Conversations about BYOD began long before the “smartphone” and “iPad” were household words. As mobile technology continues to evolve and become increasingly common, however, so does the dialogue around whether BYOD is appropriate and beneficial in the healthcare realm.

Choosing to allow a physician, nurse or other staff person to bring his or her personal mobile device to work and use it to access organization information is not a clear-cut decision. Issues like data security, patient privacy and the risk of invasive malware must be balanced with physician and staff convenience and satisfaction. 

Currently, BYOD is not ideal for the healthcare setting. When not well-considered, BYOD policies can present significant risk. According to a recent Cisco study, 90 percent of Americans employed in the healthcare industry use their personal smartphones for work, and 40 percent of those mobile devices were not password protected. Additionally, 51 percent of these workers used a public Wi-Fi hotspot with their smartphone that could have potentially posed a data breach.

[See also: 3 tips to avoid BYOD breaches.]

Basically, it doesn’t matter if you’re talking about a 1,000-bed hospital or a single practitioner’s office, the parameters for BYOD are the same: No matter who owns the device, the hospital or practice is responsible for the data on it and how it’s used. If there’s a liability, the hospital or practice is ultimately accountable.

Despite the potential shortcomings, some healthcare organizations feel the benefits of BYOD outweigh the risks. Practitioners tend to be passionate about their mobile devices. They know how to use them and they don’t need significant training to navigate new healthcare apps. Plus, having providers use their personal technology means one less expense for a hospital or practice to carry. By allowing physicians and nurses to bring their own devices to work, it gives them a choice in technology, which can help with user adoption, productivity and satisfaction.

[See also: 'Ethical hacker' calls BYOD a nightmare.]

If an organization chooses to go the BYOD route, there are several key factors to keep in mind to mitigate potential risks and ensure the organization realizes the strategy’s intended benefits.

1. It can’t be a free-for-all

Every organization choosing to pursue a BYOD strategy must implement appropriate policy – and the operative word here is must. At its core, a BYOD policy should serve as a safety net, preventing someone from merely hooking up his or her personal device and starting work. More specifically, it should cover the steps IT must take to limit risk. For instance, if a doctor or clinician is going to use his or her smartphone for work, IT should vet the device before the practitioner can access the network. IT can then load the device with software and VPN, make certain the device is compatible with current organization software and install firewalls for security, among a number of other safety measures. In fact, many organizations employ unified threat management software, which can locate and track a device if lost or stolen and, if necessary, wipe the data remotely.

To keep the IT team from being swamped every time the next latest and greatest mobile device hits the market, an organization may want to designate in its policy which devices are acceptable. Additionally, consider defining what your IT team is and isn’t expected to do. If the device stops working, for example, then the clinician has to come up with another device or use one that’s assigned by the hospital or practice.

2. Keep tasks appropriate to the device

Smartphones are only so big. It’s hard enough to develop efficient usability within healthcare technology when you’re working with a standard form factor, but when a physician with the latest device asks if he can download an EHR application to view on a screen smaller than most photographs, it’s not the most efficient use of the device.

IT professionals should be prepared to discuss the best uses of a mobile device. For example, if physicians are making their rounds, they can see their patient list on their smartphone, capture some charges, refill meds, place orders and even dictate in some circumstances. While an IT team can make these tasks manageable on a smaller screen, other functions may not be so adaptable. Reviewing clinical studies or examining patient images may be challenging, if not impossible, on a smaller screen. IT departments and physicians need to work together to determine what tasks can work on a mobile device and which should be saved for a laptop or PC.

3. Be open to new ideas

Some of the most effective work gets done in the hallways of a hospital or physician practice as an IT person happens to be passing by and a physician grabs him and says, “Hey, I just got this device. Have you guys thought about … ?” It goes the other way, too. The CIO has been testing a new mobile device and says, “Hey doc, what do you think about this? Would you carry this?” IT needs to be open to conversations with physicians and vice versa. There’s no one person in the driver’s seat any longer – clinicians, administrators and IT are all at the steering wheel together.

4. It’s about boundaries

BYOD, while potentially risky, can be workable if organizations set the appropriate boundaries. Choose the devices your organization can best support, create the right policy and procedure to ensure proper use and security and set expectations with clinicians about using their mobile devices. Having a shared understanding of the importance of preserving security and reducing risk is key to ensuring an approach that supports user needs while meeting organization requirements.

This article first appreared in mHealth News, a sister publication of Healthcare IT News.