Medicine is Mobile. What Does That Mean for Security?

“New medicine is mobile, miniature and you can play angry birds on it. But what does that mean for security and privacy?” (Jo Ellen Whitney of law firm Davis Brown)

The Massachusetts Eye and Ear Infirmary (MEEI) received a $1.5 million lesson in HIPAA and mobile device security earlier this month. Not because MEEI lost patient protected health information (which it did), but because it did not have adequate protections in place for mobile devices. Adam Greene and Rebecca Williams (Davis Wright Tremaine) provide the context:

“A physician affiliated with MEEI was lecturing in South Korea when his personal laptop was stolen, containing protected health information of about 3,500 patients/research participants. [T]he laptop allegedly was password protected and contained a ‘LoJack’ tracking device that indicated that … software needed to access the PHI was not installed. When it was determined that the laptop could not be retrieved, its hard drive was remotely wiped. Accordingly, the risk from the breach seems very low.

What the HHS Office for Civil Rights (‘OCR’) investigation revealed, however, is that MEEI allegedly did not have an adequate risk assessment or safeguards in place with respect to electronic PHI that is created, received, transmitted, or maintained on portable devices.”

What can the rest of the healthcare world learn from MEEI’s lesson? Plenty:

Greene and Willliams (Davis Wright Tremaine):

  • “Security for portable devices requires special attention. Don’t forget laptops, tablets, mobile phones, PDAs, and the like in both the risk analysis and the resulting policies, procedures, and processes.
  • ‘Bring your own device’ is a challenge for all organizations. Remember to include such devices in risk analyses and risk management.
  • It is not just the breach, but what is revealed in the subsequent investigation. We have seen relatively minor breaches result in significant penalties because of allegedly inadequate underlying risk assessments or safeguards.”

Whitney (Davis Brown):

  • “Auto destruct for lost or missing devices;
  • Ensure consistent security configuration;
  • Centrally log/manage distribution of devices”

M. Daria Niewenhous and Dianne Bourque (Mintz Levin):

  • “Encrypt laptops and other portable devices.
  • Keep track of portable devices.”

Read the updates:

Follow @HIPAAWatch on Twitter>>