La Trobe University – A new study led by Dr. Tafheem Wani, a La Trobe lecturer in Digital Health Information Management, showed that clinicians’ phones (and other digital devices) contained sensitive patient information, which was not often protected by antivirus software and passcodes.
Dr. Wani said the use of personal devices for work purposes, known as “bring your own device” (BYOD), had significantly increased in hospitals because clinicians needed efficiency and mobility while at work.
“Some clinicians, particularly doctors, work in several different hospitals, from public to private, and also in different health settings, so a ‘work phone’ does not make sense to them when working in a highly mobile environment,” Dr. Wani said.
“Continuing to use personal devices without proper security measures means patient data is at high risk of being leaked or hacked.
“We found that patient data security depends on clinicians’ actions and security behavior. BYOD devices may lack essential security measures such as antivirus software, passcodes and encryption.”
Dr. Wani said clinicians may also have patient data stored together with their personal data, which could lead to inadvertently leaking confidential patient information to their family and friends.
“The main concerns are the risk of a malware intrusion into hospital networks leaving the sensitive data open to hackers; inadvertent patient data sharing; and overly complex security protocols implemented by hospitals, which often drive clinicians to adopt insecure workarounds,” Dr. Wani said.
“We also found that hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices.”
Dr. Wani said to reduce the leaking of sensitive patient data, clinicians needed specialized BYOD security training, which should be promoted and incentivized by hospitals.
“This study emphasizes the importance for hospitals to establish a strong cybersecurity culture with extensive communication between clinical and technical staff, where both data security and clinical productivity are treated as top priorities,” he said.
Dr. Wani said this research offered actionable recommendations to guide hospitals in crafting secure and effective BYOD strategies.
“Addressing the cybersecurity risks posed by personal devices is critical for safeguarding patient data and maintaining trust in health care systems,” he said.
For this study, now published in the International Journal of Medical Informatics, 14 interviews were conducted among Australian hospital-based clinicians, but Professor Wani said the problem was widespread. He led previous studies on this topic, which included a literature review to identify BYOD security issues and mitigation strategies in hospitals.
He also supervised surveys and interviews with IT managers, technology leaders, and policymakers in Australian hospitals to look at security practices, challenges in implementation, and other factors influencing BYOD decisions. The surveys were conducted among 28 health care services and hospitals covering more than 100 hospitals across Australia.
More information: Tafheem Ahmad Wani et al, BYOD security behaviour and preferences among hospital clinicians – A qualitative study, International Journal of Medical Informatics (2024). DOI: 10.1016/j.ijmedinf.2024.105606
Provided by La Trobe University
