Beth Israel Deaconess Medical Center will settle with the Massachusetts Attorney General’s Office to the tune of $100,000 for causing a data breach when a laptop computer was stolen from its campus. This amount is on top of the $500,000 that the hospital paid to deal with the data breach itself (as of August 2014, according to phiprivacy.net). As many people know, the use of disk encryption software goes a long way towards preventing such “fines” from being assessed: there are legal safeguards as well as technical ones.
However, the hospital couldn’t take advantage of these for a very simple reason: the stolen laptop was the personal device belonging to a physician, and so the hospital had no direct control over its security… in theory.
Does Not Mean “Ban Personal Devices”
The data breach occurred in 2012 (that’s right, two years ago) and affected nearly 4,000 people. The laptop was a personal device. Why is BIDMC being held responsible?
According to the complaint against BIDMC [Beth Israel Deaconess Medical Center], in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.
As the quoted portion of the complaint shows, BIDMC cannot but be held accountable. They knew of the laptop’s presence and use. The physician had obtained authorization. The laptop was stolen from the hospital’s premises. Except for the question of ownership, you may as well call it the hospital’s machine for all intents and purposes as far as the data breach is concerned.
It’s About Securing Data
It’s hard to understand how BIDMC got it so wrong. The need to use encryption solutions on sensitive data had been known to the medical community well before 2012. It makes even less sense seeing how the medical center is located in Boston – meaning they have to deal with HIPAA/HITECH as well as the quite arduous Massachusetts data security laws.
Indeed, certain organizations feel that the laws are so oppressive that they actually ban the use of personal devices at work. It’s an extreme attempt at controlling the risks of a data breach. Why BIDMC decided to go the other way is a complete mystery to me. Perhaps they made the mistake of believing it was a matter of securing hospital devices: because the physician’s laptop was not hospital property, it was decided that there was no need to encrypt the device.
The problem with this approach, among other things, is that laws and regulations clearly point out that it’s the data that needs to be protected.