By John Oncea, editor, Healthcare Technology Online
Follow John on Twitter: @buck25
Companies that don’t plan now may pay the cost as more and more employees use their mobile devices for work
What is the cost of a security breach? For Hospice of North Idaho (HONI), it was $50,000.
According to SC Magazine, the Hayden, Idaho-based hospice paid this amount “to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)” as a result of the theft of an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients from an employee's vehicle.
The December 2012 charges against HONI made it the first health care organization to be fined for sustaining a breach that affected fewer than 500 individuals. The payment was a fraction of those made by Blue Cross Blue Shield of Tennessee ($1.5 million) and the Alaska Department of Health and Social Services ($1.7 million) for similar offenses.
As more and more employees use their own computing devices – such as smartphones, laptops and PDAs – for work, the risk of theft grows. A report released by Cisco mConcierge indicates 89% of healthcare employees use their personal smartphone for work, but 41% don’t password-protect it and over half access unsecured or unknown Wi-Fi networks. The report concludes that those “who reported owning a device they classified as a smartphone jumped 12 percent in 2012” and “as that number grows BYOD will cause security breakdowns and cost companies money.”
The cost can’t be measured entirely in dollars, however. CSC published an article on the perils of BYOD, in which it noted, “There are also intangible costs associated with compromised trust and reputation, as well as other significant costs, including harm to health, or even death.” CSC advises organizations to “design a secure way to allow employees to use their own equipment to do their work without increasing risk to the organization.”
But what of organizations that don’t want or aren’t ready to embrace BYOD? Health IT Outcomes Editor In Chief Ken Congdon addresses that issue in an article detailing a discussion that followed his BYOD presentation at HIMSS13, in which a few IT professionals told him “that since the mobile device market is so fragmented, it is going to prove too difficult to effectively secure personally-owned devices from a variety of manufacturers based on multiple operating systems.” These individuals feel the inevitable chaos will force “providers back to corporate-controlled mobile device initiatives based on Windows 8 or another standard mobile platform.”
Congdon’s response: “I couldn’t disagree more.”
Computerworld backs Congdon’s opinion, referring to the claims of some that there aren’t BYOD concerns as “just blissful ignorance.” The article predicts that “companies will demand and get more control over devices through stricter policy enactment and enforcement.” It concludes by saying “By 2015, BYOD openness will be whittled away by more enterprise controls through tighter policies and enforcement, and by an ability of the devices to be more effectively managed and secured without the need for companies deploying tactical BYOD-driven MDM.”