An article at fastcompany.com tells the story of how Beth Israel Deaconess Medical Center (BIDMC) was able to prevent a data breach when a bomb went off at the Boston Marathon earlier this year. Perhaps ironically, BIDMC was only able to do so because it had experienced a significant data breach the previous year, when a doctor’s laptop computer was stolen. The lack of encryption on that laptop had led to significant changes at the hospital.
Setting aside the more tragic aspects of what happened that day, the piece shows why you want to be prepared for the unlikely event of a HIPAA data breach.
Terror Suspect Brought to BIDMC
What are the odds that a terrorist will be treated at your local hospital? Virtually nil, assuming that there isn’t a physical war going on in your own backyard. And yet, that’s the situation BIDMC was facing in the aftermath of the Boston Marathon bombing.
Medical personnel were already busy with their valiant efforts to treat victims when Dzhokhar Tsarnaev was brought in for treatment. As Tsarnaev was the central figure of the tragedy, his presence at BIDMC meant the hospital would face a challenge:
For Halamka’s [BIDMC CIO] department, ensuring that systems stayed online and maintaining the privacy of patients was essential. In his prior life as a surgeon in Los Angeles, Halamka saw how journalists would try any trick in the book to get a scoop on a breaking celebrity story. From BIDMC’s perspective, there was a real risk someone would attempt to steal the medical records of Tsarnaev or the victims. This would hinder the hospital’s ability to provide care and risk exposing it to lawsuits.
Had the hospital not updated its security policies and technology after its data breach in 2012, who knows what would have happened? The odds of a breach could have been high; the 2012 laptop theft occurred in an access-restricted area, after all. Had a breach occurred, the Office of Civil Rights would have had to launch an investigation – could anything be more high profile than this? – and I doubt that they would have let things slide just because the event itself was so improbable.
Being prepared paid off big time for Beth Israel, although it cost the hospital $500,000 to get there (the amount it spent cleaning up after the laptop theft).
Think “When,” Not “If”
The odds of a US hospital facing the same situation again are very low. However, the odds of a data breach occurring remain very high. Hospitals may have restricted areas, but they tend to be open environments because of the nature of what they do: when seconds can determine life or death, locking doors or making medicine closets impregnable, important as they may be, are not at the top of the list. Obviously, this means the chances of something being stolen will remain high. It will always be a matter of “when,” not “if.” “When will we experience a data breach?” is the real question medical establishments ought to be asking themselves.
While that particular bell tolls for all HIPAA covered entities, you can distance yourself from it as much as possible by implementing the appropriate and needed solutions (even if they are not listed as “required” under the guidelines), such as medical laptop encryption and other data security measures.