Security "Bits"

The Cost of PHI on Employee Mobile Devices? $2,000,000+

By Rich Campagna | May 2, 2014 at 9:00 AM

Two more healthcare organizations are opening their wallets to pay hefty fines to the HHS Office of Civil Rights for HIPAA violations. The offense? Unencrypted protected health information (PHI) on stolen laptops. These fines are neither unique, nor are they the maximum penalties allowed (which, BTW, can include jail time - yikes!).

Making things even more difficult for IT inside of these organizations is that doctors and nurses simply don't want to slow down for security. The argument? Slowing down for even a second could make the difference between life and death. Simply put, it's often the desire of the Chief Medical Officer that trumps all. 

The two examples listed in the article reference stolen laptops, but there is an even greater threat slowly making its way into healthcare organizations - BYOD. Employees have smart phones and tablets, and are demanding use of them, just as they are in every other industry. Healthcare organizations have a difficult enough time making the case to secure PHI on managed laptops via encryption; can you imagine taking control of and encrypting a provider's personally owned mobile device?

Making matters even more complicated, a doctor may work at two different hospitals and have email accounts at both. It is technically impossible for the doctor to install two different MDM agents on his smart phone, ceding control of the phone to both hospitals at the same time.

So you're being coerced into supporting BYOD, but folding might come at a cost of millions in fines and potentially even jail time. That decision might be painful enough to land you in the ER!

Check out our whitepaper to learn more about the Bitglass prescription for BYOD security.
