Bring Your Own Device To Work Programs: Regulatory and Legal Risks and How To Minimize Them

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm

If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it.  The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.

Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not.  For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update.  That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws and the Centers for Medicare and Medicaid Services will, and has been, citing such infractions on surveys.  We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.

There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.

Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:

  • Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.

  • Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).

  • Training and Sanctions. Enforce training requirements and frequency as part of the terms of use and implement clear sanctions policies for unauthorized access or use.  Employers may also consider whether the same training and policies/procedures will apply to vendors or contractors.

  • HR Policies.  Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.

There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.

ARTICLE BY

OF

Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device

Risk-Management-Monitor-Com

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

OF