Accepted for/Published in: JMIR Human Factors
Date Submitted: Jan 29, 2025
Date Accepted: May 12, 2025
A Socio-Technical Approach to BYOD Security in Hospitals: Development and Pilot Testing of a Maturity Model Using Mixed-Method Action Research
ABSTRACT
Background:
BYOD adoption in healthcare improves clinician productivity but introduces cybersecurity risks due to weak security controls, human error, and policy circumvention. Existing security frameworks and models are technocentric and overlook socio-technical factors such as clinician behavior, workflow integration, and organizational culture. This misalignment reduces their effectiveness in healthcare settings. Additionally, hospitals vary in structure, resources, and BYOD usage, necessitating a flexible yet structured approach to assessing security maturity and prioritizing improvements, which existing models lack.
Objective:
This study aims to develop and pilot a hospital BYOD security maturity model that integrates technical, policy, and human factors for a structured assessment and improvement of BYOD security in healthcare.
Methods:
This study employed a Mixed-Method Action Research (MMAR) approach to develop, refine, and pilot a hospital BYOD security maturity model. Built on a hospital BYOD security framework developed by the authors, the model was informed by quantitative surveys and qualitative interviews with IT managers and clinicians to assess BYOD security challenges and workflow impacts. The model was piloted at a public metropolitan hospital in Victoria, Australia, where technology managers and clinical stakeholders completed a maturity assessment survey, rating security practices and providing feedback. A 90-minute co-design workshop identified challenges and solutions for the top six priority domains. Data analysis included descriptive statistics and thematic analysis, refining the model for clarity and usability.
Results:
The model comprises 22 domains across three key dimensions (Technology, Policy, and People), each assessed on 5 maturity levels, providing systematic progression toward improved BYOD security. The Technology dimension includes domains such as Identity, Access, and Authentication Management, Device Security, and Clinical Communication, ensuring that technical controls align with hospital policies and workflows. The Policy dimension focuses on governance, covering areas such as BYOD Strategy, Regulatory Compliance, and Incident Response, to establish clear security guidelines and enforcement mechanisms. The People dimension addresses human factors, including Security Awareness Training, Stakeholder Involvement, and Security Culture, fostering staff engagement and adherence to security protocols. A maturity assessment survey conducted at a public metropolitan hospital in Victoria, Australia, revealed an overall maturity level of 2.04. Key areas for improvement included identity and access management, clinical communication security, and governance transparency. A 90-minute co-design workshop identified challenges and proposed solutions for the top six priority domains. Recommendations included implementing single sign-on, defining a formal BYOD strategy, enhancing secure communication tools, and improving stakeholder engagement.
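The abstract reports domain ratings, dimension-level results, an overall maturity figure and a set of top-six priority domains, but does not state how the ratings were aggregated. The following is an added illustration (not the authors' assessment instrument or scoring method) of one plausible aggregation: it assumes each domain is rated on the 5-level scale, that scores are plain arithmetic means, and it models only the nine domains the abstract names rather than all 22. The sample responses are constructed, not survey data from the paper. Beyond the abstract, it also flags domains where technology managers and clinicians disagree sharply, since such a gap is the socio-technical misalignment the study is concerned with.

```python
"""Aggregate BYOD security maturity survey ratings by domain and dimension.

Added illustration for this abstract; not the authors' instrument or method.
ASSUMPTIONS: each domain is rated 1-5 (the five maturity levels), scores are
arithmetic means, and only the nine domains named in the abstract are modelled.
"""
from collections import defaultdict

# Domain -> dimension, limited to the domains the abstract names
# (assumption: the model's other 13 domains are omitted here).
DOMAIN_DIMENSION = {
    "Identity, Access, and Authentication Management": "Technology",
    "Device Security": "Technology",
    "Clinical Communication": "Technology",
    "BYOD Strategy": "Policy",
    "Regulatory Compliance": "Policy",
    "Incident Response": "Policy",
    "Security Awareness Training": "People",
    "Stakeholder Involvement": "People",
    "Security Culture": "People",
}
DOMAINS = list(DOMAIN_DIMENSION)  # fixed order used by the rating vectors below
LEVEL_MIN, LEVEL_MAX = 1, 5       # five maturity levels, as in the abstract

# Constructed sample responses (not data from the paper): respondent id ->
# (role, one 1-5 rating per domain in DOMAINS order).
SAMPLE_RESPONSES = {
    "tm_1": ("technology_manager", [1, 3, 4, 1, 3, 3, 2, 2, 3]),
    "cl_1": ("clinician",          [2, 3, 1, 2, 3, 2, 2, 1, 2]),
    "cl_2": ("clinician",          [1, 3, 1, 1, 3, 3, 3, 2, 3]),
}


def _ratings_by_domain(responses, role=None):
    """Collect validated ratings per domain, optionally for one respondent role only."""
    per_domain = defaultdict(list)
    for respondent, (resp_role, vector) in responses.items():
        if role is not None and resp_role != role:
            continue
        if len(vector) != len(DOMAINS):
            raise ValueError(f"{respondent}: expected {len(DOMAINS)} ratings, got {len(vector)}")
        for domain, rating in zip(DOMAINS, vector):
            if not LEVEL_MIN <= rating <= LEVEL_MAX:
                raise ValueError(f"{respondent}: rating {rating} for {domain!r} "
                                 f"is outside {LEVEL_MIN}-{LEVEL_MAX}")
            per_domain[domain].append(rating)
    return per_domain


def domain_scores(responses, role=None):
    """Mean rating per domain across respondents (optionally one role)."""
    return {d: sum(v) / len(v) for d, v in _ratings_by_domain(responses, role).items()}


def dimension_scores(responses):
    """Mean of the domain scores within each of the three dimensions."""
    per_dim = defaultdict(list)
    for domain, score in domain_scores(responses).items():
        per_dim[DOMAIN_DIMENSION[domain]].append(score)
    return {dim: sum(v) / len(v) for dim, v in per_dim.items()}


def overall_score(responses):
    """Overall maturity: mean of all domain scores."""
    scores = domain_scores(responses)
    return sum(scores.values()) / len(scores)


def priority_domains(responses, n=6):
    """Lowest-scoring domains first (ties broken by name): workshop candidates."""
    ranked = sorted(domain_scores(responses).items(), key=lambda kv: (kv[1], kv[0]))
    return [domain for domain, _ in ranked[:n]]


def perception_gaps(responses, role_a, role_b, threshold=1.0):
    """Domains where two respondent groups differ by at least `threshold` levels.

    A large gap (IT rates a control as deployed, clinicians rate it as unused)
    signals a control that exists on paper but not in the clinical workflow.
    """
    a, b = domain_scores(responses, role_a), domain_scores(responses, role_b)
    return {d: (a[d], b[d]) for d in DOMAINS
            if d in a and d in b and abs(a[d] - b[d]) >= threshold}


if __name__ == "__main__":
    print("overall:", round(overall_score(SAMPLE_RESPONSES), 2))
    for dim, score in dimension_scores(SAMPLE_RESPONSES).items():
        print(f"{dim}: {score:.2f}")
    print("priorities:", priority_domains(SAMPLE_RESPONSES))
    print("gaps:", perception_gaps(SAMPLE_RESPONSES, "technology_manager", "clinician"))
```

With the constructed sample, the overall score lands near 2.2, the lowest-scoring domains (BYOD Strategy and identity and access management) surface first for the workshop, and the Clinical Communication domain shows a three-level gap between the technology manager and the clinicians, which is the kind of finding a purely technical assessment would miss.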
Conclusions:
The model can serve as a valuable tool for hospitals and policymakers, offering actionable recommendations to strengthen BYOD security. The pilot implementation demonstrated its practical applicability, helping the hospital identify security gaps and develop a roadmap for structured enhancements. Further validation across diverse healthcare settings will enhance its adaptability and long-term impact.
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a CC-BY license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.