12 Steps to Manage BYOD Risks to Lab Data

The practice of allowing employees to use their own personal mobile devices to carry out work-related activities remotely, commonly referred to as Bring Your Own Device (BYOD), can expand telework flexibilities and reduce digital equipment costs. However, it may also expose patient and other sensitive lab data to heightened vulnerability. Here are 12 things lab professionals can do to manage BYOD privacy and data security risks, based on general best practices and standards like National Institute of Standards and Technology (NIST) Special Publication 1800-22.^1,2

1. Assess the privacy risks

While you’ll have to tailor your BYOD strategy to the mobile devices involved and the unique aspects of your laboratory information system, the starting point is to perform a privacy impact assessment (PIA) and threat and risk assessment (TRA) to identify and determine what to do about the risks associated with the collection, use, disclosure, storage, and retention of personal information. Consider both the technology and procedures involved.

2. Create a BYOD policy

Create and implement a written BYOD policy. (Click here for a template policy that you can adapt.)³ While BYOD policies aren’t one-size-fits-all, here are some key elements, based on the NIST and other resources mentioned above, that lab leaders may wish to address in their policies:

• • user responsibilities,

• • how personal information in the lab’s control may be subject to corporate monitoring on a BYOD device,

• • approved devices that lab employees may use to connect to lab systems,

• • acceptable and unacceptable uses of BYOD devices,

• • sharing of BYOD devices with family and friends, and

• access requests.

3. Conduct pilot testing

Test your BYOD program before you roll it out. The point of testing is to challenge the validity of lab professionals’ underlying assumptions about cybersecurity threats and how to contain them. Doing so will allow the lab to identify potential threats and weaknesses in the program that can then be corrected before they lead to actual privacy and security breaches.

4. Provide training

Labs need to ensure employees are properly trained on the risks associated with device administration, storage and retention, encryption, app management and configuration, authentication and authorization, malware, software vulnerability, and other technical issues. Training should also explain how the BYOD program addresses each of these issues.

5. Consider containerization of BYOD devices

Employees generally use their personal devices for both work and non-work purposes. Thus, one common approach to managing BYOD risks is to compartmentalize each device into two separate containers—one container for personal information and the other for lab and business information. Executed effectively, containerization may also eliminate the need for labs to remotely wipe data from employees’ personal devices.

6. Implement storage and retention policies

There should be written policies and procedures governing the storage and retention of personal information in the lab’s custody or control. Labs should also ensure that employees access, store, and retain only the essential lab data they need to perform work functions with their personal device.

7. Implement encryption policies

Hackers and other malicious actors can readily access and eavesdrop on communications carried out over unencrypted wireless networks such as public Wi-Fi access points. That makes it essential for your lab BYOD program to provide for encryption, including encryption of devices, containers, and communication channels between devices or mobile apps and the organizational network and electronic health record (EHR).

8. Protect against software vulnerabilities

Assign somebody within the organization to carry out patch management and updating of BYOD devices to help ensure protection against software vulnerabilities.

9. Manage apps and app configuration

Create a list of approved apps that employees are allowed to install on their BYOD devices, as well as a procedure to manage how apps are installed, updated, and removed.

10. Establish authentication and authorization procedures

Authentication involves verifying an individual’s identity before granting access; authorization limits the authenticated user’s access to certain information once they get access. There must be authentication procedures for devices, containers, and users.

11. Provide for malware protection

Take measures to ensure that BYOD devices don’t transmit malware, such as worms and Trojan horses, to lab information systems (and vice-versa).

12. Implement an incident response procedure

Labs should also have a documented incident management process that provides for detecting, containment, reporting, investigation, and correction of privacy and security breaches resulting from BYOD uses.

Takeaway

BYOD is a great way to leverage the omnipresence of personal mobile devices to achieve operating efficiencies and cost savings. However, allowing employees to connect their smartphones, tablets, personal computers, and other devices to your lab information systems and networks puts you at heightened risk of data leaks, cyberattacks, and other privacy and security threats. It’s therefore essential to not only implement appropriate BYOD protocols, policies, and programs, but also constantly monitor them for compliance and effectiveness.

References:

1. 1. https://www.g2intelligence.com/expert-qa-trends-in-cybersecurity-and-how-labs-can-protect-themselves/

1. 1. https://www.nccoe.nist.gov/sites/default/files/2022-11/mdse-nist-sp1800-22-draft-2.pdf

1. 1. https://www.g2intelligence.com/compliance-tool-model-bring-your-own-device-byod-policy/