Beth Israel Deaconess Uses Lessons Learned To Protect Bombing Patient Data

Posted on August 23, 2013 | Written By

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

When terrorists exploded bombs at the Boston Marathon, Beth Israel Deaconess Medical Center was one of the hospitals that received patients injured in the attack. With world attention focused on the event and its aftermath, it wouldn’t have been surprising if someone managed to breach the patients’ medical information.

But as it turns out, BIDMC was able to keep private not only injured victims’ data, but also information on the condition of bombing suspect Dzhokhar Tsarnaev, reports iHealthBeat. BIDMC CIO John Halamka told a conference this week that his facility was able to keep the data secure in part due to lessons learned from a data breach involving a stolen laptop.

During his presentation at the meeting, Halamka explained how the facility tightened up security after a July 2012 incident where a physician’s personal laptop.

The incident, which required the hospital to notify about 3,900 patients about the data breach, led the hospital to immediately change its encryption policies for any device hospital personnel used that could contain protected health data, iHealthBeat reports. BIDMC also improved security in office buildings and launched a campaign to increase awareness regarding data security.

What’s more, after a second data privacy issue came up, BIDMC retained Deloitte to audit how employees use computers and personal devices. Deloitte ended up recommending adding messages to portals to remind employees to take care with data; creating 26 new staff positions; deciding which records were the most restricted; and updating doctors’ record access permissions when they were given new job titles, iHealthBeat says.

When the Boston Marathon event took place, Halamka was able to build on these precautions. Specifically, he took steps to make sure doctors working in the emergency department weren’t able to access patient records out of curiosity. IT leaders restricted access to the victims’ and Tsarnaev’s data, requiring employees who did seek access to explain why they did so, iHealthBeat said.

Health data security measures like those at BIDMC are too seldom implemented in full, as the countless reports of data breaches at hospitals demonstrate. But they’re increasingly necessary, particularly as mobile devices bring new layers of risk and health data becomes more of a target for criminals. Unfortunately, given the desirability of health data as a target, this is a problem that can only get worse before it gets better.