Status of bring-your-own-device (BYOD) security practices in Australian hospitals – A national survey

Objective The use of personal devices for work purposes (BYOD) is in high demand among healthcare professionals as it improves productivity. However, it can also lead to an increased risk of leaking sensitive patient information, being a major challenge for hospital management. The authors identified a dearth of empirical studies concerning BYOD security practices in hospitals. Hence, the aim of the paper was to report BYOD security practices in Australian hospitals through a national survey, first of its kind. Methods Online survey was conducted among hospital IT personnel, enquiring about BYOD security practices. 28 responses were collected (21 hospital groups; 7 standalone hospitals), representing approximately 100 public hospitals. Descriptive statistical analysis and cross-tabulation were carried out on survey data. Results BYOD was generally allowed across most device types (smartphone:100%; tablet:70%; laptop:70%) and operating systems (apple:100%; android:96%; windows:74%), but generally for the use of basic services such as email (100%). Majority of hospitals use generic security technologies (firewall:87%; two-factor authentication:70%; VPN:65%), whereas BYOD specific technologies (MDM:43%; containerisation:39%; UEM:4%) haven't been widely adopted. Less than half of the surveyed hospitals have a BYOD policy (45%). Staff education though provided in majority of surveyed hospitals (60%), is not comprehensive and regular. Lack of engagement with clinical staff for BYOD strategy development was also found (23%). Conclusion This research provided a comprehensive view of socio-technical BYOD security practices in Australian hospitals, highlighting its strengths, weaknesses, and the consequential implications, which can therefore provide useful insights for hospital IT executives and health departments.