Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center. Halamka, speaking on Tuesday's InformationWeek Healthcare Virtual Event, discussed the opportunities the bring-your-own-device movement affords IT managers and clinicians alike, as well as the risks and responsibilities now placed on CIOs' shoulders.
"Although CIOs would much rather focus on the cool apps of the future or that 3D holographic iPad, compliance and regulatory imperatives are a must do," Halamka said. Much of his presentation dealt with those imperatives and the accountability associated with them.
His take-home message on how to keep patient data safe was straightforward: "Policy is no longer enough."
Until recently, BIDMC clinicians had to follow a detailed policy that outlined procedures for password protection, encryption, device firewalls, time out periods, automatic wipes and the like if they were going to use their personal mobile device to access patient data.
[ Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see 7 Tools To Tighten Healthcare Data Security]
Unfortunately, about a year ago an unsecured personal laptop containing sensitive data was stolen from one of BIDMC's doctors, costing the medical center hundreds of thousands of dollars in legal fees and forensic analysis. At that point, the institution decided that it had to go beyond policy and put specific technologies in place to secure all devices, Halamka said.
BIDMC's IT department initially shut down all smartphone email protocols, with the exception of Exchange Activesync, which lets IT managers enforce certain settings on a mobile device. Then, the team audited all BIDMC-purchased devices, tagging each of them and ensuring that their data was properly encrypted. Next, they turned to the personally owned devices being used to access the BIDMC network and encrypted the data on those devices, scanned for malware, and installed antivirus updates and patches as needed. Equally important, they required employees to attest to all the devices they use in the workplace, and to the fact that the sensitive data on them had been encrypted.
It was a big project given the age of some of the hardware and software. In addition to using Bitlocker and FileVault2, the BIDMC IT department had to install self-encrypting drives to secure some devices.
In total. BIMDC spent about $200,000 on the project, but as Halamka pointed out, it can cost an institution that much if it loses a single unsecured laptop.
Again, the lesson is clear: Don't wait until federal regulators come knocking at your door asking why you didn't secure a stolen iPad that contained HIPAA-related patient data. They don't want to hear that you had a policy in place and that you warned the doc to encrypt the device. Like it or not, accountability rests on your shoulders.
Join two prominent IBM healthcare executives, along with Dr. Carolyn McGregor, associate professor at the University of Ontario Institute of Technology, and Annamarie Saarinen, founder of the Newborn Foundation, to discuss how big data analytics is helping to improve outcomes and reduce morbidity and mortality among critically ill infants and ICU patients. This IBM-sponsored Webcast will take place on Dec. 17 at 1:00 p.m. EST. Register here.