- BYOD is bound to result in some big fines for organizations governed by regulatory privacy mandates.
- Since it is only a matter of time before auditors catch up, IT should be proactive in putting effective policies, controls and end-user training in place.
As enterprise IT struggles to get its arms around BYOD policy creation and control over the growing number of employee-owned smartphones and tablets used to access critical applications and data, one of the big questions it has to address is how to ensure continued compliance with regulatory mandates such as PCI, HIPAA and state privacy regulations as well as Dodd-Frank and more. A new survey of 3,500 IT leaders and tech professionals conducted in June found that half the respondents think at least 25% or more of sensitive data is made vulnerable because of employee access to it using those personal devices. The TEKsystems study also found that 35% of the IT leaders it surveyed are not sure their BYOD policies are compliant with those data privacy mandates.
The problem is particularly acute in the healthcare field, not only because of strict guidelines mandated by HIPAA, but also because of the widespread adoption of personal smartphones and tablets by physicians and other healthcare workers. According to pharmaceutical and healthcare market research firm Manhattan Research, 81% of physicians now use a smartphone, up from 72% in 2010. Last year, Aruba Networks found that 85% of the 130 hospitals that it surveyed allow employees to use personally owned devices at work. To meet HIPAA compliance, health care providers must protect private data on personally owned mobile devices used at work; encrypt all enterprise e-mail, data and documents; remotely manage device policies; use dynamic policy controls to restrict access to sensitive data and apps; enforce access controls on corporate apps and services; monitor device integrity; run anti-malware on the device; centrally manage policies and configurations on devices; and provide compliance reporting on mobile devices. Last September, Massachusetts Eye and Ear Infirmary was fined $1.5 million for a patient data breach when a laptop that had unencrypted data on it was stolen. It is only a matter of time before that same scenarios plays out on an employee-owned tablet or smartphone.
However, healthcare is not alone. The Payment Card Industry Data Security Standards rules mandate a series of protective steps, including ensuring that firewalls are installed and IT configures the BYOD devices itself. Still, the PCI Security Standards Council would rather not see BYOD allowed at all; in February, it said that BYOD should not be considered a best practice because merchants have no control over the content and configuration of the employee’s device. Furthermore, SEC rules require that financial services firms that allow BYOD make sure all employees’ business communications records can be readily accessed.
Whether governed by strict HIPAA rules or other government or industry mandates that are bound to catch up with HIPAA, organizations that must meet such mandates should take proactive steps to avoid breaches which could result in not only big fines, but also costly lawsuits and loss of business through damage to the organization’s reputation. Such steps could include requiring employees to sign agreements before they are allowed access to corporate apps and data to ensure that you legally and technically have the ability to selectively wipe employee devices that are lost or stolen to delete any corporate-owned sensitive information. All the major MDM providers, such as MobileIron, AirWatch, Good Technology and others, provide selective wipe technology. Other steps could include requiring multi-factor authentication before allowing access to enterprise applications, including e-mail; providing user-friendly and regulatory-compliant alternatives to using consumer-focused storage services such as DropBox, Evernote and others (CloudPrime’s QuickDrop is HIPAA-compliant); providing regular employee training on BYOD security issues and technologies; and incorporating personally owned devices used to access data governed by regulatory requirements into your regular audits (once permission has been gained from the employee).