CT 412 Unit 2 Assignment Information Security Policy Implementation Issues

Scenario:

Assignment Requirements:

• Two healthcare organizations have recently merged. 
• The parent organization is a large medical clinic that is HIPAA compliant. 
• The clinic recently acquired a remote medical clinic that provides a specialty service. 
• The remote clinic is organized in a flat structure, but the parent organization is organized in a hierarchical structure with many departments and medical clinics. 
• These organizations are in the process of aligning their operations. 
• You are asked to make major refinements to the organization’s cell phone use policy immediately.

Read the scenario carefully and then research examples of cell phone policies and implementation. Write a report citing examples of at least three successful cell phone policy implementations found in your research. Indicate how you would analyze your organization, and then how you would identify and finalize a cell phone use policy for the organization. In addition, provide a rationale as to what types of business challenges would be overcome or enhanced.

From my findings, there are many benefits to restricting cell phone use while in the work place, but also by not restricting use. The general consensus from what I have gathered is that many organizations allow use, but they sort of make policy based on what you can do. I looked at one hospital in particular, Union Hospital in Maryland, issues their employees company phones. These phones can be used while they are working for both business purposes as well as personal use. The idea behind this is that employees will leave their personal phones in their lockers or other locations while they are working and strictly use their work phone. In the event of an emergency or someone in their personal lives needs to get in contact with them, they can be reached at that number. The hospital monitors personal usage of the device and instills a policy of paying a fee for the phone if they were to go over their allotted service. Users can use their personal devices if it is an absolute emergency and they need to use it. Personal calls and texts can be placed while on breaks or lunches. The hospital also bans the use of the camera on the phone while using either their personal phones or company phone. Another source talks about the benefits of the use of mobile devices in the hospital and also how controlled devices can follow the policies from HIPPA as well as other confidential agencies.

It all depends on the organization in which the policy will be introduced. There are many companies that recognize the use of personal devices in the workplace, as long as there is no reduction in the work they are outing into their job. If I were in the healthcare industry and I was implementing a policy like this I would push more for the ability to use cell phones, whether they be personal, or company issued. I say this only because of the benefits they can have while in use with the day to day functions. Now, of course with whichever way you went, there would be restrictive policies that went into each use. There would be a push for confidentiality and HIPPA standards when using devices. I would recognize the restriction of use of certain functions of devices while in the hospital, with patients, near medical equipment, etc. Some hospitals allow employees to use their personal devices to access certain hospital applications they may use daily; there are security measures taken when doing this that would need to be looked into further and followed. Most likely thru MDM solutions or, by providing company devices that were managed by the IT staff of that building. It all depends on the function of the hospital as well. You would need to examine the day to day in if it is clearly essential for the use of a mobile device and if it is worth spending the resources and money to manage and support this service.

There are many issues that could be faced when implementing this type of policy. The main being are people actually going to follow it. The only turn key way of making sure the policy is followed is by fully controlling a employees personal device and work device. Of course, only one of these is legal and possible. You would need to look at the function at which these employees will be working. Would a personal device with limited access to hospital resources be enough, or will they need something where they can use it all the time and access more sensitive information? Another factor is the feasibility of either method. Most hospitals recognize this as best practice, that being the use of mobile devices in general. Phones you run into issues with legality and HIPPA regulations that could potentially put the hospital at risk for lawsuit. Patients could become exposed if a doctor or nurse use their device to take a selfie and post it online, with their vitals, themselves, or other records in the background. Having images of charts stored in these devices could be hacked and stolen. Also think about how difficult it could to implement a policy like this effectively without proper attention in such a large organization. There are a lot of things to evaluate when considering a cell phone use policy.