Health IT leaders will benefit from BIDMC's transparency over data breach

The mark of a great organization is not perfection. Rather, it's how leaders respond in the wake of inevitable mistakes, problems and PR nightmares. That's exactly what Beth Israel Deaconess Medical Center did when a stolen laptop caused a data breach that affected 3,900 patients.

Hospitals and health systems in general are adept at identifying--and perhaps more importantly preventing--data breaches on hard-wired devices. But the privacy and security of mobile and wireless devices are a newer and more challenging concern.

When BIDMC discovered the breach, it was transparent about the incident. But CIO John D. Halamka took that transparency one step further when he outlined the organization's plan to address mobile device security--and then put it online for the world to see.

The post is rich with information about how to protect mobile devices from data breaches and how to launch an internal privacy and security campaign. (For more ideas, be sure to check out 5 ways to survive a hospital data breach by FierceHealthcare's Karen Cheung.)

Halamka's post outlines the notice the organization sent out to employees in the wake of the breach, letting them know that the information services department would be conducting an "aggressive campaign to ensure every mobile device is encrypted." The program is mandatory for all staff and students, and is required for any mobile device used to access BIDMC-related systems, programs or documents, including email, clinical applications and administrative documents such as financial spreadsheets, grant information or staff lists.

He outlines step-by-step what employees must do and what IS will do in two phases--the first is to secure BIDMC-owned laptops, iPads and other tablets. The second will extend the program to other models of institutionally owned tablet computers as well as personally owned laptops and tablet computers that are used to access BIDMC-related data. IS will periodically check devices to make sure safeguards are in place and require employees to regularly change passwords on all devices and attest that they have done so.

"It is no longer sufficient to rely on policy alone to secure personal mobile devices," Halamka writes. "Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with Federal and State regulations."

Halamka promises to continue to update the HIT community on his blog, sharing lessons learned about securing mobile devices.

HIT leaders at other organizations should be sending him thank-you notes. - Gienna