millman, R. (2017). Maximize Productivity and Minimize Risk with Mobile Management. Computer Weekly, 25.
With the rise of personal device usage, many companies have seen the benefits of allowing employees to bring their own device to work as a form of communication and to increase work productivity. BYOD has its many benefits to improving workflow with the right implementation of policies, procedures, and security measures. Although the benefits of BYOD are great in enhancing access for end users who can work more hours from remote locations, the question at hand is who will foot the bill for these personal devices that clearly are benefiting the organization. I believe that organizations should provide a monthly allotment to employees for using their own devices. Devices, equipment, and usage can be very expensive. Companies can get equipment and services at a more affordable cost premium, so footing the bill for personal devices and giving incentives for using personal devices still costs companies fewer expenses than dishing out equipment to all employees within the organization needing devices and services. According to a recent finding, after implementing a BYOD program, the State of Delaware saw its current wireless expenditures reduced by almost one half (Ansaldi, 2013). A company in Singapore has similar results; it reduced hardware cost and improved response times for work-related matters by allowing employees to BYOD (Ansaldi, 2013).
Ansaldi, H. (2013). Addressing the Challenges of the “Bring Your Own Device” Opportunity
I enjoyed reading your post and agree that healthcare needs to eliminate all BYOD implementations. I would never knowingly use the services of a healthcare facility that used BYOD because there is too great of a chance my personal health information will be leaked at some point. Studies show that user name and password breaches on smartphones are the most common hacking issues users deal with (Samadbeik, Gorzin, Khoshkam & Roudbari, 2015). Health facilities that use BYOD must create sign-in and password criteria to help limit security breaches. Healthcare facilities should get out of the habit of following technology in the workplace trends when these measures endanger patients’ privacy rights. Ensuring privacy and the security of health information is a key component to building the trust. There is no doubt of the potential benefits to introducing technology devices in the healthcare setting, just look at the advantages related to EHRs and EMRs in the exchange of patient information. However, the disadvantages far outweigh the benefits. I know I will not get citation credit for this statement, but I have got to forward this information: In 2017, there were a reported 477 healthcare data breaches, which affected 5.6 million patient records. The largest breach reported in 2017 was due to an employee downloading the patient billing files of over 600,000 patients onto an encrypted USB and CD. The article on the 2017 Healthcare Breach Report can be found at https://www.healthcare-informatics.com/news-item/cybersecurity/2017-breach-report-477-breaches-56m-patient-records-affected. All nurses and other medical employees cannot be trusted even though the general population wants to trust these individuals due to their professional titles. BYOD in healthcare…bad idea.
Samadbeik, M., Gorzin, Z., Khoshkam, M., & Roudbari, M. (2015). Managing the Security of Nursing Data in the Electronic Health Record. Acta Informatica Medica, 23(1), 39–43. http://doi.org/10.5455/aim.2015.23.39-43
I must first talk about my past employment in Key West where we didn’t necessarily have electronic documentation (we were still paper-charting) but we did have iPods with scanners that did send some info to the outdated computer system. The use of these iPods was very nice for medication administration, vital signs and basic patient information, being that you did not have to log on or drag around a slow PC. They were, however, burdensome to the IT department and hospital for damages, being lost, and the need for updates. These devices were owned by the hospital and they had complete control over what was on them. They didn’t have to worry about people taking them home because they simply would not work outside of the hospital network. Allowing people to use their own devices I can imagine brings great concern, but the thought of only having to carry one personal device sounds very appealing.
I personally love the thought of using my own device, which is an iPhone, or any iPhone even if owned by the hospital. Since I became a Mac user, the use of PCs in my opinion seems outdated and they seem to have much slower operating systems (hopefully not offending PC users and believers). I can definitely understand the concern for the safety of patient health information (PHI). Some security issues that could arise include: liability from failure of patient consent, privacy breaches, and insecure data storage (Bromwich & Bromwich, 2016). Failure to capture consent is mostly presented on the topic of patient information and pictures; it is recommended to obtain consent and store it with the image and/or information taken to prevent liability of privacy breaches (Bromwich & Bromwich, 2016). Another major concern is insecure data storage, which could result in privacy breaches if the device is hacked, lost or stolen (Bromwich & Bromwich, 2016). Images can be easily shared on social media or backed up to non-secure networks (Bromwich & Bromwich, 2016).
A recent study suggests the following guidelines for application development to maximize use of personal devices while minimizing security risks (Ayubi, et al., 2016). The app should have an authentication process with required security standards and an automatic log-off after a period of inactivity (Ayubi, et al., 2016). Many smartphones now have fingerprint login options which may be useful to help meet security standards. The use of role-based access will grant computer permissions to only areas of the system that are required in that employee’s role (Ayubi, et al., 2016). This will ensure employees aren’t seeing data from parts of the system that they do not need to perform their jobs; basically, it will limit the amount of patient information that isn’t essential to them. Using three layers of security for data transfer includes: Secure Sockets Layer (SSL) for a data transfer protocol, time-restricted and authenticated transactions, and ensuring data that is transferred is securely encrypted (Ayubi, et al., 2016). Allow apps to only work on internal networks or virtual private networks (VPNs) to provide a high level of security using advanced encryption and authentication to safeguard data from unauthorized individuals (Ayubi, et al., 2016). This will provide security while the data is transmitted. Limit the data that appears on notifications so there is no PHI seen until you manually go to see it; this way, even if the device is lying on a table, PHI won’t be exposed to unauthorized parties (Ayubi, et al., 2016). Implement remote wipe out functions so the IT administrator or device owner can delete all PHI if the device is lost or stolen, as well as implement the ability to disconnect or block a user at any time for inappropriate use or change/loss of employment (Ayubi, et al., 2016).
While using these guidelines is recommended, there is still concern for breaches of PHI, which will require on-going education and research to keep up with the ever-changing use of technology. PHI is valuable to many hackers, so it will require IT professionals to think like hackers in order to protect the information from actual hackers.
Ayubi, S. U., Pelletier, A., Sunthara, G., Gujral, N., Mittal, V., & Bourgeois, F. C. (2016, May 11). A Mobile App Development Guideline for Hospital Settings: Maximizing the Use of and Minimizing the Security Risks of “Bring Your Own Devices” Policies. Retrieved April 09, 2018, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4880739/
Bromwich, M., & Bromwich, R. (2016, September 06). Privacy risks when using mobile devices in health care. Retrieved April 09, 2018, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5008929/
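The app guidelines summarized in the post above (automatic log-off, role-based access, internal-network or VPN-only use, PHI-free notifications, remote wipe and user blocking) can be read as one server-side gate, sketched here as an added example that is not part of the post or of the cited guideline. The timeout, network ranges, role names and permission strings are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed policy values, constructed for this illustration.
IDLE_TIMEOUT_S = 300  # automatic log-off after 5 minutes of inactivity
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),    # hypothetical hospital LAN
    ipaddress.ip_network("172.16.50.0/24"),  # hypothetical VPN address pool
]
ROLE_PERMISSIONS = {  # role-based access: each role sees only what it needs
    "nurse": {"vitals:read", "vitals:write", "meds:administer"},
    "billing": {"invoice:read"},
}


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    last_activity: float  # epoch seconds of the last allowed request


@dataclass
class Gateway:
    blocked_users: set = field(default_factory=set)
    wiped_devices: set = field(default_factory=set)

    def block_user(self, user):
        """Cut off a user (misuse, role change, end of employment)."""
        self.blocked_users.add(user)

    def remote_wipe(self, device_id):
        """Mark a lost or stolen device; the app erases local PHI on next contact."""
        self.wiped_devices.add(device_id)

    def authorize(self, session, permission, source_ip, now):
        """Return (allowed, reason); the first failing check decides."""
        if session.user in self.blocked_users:
            return False, "user_blocked"
        if session.device_id in self.wiped_devices:
            return False, "device_wiped"
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in TRUSTED_NETS):
            return False, "untrusted_network"
        if now - session.last_activity > IDLE_TIMEOUT_S:
            return False, "idle_timeout"  # caller must re-authenticate
        if permission not in ROLE_PERMISSIONS.get(session.role, set()):
            return False, "role_denied"
        session.last_activity = now  # only allowed requests count as activity
        return True, "ok"


def lock_screen_notification(event):
    """Text for a locked screen: the event kind only, never names or values."""
    return f"New {event['kind']} available. Open the app to view."
```

Denied requests deliberately do not refresh `last_activity`, so repeated failed attempts from a device left unattended cannot keep its session alive.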
Healthcare organizations process massive amounts of electronic information that is used by their employees in supporting the organization’s services. Having been given privileged access to sensitive and valuable patient information in the health record, healthcare employees may cause privacy breaches which can be detrimental for all parties involved if this data were to fall into the wrong hands. This mistake would cost agencies so much time, money and effort that most of them think that it is not worth it. So, it is paramount to impose attention to the privacy of all employees as well as patients alike.
There are two key concerns that I see with the bring your own device (BYOD) phenom. The major issues, for me, are the lack of information privacy and cyber-attacks. Awareness of privacy risk and policy is a must so that breaches do not occur. Advances in technology are changing the way healthcare professionals communicate with peers and with patients. Like everyone else in our connected society, physicians, nurses, and other healthcare workers are bringing their personal smartphones and tablets to work seeking better ways to stay in touch with homes, offices, and one another (Williams, 2014). Although healthcare providers are increasingly utilizing mobile health technologies to successfully support their practices, several organizations are slow to adopt the BYOD phenom. While expanding and changing technology is taking place, there remains concern to protect patients, employees and the healthcare professionals.
If the BYOD phenom was allowed, the organization would have to strongly assure me that my personal information will not be tampered with or allowed to be breached in any way. Also, the patients’ data or information that I possess is under lock and key via resilient firewall and dynamic cyber-attack security. I would be afraid to use my personal device that I utilize daily for my own personal reasons. I would consider purchasing a phone, at the company’s expense, that I use particularly for work purposes outside of my personal device. I would also talk to my superiors about the BYOD concept and what their insight is on the matter and see how they plan to protect all the information that is pertinent to patient delivery of care. This is how I would address being in an organization that supports BYOD. As nurses, sending information over a secured network is important for the continuity of care of patients. There have been instances where protected health information has been sent unsecured and breaches have occurred. It is important to have well-defined policies for what is supported and accessed in organizations. There must be a strategy to protect all information with the BYOD phenom without jeopardizing patients’ integrity and privacy. Sure, BYOD would cut cost for the agency, but sending information in an unsecured way can cost them billions.
On a positive note, there would not be any training education needed if employees use their own personal devices for clinical duties. Organizations just must make sure that patients’ as well as the hospital’s data on these devices is secure. Also, there would be faster patient treatment with greater access to information right at your fingertips. A disaster plan for BYOD should be in place in an agency. Encryption is also a very critical element. Facilities would have to step up and provide quality technological and internet services to safeguard protected health information (PHI).
Williams, J. (2014). Left to their own devices how healthcare organizations are tackling the BYOD trend. Biomedical instrumentation & technology, 48(5), 327-339.