2012 laptop breach helped Beth Israel's security during Boston Marathon bombing

In one sense, a stolen laptop that cost Beth Israel Deaconess Medical Center more than $500,000 in lawyers and crisis experts paid off in helping the hospital deal with security issues in the aftermath of the Boston Marathon bombing in April.

Following the breach, which occurred in May 2012, the hospital brought in consulting firm Deloitte to help evaluate its privacy practices, an audit that CIO John Halamka described as a "public colonoscopy"--evaluating every aspect of how hospital employees use computers, according to an article published this week in Fast Company.

Deloitte's recommendations led to 26 new hires focused on data security and millions in costs to the hospital, plus external security audits for all its vendors.

New rules enacted as part of the security overhaul drew resistance from hospital staff, according to the article. Doctors' permissions changed as they changed positions within the sprawling health system. Some doctors didn't see a problem with viewing unencrypted patient records on their iPhones. Nurses' work on home computers had to stop.

Halamka told Fast Company that in the efforts to teach security to doctors and nurses, he's dealt with confrontation and even hate mail.

But when the marathon bombing occurred, BIDMC was determined that neither the bomber's nor victims' medical records would be leaked to the media or used inappropriately. Identifying unconscious patients who weren't carrying wallets or purses proved to be just one challenge amid the chaos.

Those records were put under the hospital's highest level of security, which the article describes as "triple-secret reverse lockdown"--and no leaks were reported. The effort included new restrictions on access for other curious doctors who were not involved in treating the victims; every doctor, nurse and hospital employee had to explain their need to access the records.

What's more, according to the article, hospital employees were repeatedly reminded via BIDMC's intranet about the importance of protecting patient privacy, including not divulging patient information on social media sites or through conversations or phone calls.

Too often, security experts say, it takes a breach before healthcare organizations get serious about enacting a security plan. The marathon bombing posed a number of unusual security challenges for BIDMC--including that its engineers were located at its off-site data center when the city went into lockdown.

In July, the U.S. Department of Health & Human Services awarded $332 million to help cities and states enhance public-private planning for public health emergencies.

To learn more:
- read the full article in Fast Company