Hospital Bring-Your-Own-Device Security Challenges and Solutions: Systematic Review of Gray Literature

Background: As familiarity with and convenience of using personal devices in hospitals help improve the productivity, efficiency, and workflow of hospital staff, the health care bring-your-own-device (BYOD) market is growing consistently. However, security concerns owing to the lack of control over the personal mobile devices of staff, which may contain sensitive data such as personal health information of patients, make it one of the biggest health care information technology (IT) challenges for hospital administrations.

Objective: Given that the hospital BYOD security has not been adequately addressed in peer-reviewed literature, the aim of this paper was to identify key security challenges associated with hospital BYOD usage as well as relevant solutions that can cater to the identified issues by reviewing gray literature. Therefore, this research will provide additional practical insights from current BYOD practices.

Methods: A comprehensive gray literature review was conducted, which followed the stepwise guidelines and quality assessment criteria set out by Garousi et al. The searched literature included tier 1 sources such as health care cybersecurity market reports, white papers, guidelines, policies, and frameworks as well as tier 2 sources such as credible and reputed health IT magazines, databases, and news articles. Moreover, a deductive thematic analysis was conducted to organize the findings based on Schlarman’s People Policy Technology model, promoting a holistic understanding of hospitals’ BYOD security issues and solutions.

Results: A total of 51 sources were found to match the designed eligibility criteria. From these studies, several sociotechnical issues were identified. The major challenges identified were the use of devices with insufficient security controls by hospital staff, lack of control or visibility for the management to maintain security requirements, lack of awareness among hospital staff, lack of direction or guidance for BYOD usage, poor user experience, maintenance of legal requirements, shortage of cybersecurity skills, and loss of devices. Although technologies such as mobile device management, unified endpoint management, containerization, and virtual private network allow better BYOD security management in hospitals, policies and people management measures such as strong security culture and staff awareness and training improve staff commitment in protecting hospital data.

Conclusions: The findings suggest that to optimize BYOD security management in hospitals, all 3 dimensions of the security process (people, policy, and technology) need to be given equal emphasis. As the nature of cybersecurity attacks is becoming more complex, all dimensions should work in close alignment with each other. This means that with the modernization of BYOD technology, BYOD strategy, governance, education, and relevant policies and procedures also need to adapt accordingly.

[1] Shibo TO BE INDEPENDENT, 2000.

[2] Steven Schlarman, et al. The People, Policy, Technology (PPT) Model: Core Elements of the Security Process, 2001, Inf. Secur. J. A Glob. Perspect.

[3] J. Fereday, et al. Demonstrating Rigor Using Thematic Analysis: A Hybrid Approach of Inductive and Deductive Coding and Theme Development, 2006.

[4] D. Moher, et al. Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement, 2009, BMJ: British Medical Journal.

[5] Stewart Kowalski, et al. ST(CS)2 - Featuring socio-technical cyber security warning systems, 2012, 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec).

[6] Jennifer E. Moyer. Managing Mobile Devices in Hospitals: A Literature Review of BYOD Policies and Usage, 2013.

[7] P. Coyte, et al. Replacing Ambulatory Surgical Follow-Up Visits With Mobile App Home Monitoring: Modeling Cost-Effective Scenarios, 2014, Journal of medical Internet research.

[8] Carolyn Adams. One office, three champions? Structural integration in the office of the Australian Information Commissioner, 2014.

[9] Jill Schlabig Williams. Left to their own devices how healthcare organizations are tackling the BYOD trend, 2014, Biomedical instrumentation & technology.

[10] Chris W. Clegg, et al. Advancing socio-technical systems thinking: a call for bravery, 2014, Applied ergonomics.

[11] C. Gwaltney, et al. “Bring Your Own Device” (BYOD): The Future of Field-Based Patient-Reported Outcome Data Collection in Clinical Trials?, 2015, Therapeutic innovation & regulatory science.

[12] Benjamin L. Schooley, et al. Patient-Provider Communications in Outpatient Clinic Settings: A Clinic-Based Evaluation of Mobile Device and Multimedia Mediated Communications for Patient Education, 2015, JMIR mHealth and uHealth.

[13] M. Fine, et al. Veteran, Primary Care Provider, and Specialist Satisfaction With Electronic Consultation, 2015, JMIR medical informatics.

[14] Adam Landman, et al. A Mobile App for Securely Capturing and Transferring Clinical Images to the Electronic Health Record: Description and Preliminary Usability Study, 2015, JMIR mHealth and uHealth.

[15] Nima Zahadat, et al. BYOD security engineering: A framework and its analysis, 2015, Comput. Secur.

[16] S. Dalton-Brown. Healthcare in Australia, 2016, Cambridge Quarterly of Healthcare Ethics.

[17] Mahmood Hussain Shah, et al. Information security management needs more holistic approach: A literature review, 2016, Int. J. Inf. Manag.

[18] A. Pelletier, et al. A Mobile App Development Guideline for Hospital Settings: Maximizing the Use of and Minimizing the Security Risks of "Bring Your Own Devices" Policies, 2016, JMIR mHealth and uHealth.

[19] R. Adams, et al. Shades of Grey: Guidelines for Working with the Grey Literature in Systematic Reviews for Management and Organizational Studies, 2017.

[20] K. Scott, et al. Doctors’ use of mobile devices in the clinical setting: a mixed methods study, 2017, Internal medicine journal.

[21] M. Levin-Epstein. The US Department of Health and Human Services Awards Grants to Protect Against Cybersecurity Threats, 2017.

[22] A. Guilmain. Consent is Becoming A Topic of Conversation Again: Overview of The Annual Report of The Office of The Privacy Commissioner of Canada, 2017.

[23] M. Jalali, et al. Cybersecurity in Hospitals: A Systematic, Organizational Perspective, 2018, Journal of medical Internet research.

[24] L. Coventry, et al. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward, 2018, Maturitas.

[25] Vahid Garousi, et al. Guidelines for including the grey literature and conducting multivocal literature reviews in software engineering, 2017, Inf. Softw. Technol.

[26] Kathleen Gray, et al. BYOD in Hospitals-Security Issues and Mitigation Strategies, 2019, ACSW.

[27] Masike Malatji, et al. Socio-technical systems cybersecurity framework, 2019, Inf. Comput. Secur.