BYOD tips: Keep it simple, be nimble

Crafting a BYOD policy for your hospital or health system? Start simply, include users in your planning committee, and expect problems.
That's the advice of IT security experts who have been through the process: Michael Boyd, chief information security officer for Providence Health & Services, a Seattle-based system with 32 hospitals and more than 550 other sites; and Clark Kegley, assistant vice president of information services for Scripps Health, a San Diego-based four-hospital system.
Speaking at the HIMSS Media Privacy and Security Forum last week in San Diego, Boyd said hospital executives charged with crafting a policy for mobile devices need to approach this not as a security concern, but as a new means of bringing technology into the workplace. In other words, work with the clinicians who are using their own devices, instead of against them.
"It's a behavioral thing," he pointed out. "It's all about people."
[See also: 5 ways to succeed at BYOD.]
More than 60 percent of all industries worldwide embrace BYOD, said Mac McMillan, CEO of the information security company CynergisTek and chairman of the HIMSS Privacy and Security Task Force. In healthcare, he said, that number stands at around 85 percent, with 92 percent of that number saying personal mobile devices are in use multiple times every day.
McMillan offered some sobering numbers as well: 41 percent of users in the healthcare space don't use a password to access their device, 52 percent access unsecured networks, and 52 percent say their devices are Bluetooth-enabled and on all the time.
"Basically they are a walking accident looking for a place to happen," he said.
That's why it's important, McMillan said, to get clinicians to buy into a BYOD policy that sets ground rules and penalties. He offered a five-point plan:
- Start with a strategy – accept all devices or certain ones?
- Establish an appropriate use agreement – no jailbreaking, no turning off security apps installed by the hospital, and no blocking remote management in case of an emergency. Make sure users know what they can and can't do.
- Containerization – develop a platform that separates the corporate apps from the personal ones, so that users can continue to store personal data on their devices and not interfere with their work responsibilities.
- Monitoring – make sure the users know that the health system has the right to protect its interests on the personal device. That may mean remote-wiping the device of corporate information if it's lost or stolen, or monitoring certain functions while in use.
- Expect that this isn't a foolproof policy – be flexible, expect mistakes, and be prepared to fix them.
Boyd pointed out that he's already learned that lesson.
"Four years ago nobody was thinking that doctors were going to show up in the operating room wearing video cameras as eyeglasses," he said, but Google Glass has emerged in the hospital four times.
Kegley advised those starting out to start small, with something that can be managed. At Scripps, this began with 4,000 Scripps-issued BlackBerry devices, and a committee of clinician champions and hospital executives who worked together to lay the groundwork for expansion.
"The biggest challenge by far is that we were overthinking at first," he said. "Just secure what you must secure."
[See also: 'Ethical hacker' calls BYOD a nightmare.]
McMillan pointed out that most clinicians want to use their devices to access information or perform a clinical task in real-time, and aren't really concerned where the sensitive data goes after that task has been completed. That makes it easier to develop a platform that enables data to go through the device but doesn't reside on it, where it's more apt to be lost, stolen or misused.
As for the future, all three pointed out that BYOD may soon give way to BYOT – "Bring Your Own Thing" – as wearable sensors make their way into the market.
And McMillan offered one last bit of advice. Those device chargers in airports? Don't use them. They can very easily tap in and suck data out of the device.
By the looks of the faces in the audience, that wasn't a well-known warning.