Halamka Knows Perils And Promise Of Healthcare BYOD
One of the nation's top healthcare CIOs discusses Beth Israel Deaconess Medical Center's $200K project to secure personal devices used for work.
9 Mobile EHRs Compete For Doctors'
(click image for larger view and for slideshow)
"BYOD is an unstoppable force." That's the unequivocal view of Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center. Halamka, speaking on Tuesday's InformationWeek Healthcare Virtual Event, discussed the opportunities the bring-your-own-device movement affords IT managers and clinicians alike, as well as the risks and responsibilities now placed on CIOs' shoulders.
"Although CIOs would much rather focus on the cool apps of the future or that 3D holographic iPad, compliance and regulatory imperatives are a must do," Halamka said. Much of his presentation dealt with those imperatives and the accountability associated with them.
His take-home message on how to keep patient data safe was straightforward: "Policy is no longer enough."
Until recently, BIDMC clinicians had to follow a detailed policy that outlined procedures for password protection, encryption, device firewalls, time out periods, automatic wipes and the like if they were going to use their personal mobile device to access patient data.
Unfortunately, about a year ago an unsecured personal laptop containing sensitive data was stolen from one of BIDMC's doctors, costing the medical center hundreds of thousands of dollars in legal fees and forensic analysis. At that point, the institution decided that it had to go beyond policy and put specific technologies in place to secure all devices, Halamka said.
BIDMC's IT department initially shut down all smartphone email protocols, with the exception of Exchange Activesync, which lets IT managers enforce certain settings on a mobile device.
Then, the team audited all BIDMC-purchased devices, tagging each of them and ensuring that their data was properly encrypted. Next, they turned to the personally owned devices being used to access the BIDMC network and encrypted the data on those devices, scanned for malware, and installed antivirus updates and patches as needed. Equally important, they required employees to attest to all the devices they use in the workplace, and to the fact that the sensitive data on them had been encrypted.
It was a big project given the age of some of the hardware and software. In addition to using Bitlocker and FileVault2, the BIDMC IT department had to install self-encrypting drives to secure some devices.
In total. BIMDC spent about $200,000 on the project, but as Halamka pointed out, it can cost an institution that much if it loses a single unsecured laptop.
Again, the lesson is clear: Don't wait until federal regulators come knocking at your door asking why you didn't secure a stolen iPad that contained HIPAA-related patient data. They don't want to hear that you had a policy in place and that you warned the doc to encrypt the device. Like it or not, accountability rests on your shoulders.
Join two prominent IBM healthcare executives, along with Dr. Carolyn McGregor, associate professor at the University of Ontario Institute of Technology, and Annamarie Saarinen, founder of the Newborn Foundation, to discuss how big data analytics is helping to improve outcomes and reduce morbidity and mortality among critically ill infants and ICU patients. This IBM-sponsored Webcast will take place on Dec. 17 at 1:00 p.m. EST. Register here.
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?