BYOD (Bring Your Own Device) can be costly in the long run…try $1.5 million

Massachusetts provider settles HIPAA case for $1.5 million


Personal mobile devices in the workplace are an increasing concern for security and IT professionals everywhere – but in healthcare they can be costly even to small practices.

In September 2012 a Massachusetts provider agreed to pay the U.S. Department of Health and Human Services $1.5 million to settle potential HIPAA violations when an unencrypted personal laptop containing electronic patient prescription and clinical information. Did what? What happened?

Read the full article here.

It’s not uncommon for providers to use a laptop or iPad both in a clinical setting and at home. Transporting a device that holds clinical or patient data increases the opportunity for a privacy breach through theft or loss.

For small medical practices, it might seem to make sense from a cost standpoint to have one device share both professional and personal duties, but without the right safeguards in place it can cost much more than the sticker price. According to a Ponemon Institute research report, more than half of employees are using their personal mobile devices in the workplace.

Every practice should define and document how mobile devices will be used before introducing them to the internal network. A few things to consider:

  1. What are the risks of these devices to the organization?
  2. Will they store or transmit health information?
  3. Have you identified a mobile device risk management strategy?
  4. Have mobile device policies and procedures been developed and documented?
  5. Have you conducted training for providers and other professionals?