HIPAA-Compliant BYOD After the Honeymoon
Published 05/11/2015
By Nat Kausik, CEO, Bitglass
We met with the head of compliance of a large state healthcare organization last week. They were struggling to achieve HIPAA-compliant mobility and shared their experiences and insights with us.
To start, mobile technologies are changing so rapidly that any attempt to install software on the endpoint to secure or manage the device is doomed to fail. The organization had purchased and deployed a high-end Mobile Application Management (MAM) solution two years ago. The MAM solution worked great during the honeymoon period after deployment: 100% compliance on 20% of the devices.
Then cracks began to appear. First, the deployment stalled as users beyond the first 20% refused to install the app on their BYO devices. Then, users who had the app upgraded their devices and needed help porting the MAM clients at each upgrade. Then, the MAM clients stopped working with certain types of devices. Calendar invites appeared weeks after the meetings were done. Emails were getting dropped. Physicians would have none of that nonsense, and IT was forced to open up ActiveSync direct for all users. Pretty soon, 90% of users were connecting their native email clients directly via ActiveSync on BYOD. So 100% compliance on 10% of devices plus 0% compliance on 90% meant a net 10% compliance. And physicians had the most non-compliant BYO devices and dealt with the most PHI.
The same story plays out at even the largest healthcare organizations. Indeed, following the above meeting we met with the newly minted Chief Data Officer at a very large healthcare organization with over 100K employees. Same story. MobileIron MDM for all users. But after the honeymoon ended, physicians got to connect any device direct. And so did any other user who figured out that ActiveSync direct was open.
How do you maintain HIPAA compliance on any device after the honeymoon? Bitglass, of course.