Nextech Blog

The latest news and information regarding electronic medical records, practice management software, HIPAA, and security from Nextech.

Regulatory & Compliance | Security & Data Management

By: Nextech
April 7th, 2015

The protection and security of electronic medical records is a topic of growing concern. While the public may be focusing on the issue of breaches due to recent data hacks, the Office of Inspector General is turning its attention to EHR fraud. The OIG is calling for the Centers for Medicare & Medicaid Services to address the issue of EHR fraud vulnerabilities. In a March 2015 report, the OIG claimed that the agency has not adequately implemented fraud safeguards. "HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report.

Security & Data Management

By: Nextech
March 31st, 2015

Just about any business, especially in healthcare, is likely already covered by some kind of general liability insurance. Such policies are standard, providing coverage for events such as bodily injury and/or property damage that result from the insured’s operation, product, and/or building/site. However, these types of policies were created long before the days of cybercrime. They were never meant to cover liability or loss from things like cyberattacks and data breaches. Therefore, these policies rarely if ever cover losses due to cybercrime. In fact, just about all general liability policies now come with very specific language about the fact that they do NOT cover such losses or costs due to cyber-incidents. This means many businesses have no choice but to turn to cyber insurance… and so they should.

Security & Data Management

By: Nextech
March 30th, 2015

Some readers might remember the Anthem data breach, in which around 78.4 million people had their records compromised, that I briefly mentioned at the start of our cybersecurity blog series. At the time, the cause of that breach had not yet been made public. By a funny (or, perhaps not so funny) coincidence, it turned out to be the result of spear-phishing (which that article covered) and was further compounded by factors such as Anthem’s lack of data encryption and their poor password security practices. One would think that the catastrophic and very public data breach at Anthem would have served as a strong warning to other such organizations, and that they would have taken steps to prevent the same from happening to them.

Regulatory & Compliance | Security & Data Management | Healthcare Technology

By: Nextech
March 17th, 2015

Welcome to the final installment of this blog series—creating a healthcare BYOD policy. You need one of these for a number of reasons. First and foremost, it’s a HIPAA/PHI issue. All the security tools in the world are powerless in the face of human error, and mistakes happen. If and when you have a lost/stolen device, one of the first things HHS is probably going to ask for is a copy of your office’s BYOD policy. Trust me, “What policy?” is not an acceptable answer.

Security & Data Management | Healthcare Technology

By: Nextech
March 16th, 2015

Anyone in the healthcare industry who plans on adopting a BYOD environment needs to be aware that HIPAA standards strongly recommend (though they do not require) “encryption of all corporate email, data, and documents, in transit and at rest, on all devices” that contain Protected Health Information (PHI). The law does not specifically state that you are required to have encryption. Instead, it just says that healthcare providers with BYOD are “asked” to have it. However, what do you think would happen if and when a PHI breach occurred because your office had a lost/stolen device that wasn’t encrypted? Do you think HHS would show mercy and just decide to let it pass this time?

Security | Regulatory & Compliance | Security & Data Management | Healthcare Technology

By: Nextech
March 13th, 2015

Now that you’ve had some time to weigh the pros and cons of adopting BYOD, it is time to start working up an adoption plan. For any workplace, this requires researching and investing in certain mobile security tools. It also means addressing a number of key infrastructure and staff issues. Those in the healthcare industry must consider issues such as maintaining devices and network security, just as any other workplace would. However, those in healthcare have additional components they must take into consideration when it comes to BYOD—HIPAA compliance and securing Protected Health Information (PHI). As already mentioned in Part 1, HIPAA violations and PHI breaches can be extremely costly.

Security & Data Management | Healthcare Technology

By: Nextech
March 12th, 2015

What is BYOD? For those who may not already be familiar with it, BYOD stands for “Bring Your Own Device,” and it refers to the practice of allowing employees to bring and utilize their own computing/mobile devices—smartphones, tablets, laptops, etc.—within the office/company to be used for business/work purposes, including allowing them to connect to a company’s secure network with said devices. A plethora of blogs and news articles on the topic of BYOD have been popping up all over the internet in recent years. While some articles express various apprehensions and concerns about BYOD, often claiming it presents an unsolvable security risk situation, a great many more of these articles point to BYOD as the “new normal,” a necessity of conducting business in the New Media Age. Whether for or against the practice of BYOD, however, it seems as if everyone is going to have to accept it at this point, because it looks like it’s here to stay.