While technology undoubtedly has made accessing medical information much easier and faster, it has also increased the potential for medical data breaches, especially as health personnel begin to use unsecured mobile devices for both personal and work use. With more health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy. However, many companies have failed to implement mobile data breach protection, violating the HIPAA Security Rule, which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of the electronic patient health information their organization maintains. Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level. If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services.
Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million over a data breach of patient information, after a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen. Hospital and practice officials were found to have violated the HIPAA Security Rule by not implementing data protection and security on their mobile devices. The loss of laptops, portable storage gadgets like thumb drives, and cell phones has already cost insurance companies, drugstores, medical practices and even a government health and social services department millions of dollars in fines.
Unfortunately, this troubling trend doesn’t just affect the medical industry. In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats.
Key statistics from the survey:
- 84 percent use the same smartphone for personal and work usage.
- 47 percent don’t have a password on their mobile phone.
- 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.
- 49 percent said their IT departments have not discussed mobile/cyber security with them.
Clearly, companies are not doing enough to protect themselves and their employees from the high cost of a data breach. As mobile devices become more popular and less expensive, workers will naturally want to use them for their jobs. Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.