How to separate work and personal data when using your own devices
Gugu Ntsele March 18, 2026
As Samsung Business Insights notes, personal apps, downloads, and browsing activity often operate with weaker security controls, increasing exposure to malware, phishing attempts, and data leaks. A compromised personal app can create a pathway into work email, documents, credentials, and internal systems.
Reporting by Cybernews shows that the bring your own device (BYOD) trend has expanded beyond smartphones to include laptops and personal computers, with Ivanti finding that BYOD was practiced at 84% of organizations globally, even where it was formally prohibited. Research published in JMIR Human Factors by Wani, Mendoza, and Gray reinforces this specifically within healthcare, finding that a 2021 survey of Australian hospital clinicians revealed that 87% of respondents used personal devices for work-related hospital tasks. Their study also shows that clinicians frequently prioritise immediate patient care over IT security protocols.
The solution is not to ban personal devices. Instead, organizations must invest in structured separation: a clear, enforceable boundary between the personal and the professional on the same device.
Mobile device management (MDM)
The foundation for BYOD data separation in healthcare is a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) platform. These solutions allow your IT department to create a secure, managed container on personal devices, a dedicated workspace that is isolated from personal apps and data.
Within this managed container, your organization can enforce policies including:
- Encryption of all work-related data
- Remote wipe capability for the work partition only
- Restrictions on copy-paste between work and personal apps
- Mandatory multi-factor authentication for work access
- Automatic lock timeouts on the work profile
When an employee leaves the organization or a device is lost, IT can wipe only the work container without touching personal photos, messages, or applications. It is worth noting, however, that MDM alone does not resolve the challenge. As cybersecurity professionals cited by Cybernews point out, even with MDM and endpoint detection tools in place, organizations are still exposed to variables they cannot fully control on unmanaged devices including outdated operating system patches, conflicting software, and hardware-level vulnerabilities. For regulated industries like healthcare, this can make compliance difficult to maintain.
Device-level features that support data separation
Devices staff carry may already include built-in tools that support work-personal separation. Samsung Business Insights provides several features available on Galaxy devices that are relevant to healthcare BYOD environments:
Android Work Profile sequesters all business data in a fully managed workspace, allowing IT teams to secure corporate apps without accessing personal content. Secure Folder stores work apps, documents, and files in an encrypted, access-controlled space keeping sensitive information isolated even when new personal apps are installed or the device is shared.
At the device security level, features such as remote locate-and-wipe capability, protection against installs from untrusted sources, and alerts when public Wi-Fi connections appear unsafe all contribute to a more resilient BYOD posture. As the Samsung Business Insights article notes, the goal is "flexibility for employees without compromising protection."
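As an added illustration (not code from the article, from Samsung, or from any MDM vendor), this is how a profile-owner (DPC) app would enforce the container policies listed in the MDM section and the work-profile controls above on Android through DevicePolicyManager. The package and receiver names are placeholders, and setRequiredPasswordComplexity assumes API level 31 or higher; multi-factor authentication for work access is enforced by the identity provider rather than by the device, and work-profile storage is already file-based encrypted on modern Android, so neither appears here.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/** Applies work-profile separation policies from the profile-owner (DPC) app. */
public final class WorkProfilePolicy {
    // Placeholder: the DPC's DeviceAdminReceiver subclass; replace with your own.
    private static final ComponentName ADMIN = new ComponentName(
            "com.example.hospital.dpc", "com.example.hospital.dpc.AdminReceiver");

    private final DevicePolicyManager dpm;
    private final UserManager um;

    public WorkProfilePolicy(Context ctx) {
        dpm = ctx.getSystemService(DevicePolicyManager.class);
        um = ctx.getSystemService(UserManager.class);
    }

    /** Enforce the container policies; only valid when this app owns the work profile. */
    public void apply(Context ctx) {
        if (!dpm.isProfileOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("not the profile owner of this work profile");
        }
        // Block clipboard flow between work apps and personal apps.
        dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
        // Work apps may only come from the managed store, not sideloaded APKs.
        dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // Strong work-profile lock (API 31+) and auto-lock after 2 minutes idle.
        dpm.setRequiredPasswordComplexity(DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH);
        dpm.setMaximumTimeToLock(ADMIN, 2 * 60 * 1000L);
    }

    /** Remove the work profile and its data only; personal apps, photos and messages stay. */
    public void wipeWorkProfileOnly() {
        dpm.wipeData(0);
    }

    /** Audit helper: is cross-profile copy-paste actually blocked in this profile? */
    public boolean copyPasteBlocked() {
        return um.hasUserRestriction(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
    }
}
```

Because wipeData is called by the profile owner rather than a device owner, it removes only the managed profile, which is the "work partition only" behaviour the MDM section describes.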
The human side of device security
One of the insights from the healthcare cybersecurity research is that BYOD security cannot be solved by technology alone. Wani, Mendoza, and Gray argue that existing BYOD security frameworks in healthcare have a predominant focus on technical controls such as access management and encryption without adequately addressing clinician behaviour, organizational culture, and workflow integration. This technocentric gap, they note, has been directly linked to increased vulnerability to cyberattacks.
Their research, which involved both IT managers and clinicians at a public metropolitan hospital, produced a maturity model spanning three dimensions:
- Technology — including identity and access management, device security, network security, and secure clinical communication platforms
- Policy — covering BYOD strategy, regulatory compliance, incident response, and governance
- People — addressing security awareness training, stakeholder involvement, usability, and security culture
When the model was piloted at the hospital, the overall BYOD security maturity score was just 2.04 out of 5. The policy dimension scored the lowest at 1.85, and key gaps included identity and access management, clinical communication security, and governance transparency. This finding shows that for many healthcare organizations, BYOD security is still at an early stage.
Cybernews reporting supports this: a survey by Diversified found that 89% of employees use personal devices or apps for work because they find them easier to use, and three-quarters of those employees acknowledge that company-issued devices are better secured yet still prefer their own.
Policy Controls
Every healthcare organization operating a BYOD programme must have a clear, written BYOD policy that is acknowledged by all staff accessing work systems on personal devices. This policy should address the following areas:
- Prohibited applications: Staff should be prohibited from storing patient data in personal cloud drives (Google Drive, personal Dropbox) or communicating clinical information through unapproved messaging apps like WhatsApp.
- Approved channels only: All work communication must route through organization-approved tools: encrypted clinical messaging platforms, organizational email, and approved telehealth applications.
- Incident reporting obligations: Staff must know that any suspected breach must be reported to IT within a certain timeframe.
Wani, Mendoza, and Gray found that in the pilot hospital, the absence of a formal BYOD strategy led to staff relying on a patchwork of tools, with clinicians routinely using personal apps such as WhatsApp and Messenger for clinical communication and file sharing in the absence of clearly defined, user-friendly alternatives. As they note, this is a predictable consequence of policies misaligned with clinicians' workflow and productivity needs.
Furthermore, privacy and employment law experts cited by Cybernews warn that BYOD policies which require the installation of monitoring or management software on personal devices raise concerns for staff around surveillance, access to personal data, and the blurring of professional and personal boundaries. A policy should be transparent about what monitoring is and is not taking place, and should seek to protect employee privacy alongside organizational data.
Training and culture
Wani, Mendoza, and Gray found that a "convenience-first environment" was one of the primary cultural barriers to BYOD security in hospitals. Workshop participants in their study specifically cited resistance to multi-factor authentication and mandatory updates as common friction points. Their recommended response includes change management programmes, visible leadership commitment to cybersecurity, and the use of clinical "change champions" to advocate for security measures within their own departments.
Cybernews makes the same point from a broader industry perspective, noting that the gap between IT policy and actual employee behaviour is often driven not by bad intent, but by frustration with tools that are outdated, restrictive, or poorly suited to real workflows. When employees find that personal technology simply works better than what their organization provides, they will use it regardless of policy.
Organizations should invest in regular, role-relevant security awareness training. This training should:
- Use realistic scenarios familiar to clinical and administrative staff
- Clearly explain the consequences of breaches
- Be delivered in short, digestible formats that respect the demands on clinical time
Steps to get started
- Audit current device usage: Understand how many personal devices are accessing work systems and through which applications.
- Select and deploy an MDM solution: Prioritise platforms with strong healthcare compliance support and the ability to manage both iOS and Android.
- Draft or update your BYOD policy: Engage legal, compliance, clinical leads, and HR to ensure the policy is comprehensive, enforceable, and clearly communicated.
- Run staff training: Launch targeted awareness sessions before rolling out new controls, so staff understand the changes and the reasons behind them.
- Review and iterate: Schedule quarterly reviews of your BYOD programme, incorporating incident reports, staff feedback, and evolving regulatory guidance.
Wani, Mendoza, and Gray offer a structured approach:
- Assess your current maturity across the technology, policy, and people dimensions
- Identify priority domains
- Set measurable improvement goals
- Recognise that BYOD security management is an ongoing cycle, not a one-time project
FAQs
Can an employer access an employee's personal data if a personal device is used for work?
When MDM software is installed, the organization can manage and monitor the work profile, but a properly configured MDM solution should have no visibility into personal apps, photos, or messages.
What happens to work data on an employee's personal device after resignation or termination?
With an MDM solution in place, an organization's IT team can remotely wipe only the work partition.
Is BYOD legally compliant in the United States?
BYOD is lawful, but healthcare organizations must ensure that any patient data processed on personal devices meets the requirements of HIPAA and any applicable state-level privacy legislation.