Beth Israel Deaconess Medical Center in Boston has agreed to pay $100,000 to settle the Massachusetts Attorney General’s lawsuit over a 2012 data breach involving the theft of a physician’s unencrypted laptop. In addition to the financial penalty, the hospital will also have to revise its data security measures to ensure compliance with state and federal law. The consent agreement requires BIDMC to track and encrypt all hospital-purchased devices and to implement ActiveSync or other technology that prevents unencrypted smartphones and tablet devices from accessing personal information on the hospital’s email servers. BIDMC must also review its policies and procedures regarding portable device security and train employees on how to handle personal and protected health information.
© Copyright 2014 Steptoe & Johnson LLP. Steptoe & Johnson LLP
How to avoid a similar risk at your organisation?
i) establish your current position against the applicable legislation
ii) determine realistic goals to achieve the recommended position in terms of data protection
iii) Implement appropriate deliverable, including but not limited to a Data Protection Policy, IT Security Policy, Mobile Device policy and BYOD policy
iv) Implement standard training and audit procedures at your oganisation.