- Beth Israel Deaconess Medical Center (BIDMC) CIO John Halamka recently gave insight into how his organization used a stolen laptop as a learning experience that better prepared BIDMC for protecting patient and marathon bombing suspect Dzhokhar Tsarnaev’s medical records.
In an interview with fastcompany.com, Halamka described the various layers involved with keeping Tsarnaev’s private and how it dealt with the logistics of Boston being on lockdown. Tsarnaev’s patient data was an obvious target for journalists or someone trying to make easy money off of TMZ.com.
Less than a year prior to Halamka being tasked with keeping the data of the most wanted man in Boston safe, BIDMC had to deal with the theft of an employee’s unencrypted laptop that contained Excel spreadsheet with names and diagnoses for more than 4,000 patients. In all, BIDMC had to spend $500,000 in data breach remediation and there was also an instance of patient radiology data being sent to a random IP address in China after a technician failed to remove IP addresses during software updates. To prevent future occurrences, it hired auditing giant Deloitte.
Deloitte came in and analyzed every nook and cranny of BIDMC’s infrastructure to see how data flows, who has access to which types of data and what the organization currently had in place for safeguards. Additionally, BIDMC had to hire 26 new employees as part of the security makeover. Determining which data is at the top of the priority list isn’t easy and Halamka was flummoxed by how little some cloud vendors had done in terms of external auditing. BIDMC also wanted to beef up internal user monitoring and implement a level of role-based access so restricted records were viewed by the appropriate employees.
Fast forward to the marathon bombings and BIDMC and Halamka had the technology and policies in place to keep victims and suspects’ data protected and put even higher security flags on those involved with the bombings. Employees were reminded that they needed to use strong discretion, even if Tsarnaev was the patient. They were successful in maintaining the integrity of the data, even if the feedback from clinical staff wasn’t necessarily positive. “After the marathon, I lived information security. I’ve dealt with both confrontation and hate mail,” he said to fastcompany.com.
One of the more noteworthy parts of the article was the way in which many employees look past HIPAA as not being essential to keeping their jobs. Obviously, BIDMC was able to learn from past mistakes and take Deloitte’s advice seriously, but what if the same situation happened elsewhere? Would the healthcare organization have had the same level of security in place and the right policies to enforce the required discretion?