What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing-through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD, literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices into the workplace (smart phones, tablets, laptops), in order that they may access proprietary and work-related information on those platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article, include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very-well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains; on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff also needs (or specialized contractors also need) to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is input into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on counter social engineering techniques, safe browsing outside the workplace, and other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring a re-typing for each access or use.  In addition and at the very least, BYOD mobile devices must, themselves, be protected with passwords and where applicable, programmed to alert the owner as to their location or remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks, and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytimeBYOD-enabled workspace; or as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access to only that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post breakup/rejection); not to mention  the truly inadvertent disclosures or keying slip-ups.  Data may also be protected against cut/paste or dragging, download, and covered by strict write and edit permissions.  This level of openness for use and potential abuse also makes the initial background checks and vulnerable sector screens, that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business or industry-specific (protecting Intellectual property Rights /IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: > http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html<

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[3]Supra note 1.

[4]Id. The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5]See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[6] PHIPPA (Personal Health Information Protection Act, S.O. 2004, CHAPTER 3.  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm

[7]  Also consider the potential applicability, whether in Ontario alone, of MFIPPA and PIPEDA, or elsewhere in Canada and at the federal level, as well as outside Canada with regard to the latter, PIPEDA.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: > http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htmSee also PIPEDA (Personal Information and Protection of Electronic Documents Act, S.C. 2000, c.5).  Online: >http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html<

Advertisements

One Response to “What about hospital BYOD?”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: