Wani Tafheem Ahmad, Mendoza Antonette, Gray Kathleen
School of Psychology and Public Health, Department of Public Health, La Trobe University, Melbourne, Australia.
Centre for Digital Transformation of Health, University of Melbourne, Melbourne, Australia.
JMIR Hum Factors. 2025 Aug 13;12:e71912. doi: 10.2196/71912.
Bring your own device (BYOD) adoption in health care improves clinician productivity but introduces cybersecurity risks due to weak security controls, human error, and policy circumvention. Existing security frameworks and models are technocentric and overlook sociotechnical factors such as clinician behavior, workflow integration, and organizational culture. This misalignment reduces their effectiveness in health care settings. In addition, hospitals vary in structure, resources, and BYOD use, necessitating a flexible yet structured approach to assess security maturity and prioritize improvements, which existing models lack.
This study aims to develop and pilot a hospital BYOD security maturity model that integrates technical, policy, and human factors for a structured assessment and improvement of BYOD security in health care.
This study used mixed methods action research to design and pilot a hospital BYOD security maturity model. Surveys and interviews with IT managers and clinicians shaped the model, which was trialed at a public metropolitan hospital in Victoria, Australia. Participants completed a maturity assessment and joined a 90-minute co-design workshop that prioritized 6 key domains and proposed improvements. Descriptive statistics and thematic analysis guided refinements to improve clarity and usability.
The model was initially developed with 22 domains across 3 key dimensions: technology, policy, and people, each structured across 5 maturity levels to support systematic progression in hospital BYOD security. On the basis of participant feedback during the refinement process, 2 training-related domains were merged, resulting in a final model with 21 domains. The technology dimension includes domains such as identity, access, and authentication management; device security; and clinical communication, ensuring technical controls align with hospital policies and workflows. The policy dimension focuses on governance, covering areas such as BYOD strategy, regulatory compliance, and incident response, to establish clear security guidelines and enforcement mechanisms. The people dimension addresses human factors, including security awareness training, stakeholder involvement, and security culture, fostering staff engagement and adherence to security protocols. A maturity assessment survey conducted at a public metropolitan hospital in Victoria, Australia, revealed an overall maturity level of 2.04. Key areas for improvement included identity and access management, clinical communication security, and governance transparency. A 90-minute co-design workshop identified challenges and proposed solutions for the top 6 priority domains. Recommendations included implementing single sign-on, defining a formal BYOD strategy, enhancing secure communication tools, and improving stakeholder engagement.
The model can serve as a valuable tool for hospitals and policy makers, offering actionable recommendations to strengthen BYOD security. The pilot implementation demonstrated its practical applicability, helping the hospital identify security gaps and develop a road map for structured enhancements. Further validation across diverse health care settings will enhance its adaptability and long-term impact.