The bring-your-own-device (BYOD, also called consumerization) era is upon us. CIOs familiar with BYOD security whom we’ve interviewed at HIMSS and the PHI Protection Network tell us that there’s no way to stop it; you can only contain it. If you’re lucky.
While presenting the risks of allowing BYOD to senior hospital leadership, don’t forget the biggest risk of all: inaction or an outright ban. Employees will use their smartphones to text each other about patient care matters, which probably won’t amount to HIPAA-compliant practice. They’ll email patient data to each other. Physicians will set up rogue wireless access points to support the devices they bring in, opening up your network to unsavory outside entities who cannot believe their good fortune in finding a backdoor to financial and medical identity theft.
Without policies to enforce and security software to monitor devices, lock down the network, encrypt data and remotely wipe lost or stolen devices, the cost of inaction could very well be a data breach in your organization’s near future. The costs of a data breach, including detection, remediation, support for patients harmed, investigative activities, federal fines, possible civil litigation and overall harm to a health care provider’s reputation, are potentially staggering.
That’s becoming more and more evident as the HIPAA omnibus rule goes into effect in late September. The new regulation not only brings stronger, more specific privacy and security requirements to health care providers and their business-associate partners, but it also triggers a new system of audits. Even if your facility hasn’t experienced a data breach, HIPAA auditors may drop by for an in-depth review of your patient data protection strategies.
One piece of the HIPAA rule has yet to be established: what percentage of the fines a patient who reports HIPAA violations to the federal government will receive, a sort of whistleblower reward. Rest assured, that piece of HIPAA’s update for the digital age should be incentive enough to get senior leadership buy-in for IT security, and for a more HIPAA-compliant technology infrastructure.
This was first published in May 2013