Security "Bits"

The $650,649 iPhone Heist

By Rich Campagna | March 7, 2017 at 11:26 AM

Last year, a stolen iPhone cost Catholic Healthcare Services of the Archdiocese of Philadelphia $650,649. Yes, a single iPhone. And no, it wasn't jewel encrusted or wrapped in a pure platinum case. It was a run-of-the-mill iPhone that happened to contain the protected health information (PHI) of 412 nursing home residents. Unfortunately, the iPhone in question was neither encrypted nor password protected. The combination of PHI and the lack of a secure configuration meant a huge (and costly) HIPAA violation.

The Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), is the governing body that maintains and enforces HIPAA regulations. In this case, OCR's investigation found that the organization failed to implement the protections required by the HIPAA Security Rule. Specifically, it lacked any control over the device: no password protection, no encryption, and no ability for the organization to wipe corporate data off the device.

Despite these being very basic security controls, this type of scenario is far too common. The tools commonly used to solve these issues, MDM products, suffer from major deployment challenges and employee privacy concerns. The result is that employees push back aggressively against having "IT big brother" on their devices, and oftentimes win. That win comes at a cost - a ticking time bomb of non-compliance.

In this case, OCR levied a massive fine of $650,000 against the organization (plus the high costs of credit monitoring services, lost business as a result of bad press, and more). The extra $649 in this post's title is the far smaller cost of replacing the iPhone itself, less than 0.1% of the overall cost!

Fortunately, the next generation of secure mobility solutions has hit the market. Initially focused specifically on cloud apps, cloud access security brokers (CASB) have evolved to provide protection for all data that has moved beyond the firewall, across both cloud applications and BYOD. The best part? They are entirely agentless, meaning employee pushback and deployment challenges are a thing of the past.
