How Your Own Laptop or Smartphone Can Wreak Havoc at Work

Paul Cerrato, MA

The Security Risks Are Real

Although such innovative apps offer convenience and mobility, Kvedar emphasizes the need for security as well. To keep employees' identities from being stolen, and their devices from being snared by corrupted Angry Birds apps, infected e-mails, and phishing scams, medical practices need to think proactively.

At Partners Healthcare, for instance, employees routinely get a message on their mobile device to change their password at regular intervals. If Kvedar wants access to email on the Partners network, he has no choice but to comply. And if by chance he were to lose his smartphone or tablet in the mall, he's covered. "If someone tries to log on and fails 10 times, it will automatically wipe itself clean," eliminating any sensitive patient data -- and the risk for steep HIPAA-related fines.

Like many other experts in healthcare IT, Kvedar drove home the need for encryption on every device that touches a practice's records, a requirement that too many practices continue to ignore. Encryption converts the information entered into a device into a string of characters, called ciphertext, that cannot be easily deciphered by anyone who doesn't hold the key. Anyone authorized to read the protected text uses a decryption key and algorithm to recover the original message. The more complex the encryption system is, the harder it is for hackers to break in, but, as you might expect, the more expensive the protection becomes.

In 2012, Massachusetts Eye and Ear Infirmary (MEEI) and Massachusetts Eye and Ear Associates had to pay $1.5 million to the US Department of Health and Human Services (HHS) because a doctor's unencrypted laptop was stolen and patient data were breached. And in the case of MEEI, the problem went deeper than just a lack of encryption. The HHS incident report pointed out that the organization had not done an ongoing risk analysis to determine where their data network might require shoring up.[3]

This lack of preparedness is a recurring theme among many small to medium-sized practices. Steve Collignon, chief information security officer at Cardinal Health, a healthcare services company specializing in the distribution of pharmaceuticals and medical products, says, "Doctors tend not to care too much about security...Their number 1 goal is treating the patient, not securing the device."

Tools That Will Help Boost Your Security

Although that priority should never change, physicians need to place security higher up on the to-do list if their practice hopes to avoid costly fines. Collignon mentions several technological tools that can address these issues; among your options, he says, is mobile device management (MDM) software, including systems made by Good Technology and Symantec.

Before considering such solutions, however, hospital administrators or physicians have to decide whether they want the practice to own all the mobile devices that their providers use to access patient data, or whether they will allow doctors to connect with their own devices. In general, practice-owned devices can be made much more secure than personal devices. With that in mind, some practices will opt for the safest approach and simply insist on no BYOD.

The decision to forbid or allow personal devices into a medical practice depends on its financial resources and technological capabilities. Adequate security can get expensive, and a practice with limited resources has to weigh those costs against the pushback from staff physicians who want to use their own devices. On the other hand, if you already have a contract with a computer services company, it may be able to provide the security services you need. If the practice has 1 or more tech-savvy clinicians on staff, you may even be able to secure BYOD devices without bringing in outside vendors.