Failing to protect your mobile network: The cost for hospitals

The following is an excerpt from an article published in the FierceHealthIT's eBook "Best Practices for Securing Your Mobile Network." Download the eBook here to read more.

When it comes to protecting your mobile network, you can either pay now ... or pay later.

It's not an inexpensive proposition to pony up for security measures. But a failure to spend money up front to protect patients' protected health information (PHI) can potentially cost an organization millions of dollars down the line.

Just ask John Halamka, chief information officer for Beth Israel Deaconess Medical Center, a 631-bed teaching hospital in Boston. Each of his facility's reportable privacy breaches has cost more than a million dollars and has involved a single stolen mobile device, he says.

As well as the cost of responding to a data breach, one of those thefts cost the medical center a $100,000 fine as part of a consent judgment with the Massachusetts attorney general in 2014. The AG's office alleged that BIDMC failed to protect the PHI of nearly 4,000 patients and employees and required the organization take steps to prevent future violations. As part of the judgment, Halamka says he is required to encrypt, track and audit every mobile device on the medical center's network.

The judgment stemmed from the theft of a private laptop computer. In May 2012, a person gained access to a physician's unlocked office on the medical campus and stole an unencrypted personal laptop computer left unattended on a desk. The laptop was not hospital issued but was used by the physician with the medical center's knowledge and authorization on a regular basis for healthcare business, according to a statement from the attorney general's office. The laptop contained the PHI of 3,796 patients and employees, despite the hospital's policy that requires employees encrypt and physically secure laptops containing personal information and PHI.

Beth Israel Deaconess, which boasts more than 1,200 physicians on its active medical staff, continues to put resources into protecting patient data, Halamka says.

Those efforts range from risk management and logging and-monitoring activities to awareness training and endpoint security. The hospital's board has authorized $3 million in capital and added five full-time employees to its operating budget for 2015-2016 because, as Halamka says, the cost of a single breach can easily spiral out of control.

To read the rest of this and other articles, download FierceHealthIT's free eBook, "Best Practices for Securing Your Mobile Network."