Inadequate cybersecurity measures and a tendency for doctors to use their personal phones for medical purposes is increasing the risk of sensitive patient data being hacked or accidentally leaked, according to a study from La Trobe University.
Personal devices used for work – known as bring your own devices (BYODs) – are increasingly used in hospitals to improve efficiency for medical professionals who work in multiple health settings. However often they are not sufficiently protected by antivirus software, passcodes, and encryption.
To conduct this study,1 Professor Tefheem Wani, a La Trobe lecturer in Digital Health Information Management interviewed 14 Australian hospital-based clinicians. He previously led a literature review to identify BYOD security issues and mitigation strategies in hospitals and has supervised surveys and interviews with IT managers, technology leaders, and policymakers in Australian hospitals to look at security practices.
Continuing to use personal devices without proper security measures means patient data is at high risk of being leaked or hacked
Patient Data at High Risk
“Some clinicians, particularly doctors, work in several different hospitals, from public to private, and also in different health settings, so a ‘work phone’ does not make sense to them when working in a highly mobile environment,” Prof Wani commented. “Continuing to use personal devices without proper security measures means patient data is at high risk of being leaked or hacked.”
Prof Wani’s team discovered that “patient data security depends on clinicians’ actions and security behaviour”. Along with a lack of security measures, clinicians may have patient data stored together with their personal data, which could lead to inadvertently leaking confidential patient information to their family and friends.
“The main concerns are the risk of a malware intrusion into hospital networks leaving the sensitive data open to hackers; inadvertent patient data sharing; and overly complex security protocols implemented by hospitals, which often drive clinicians to adopt insecure workarounds,” Prof Wani said.
“We also found that hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices.”
Prof Wani said specialised BYOD security training is needed to reduce the leaking of sensitive patient data.
“This study emphasises the importance for hospitals to establish a strong cybersecurity culture with extensive communication between clinical and technical staff, where both data security and clinical productivity are treated as top priorities,” he said.
Prof Wani said the research offered actionable recommendations to guide hospitals in crafting secure and effective BYOD strategies.
Reference
- Wani TA, Mendoza A, Gray, K. BYOD security behaviour and preferences among hospital clinicians – A qualitative study, Int J Med Inform. 2024 Dec;192:105606. doi: 10.1016/j.ijmedinf.2024.105606.
