by Brendon Nafziger, DOTmed News Associate Editor | January 11, 2013
From the January 2013 issue of HealthCare Business News magazine
At first it seemed like the security prevention strategy worked. A doctor traveled to South Korea for a conference, and his laptop, which contained protected health information from his hospital, was stolen. But technology installed on the computer, called LoJack, wiped the hard drive clean as soon as it was connected to the Internet, keeping the information protected.
But what happened in those critical hours after the laptop was stolen but before it logged onto the Internet? Except for the thieves, nobody knows. As a result, the hospital had to file a breach report, and the U.S. Office of Civil Rights opened an investigation. Later, the hospital reached a $1.5 million settlement with the OCR and agreed to a three-year “corrective action plan.”
In the settlement, the OCR cited a lack of a thorough and accurate risk assessment plan that covered personal devices, according to Adam Greene, a lawyer with Davis Wright Tremaine who shared this case during a recent HIMSS webcast about BYOD, or Bring Your Own Device, policies.
“The moral of the story: you can choose whether you have a BYOD policy. Unfortunately, you can’t choose whether to have a BYOD problem,” Greene said.
Change is coming
Mobile devices are ubiquitous in health care. A November 2012 survey from EPG Health Media found nine in 10 U.S. doctors own a smartphone. However, although they’re common, many hospitals don’t have strong policies for dealing with them. A recent report by the Ponemon Institute found that while 81 percent of hospitals allowed BYOD, almost half said they don’t take any measures, such as scanning for malware, limiting downloads of sensitive information or requiring providers to sign acceptable use forms, to keep devices secure.
This is changing. Policymakers, hospital administrators and providers are all pushing for better BYOD management. In mid-December, the OCR unveiled a new campaign to encourage health care providers to be smarter about mobile device security. The agency outlined a high-level, five-step process facilities should go through: decide whether to allow BYOD, assess risks, identify a risk-management strategy with security safeguards, develop a policy and train staff.
“Ignoring BYOD does not make it go away,” Greene warned. “OCR has very high expectations for risk assessment.”
More than policy
But if hospitals allow BYOD, drafting new rules won’t, by itself, solve their problems. As Dr. John Halamka, the CIO of Beth Israel Medical Center in Boston and the author of a widely read blog about health IT issues, said in a recent presentation: “Policy isn’t enough.” Hospitals will likely have to turn to technology, too.