Technological innovation has delivered a mixed bag of problems and solutions to the healthcare sector in recent years. Some hospital administrators are already piecing together their vision of a new era in clinical efficiency, complete with electronic health record (EHR) systems and a fleet of shiny new iPads to carry test results and medical histories. However, others are finding that even the tiniest health IT oversight can send them five steps back in their attempts to move forward.
The Alaska Department of Health and Social Services (DHSS), tasked with managing state Medicaid cases, recently learned that lesson the hard way via a $1.7 million settlement.
Data on the loose
The story begins back in October 2009 when vandals broke into the car of a DHSS employee. During the incident, a USB flash drive - possibly containing sensitive medical information - went missing. In accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Alaska officials immediately notified the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).
According to OCR officials, further investigation has now revealed that the risk management efforts and security controls in place at the DHSS were not up to par. Such shortcomings are more than simply frowned upon in the healthcare industry. By violating several provisions of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the Alaska agency opened the doors to compliance sanctions that have now resulted in a $1.7 million settlement that includes elaborate plans for corrective action and long-term oversight.
"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR director Leon Rodriguez. "This is OCR's first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."
While the Alaska case ended with steep consequences, it grew from some pretty humble beginnings. And upon closer examination, it could be just a taste of the potential dangers awaiting the fully-mobilized organization.
In the HHS report we saw devices traveling outside the office, employees unaware of security best practices and an auditor calling for data and hardware encryption. Starting to sound familiar to any BYOD program managers?
Losing a USB drive is scary enough, but the functionality of those dubious portable storage devices pales in comparison to that of a smartphone or tablet. And keeping with the Alaska case, I'm willing to bet the common criminal is going to be much more intrigued by an iPad sitting on a driver's seat than a flash drive that happened to be stuck in a laptop. With that said, companies need to start treating powerful portable devices like the new breed of security and compliance threats that they are.
Matching BYOD to HIPAA
As BYOD programs continue to find their way into even the most heavily regulated industries, mobile risk management has grown considerably in significance and complexity. And although security and compliance have their subtle differences, sound policy lays the foundation for each.
Federal regulators were quick to note that although the trigger incident was unavoidable, the DHSS didn't do itself any favors in preparing for potential disaster. Simply making employees aware of the risks that are sticking out of their USB port or sitting in their pockets can go a long way toward fostering consistent compliance. The fundamental risks remain the same; they have only shifted to a new platform. It is up to the IT department, then, to explain the meaningful differences contained in mobile risk management best practices by building on existing knowledge surrounding desktop compliance issues.
Technology teams must evolve their own activities as well by implementing the type of mobile device management tools that afford comprehensive visibility to ensure effective data governance and consistently compliant access control.