Laptop Theft Spurs Encryption Ramp Up
Beth Israel Deaconess Making Sure Mandate is Followed
Following the recent theft of a physician's unencrypted personal laptop computer, Beth Israel Deaconess Medical Center is stepping up efforts to make sure that its policy requiring encryption of all mobile devices, including personal ones used for work-related purposes, is actually followed.
The incident is a "teaching moment," says CIO John Halamka, M.D. "CIOs are not only responsible for protecting the data on computers and devices that are acquired, issued and managed [by a healthcare organization] but are also responsible for protecting the consumer end point" when personal devices are used for work, he says.
The Boston-based medical center has set up "encryption depots" that will be staffed for about 90 days, Halamka says. Six outsourced IT professionals have been assigned to encrypt iPads, tablets, laptops and any other employee-owned or medical center-issued mobile devices that are used by clinicians and others for clinical or administrative work - including checking work-related e-mail. That's because e-mails can have attachments, such as spreadsheets, that may contain patient information, he adds.
In addition to installing encryption on mobile devices that lack it, the medical center will update anti-virus software and will provide any other necessary software updates needed to protect data.
And in the months to come, employees will be asked to attest that they are maintaining the encryption and appropriate security software updates on mobile devices, whether they are personally owned or corporate-owned, Halamka stresses.
Breach as Catalyst
The ramped-up encryption enforcement program comes after the May 22 theft of a physician's unencrypted personal laptop from a Beth Israel Deaconess office. The device contained information on 3,900 patients, who are being notified of the incident.
Data on the doctor's laptop included brief summaries of medical information used for administrative purposes within the medical center, but the device did not store complete medical records, patient financial information or Social Security numbers, according to a statement from the medical center. Also included on the stolen laptop were approximately 230 administrative employees' records.
Although the stolen laptop was equipped with a tracking device, and police were notified, the device has not yet been recovered. The tracking device can be activated only when the laptop is connected to the medical center's network, Halamka says. So far, there has been no indication that any information has been misused, according to the medical center's statement.
In addition to the geared-up encryption effort, the medical center is initiating an education program to inform staff about the importance of keeping antivirus and other software updated.
"The devices will leave the depot in a secure state and [their owners informed about] what they need to do to keep soundness," Halamka says.
Encryption will take from a few minutes to several hours, depending on the device, Halamka says. "We're telling people to plan to bring the device in [to the depot] for the whole day."
Halamka estimates the entire encryption program will cost the medical center about $300,000, including staff time and the acquisition of any technology necessary to update and safeguard the security of the devices.
To help keep future tabs on compliance, Beth Israel employees also will be reminded of the encryption mandate whenever their network passwords renew, which is about every six months, Halamka says. At that time, employees will be asked to attest that the mobile devices they use, whether personally owned or corporate-owned, have been encrypted and have had all the necessary software updates installed.
Employees also will be warned that if they falsely attest to having their devices encrypted, or if they remove encryption from their devices, and then their device subsequently becomes lost or stolen, they "will be faced with possible civil fines and penalties," he says, referring to potential HIPAA violations.
A Priority Project
The improvement of mobile device security is high on the list of IT projects under way at Beth Israel during what Halamka has dubbed the medical center's "Summer of Compliance."
In an interview earlier this month, Halamka disclosed that his team has launched an 18-month effort designed to tackle key privacy and security issues to comply with state and federal regulations.
"Security is the highest area of growth of my operating budget and will eat up a third of my capital budget," he says. "It's a very significant resource area."
Beth Israel Deaconess includes a 631-bed medical center and a health system with 3,000 affiliated physicians, 14,000 employees and several affiliated Boston-area hospitals serving 2 million patients in Massachusetts.