Even the best IT security policy can fail when users don't understand how to follow it properly. That was something Beth Israel Deaconess Medical Center in Boston found out recently after a stolen laptop could have exposed the personal health information of roughly 3,900 patients. Largely because of lax encryption practices, the records on the stolen device were vulnerable. The hospital's experiences following this
On May 22, 2012, a Beth Israel Deaconess Medical Center (BIDMC) physician's personal laptop containing patient information was stolen from his office, according to a BIDMC release. As data breaches go, the event's impact was relatively low. The number of patients affected was smaller than in some recent breaches, including one in April at the Utah Department of Health, in which hackers made off with the personal data of about 800,000 Utah Medicaid patients.
Furthermore, the data that BIDMC lost mainly included administrative summaries. It did not contain Social Security numbers, complete medical records or any other financial data that could be used for fraudulent purposes, hospital officials said in the release.
While the overall impact of the breach might be relatively small, this incident highlights some common issues facing health care providers in this age of BYOD (bring your own device) policies. Even with the best-thought-out policies, vulnerabilities still can persist.
A health care organization's data breach risk will never completely disappear, said Dr. John Halamka, chief information officer at BIDMC. As long as physicians need to access information, opportunities for data thieves will continue. "You hope that you can put in place the policies and technical controls that enable the access required for clinical care while minimizing risk," he said. "Risk will never be zero because you need access to data and you need to get it on multiple devices in multiple locations -- you just need to minimize risk."
Toward that end, the hospital is launching new initiatives to help employees play a bigger role in protecting patient data. No major changes will be made to existing data-protection policies, as these protocols already are relatively strong, Halamka said. All employees who access data on a personal device must encrypt the data, password-protect the device, and set it up to log out automatically after a certain amount of idle time.
What is changing is BIDMC's support for these policies and their enforcement. The hospital is planning to launch educational initiatives in the coming months. It also will set up depots where employees can drop off hospital-purchased devices so IT staff can install appropriate security software and set the devices up to encrypt data automatically. Then the hospital will offer to set up personal devices purchased by employees.
Once all of this is completed, BIDMC will require employees to attest that they have not changed any security or encryption settings each time a device password is changed. "What you do is, you educate, you assist and then you require attestation," Halamka said. "It's basically education but then leaving the individual with a fully protected device and it's their responsibility to protect it thereafter."
Still, securing mobile devices in a health care setting can be difficult. The BYOD culture of most large health providers and the increasing use of mobile devices raise questions about how to secure the data on these tools, as well as to protect the devices themselves, said Lynne Dunbrack, an analyst with IDC Health Insights.
Corporate-owned laptops and mobile devices can be fitted with tracking software, along with software that allows the hospital to wipe data or lock down the device if it is lost or stolen, Dunbrack said. This is not done with personal devices that doctors bring to the hospital, however. Additionally, many staff today use removable drives to bring files home, and the small physical size of these drives makes them vulnerable to loss or theft.
"What you saw at Beth Israel, that plays itself out on a daily basis, whether it's hospitals, physician practices or even health plans," Dunbrack said. "[BYOD] adds an extra level of complexity. It comes down to policy and how well employees follow it."
Further complicating the situation is the fact that many of the doctors who show up at a hospital each day are private physicians checking on their patients, not employees of the hospital. Since these medical professionals aren't employees, the hospital can't tell them what type of technology they need to run. Halamka compared the situation to a Toyota plant allowing workers to assemble whatever make of car they want.
Even with this drawback, allowing the BYOD environment has its benefits. Physicians can use their preferred devices to access information where and how they choose, and that can support patient care. Disallowing the use of personal devices might have certain security benefits, but it wouldn't work for a broad number of physicians who treat patients at the hospital, Halamka said.
Therefore, BIDMC will follow BYOD plans, but with limitations. One example is the technology mobile devices use to move email messages from exchange servers. The iPhone and other smartphones support ActiveSync, an email exchange protocol that is completely encrypted, Halamka pointed out. However, the iPhone also supports older protocols, such as Post Office Protocol (POP) and Internet Message Access Protocol, or IMAP, which cannot be encrypted.
"The notion of creating a policy that says, 'You cannot go buy the Apple product of your choice' isn't really going to work so well," Halamka said. "We'll tolerate BYOD, but within certain limits."
Eliminating BYOD altogether is not a viable option for most health systems, Dunbrack agreed. She acknowledged that some have taken this step, but described it as more "draconian." Physicians, particularly those with multiple admitting privileges, don't want to be made to use a different device at every hospital they send their patients to.
It might not be possible to ever completely eliminate the risk of a data breach, but health care providers have a strong financial incentive to minimize their exposure wherever possible. Estimates put the cost of data breaches at about $200 per record lost, Dunbrack said. When thousands of patients' data is lost, the cost adds up quickly.
With the high cost associated with data breaches, investing in security can actually pay off later, Halamka said. "It just becomes so apparently clear to everyone that even if you have to spend a couple hundred thousand dollars to assist everyone to get their devices and conform it with policy, it's a bargain," he said.