ITM 350
Dr. Knapp
October 28, 2014
Risk Assessment:
BYOD in Healthcare Organization
Introduction:
For the past couple of years, a policy that allows employees to bring their own personal devices to work has become progressively popular. This policy is known as BYOD, an acronym for “bring your own device”. One of the main reasons for the policy’s growing adoption is the increase in employee productivity, since employees are already familiar with the equipment they use at work. Although this reliance on technology is efficient and produces numerous benefits in the business sector, it also brings several problems with it. Certainly, the risk of losing valuable data has become an imposing threat nowadays, making security one of the top priorities for companies. I have been hired to assess the risk of using such a policy at Spartan Home Health Care (SHHC). Healthcare organizations have a specific duty to protect their patients’ Protected Health Information, also known as PHI. The disclosure of an organization’s PHI would have considerable consequences for SHHC, because the statute passed under HIPAA holds the company accountable under federal law.
Qualitative Risk Assessment:
SHHC is a small health-care company that provides medical services directly at the homes of their patients.
They currently have 150 employees, the majority of whom use their personal computers and devices on the job. According to SHHC, the company’s technological infrastructure is composed of 30% laptops, 50% tablets and 20% desktops. SHHC is currently benefitting from the BYOD policy, as it allows employees to be more efficient and productive. The employees are already familiar with the devices they use and are able to use valuable third-party medical applications that the company does not know about and that would therefore not be available on company-owned devices. An example of such a third-party application is UpToDate, a medical database that can significantly improve the diagnosis of a disease as well as its treatment. Also, personal devices make it possible for employees to stay connected even when they are out of the office or on a business trip, which is especially important for the type of business SHHC conducts, but also when employees are on vacation or on sick leave. Despite all of the benefits and improvements in the business’s day-to-day operations, the security issues related to BYOD are still prominent and should be assessed, if not mitigated.
One of the vulnerabilities created by BYOD is that the organization has little visibility into these devices, which means it has no insight into or control over their security posture. A device used on the job could therefore be unprotected, or even infected, without the company knowing, which makes safeguarding patients’ PHI difficult. Platform-specific policies, which impose some control over devices according to the platform they run, have proven unsuccessful because the number of available platforms keeps growing. Moreover, the type of device or platform used at work matters little, since most attacks are delivered over the Internet. Consequently, if an employee connects a device used at work to a risky network, confidential information could be lost. Also, if one of the devices is infected without the company’s knowledge, it not only endangers patients’ PHI but can also take down the availability of the company’s network if the attack comes from a botnet.
Allowing BYOD on the job can also result in data breaches when employees’ devices are stolen or lost: untrusted parties could use the device to access the company’s network and retrieve any unprotected data stored on it. A threat also arises when an employee leaves or is fired. Policies for company-owned computers and devices require the employee to return the device on departure, whereas BYOD usually lets the employee leave with their personal devices, which may still contain patient data. Nowadays, however, technology such as Absolute Software allows companies to remotely wipe employee devices. Of course, this setup must be paid for, and the policy must be enforced on every device before it is allowed to access the company’s network or store confidential information. One problem with this remote-wipe capability is that devices are reset to factory settings without notice, so the employee loses their own private data. To avoid this, companies may use only the locating capability of the software, which finds stolen devices over the Internet through file scanning, registry, or key captures; the company then has to alert law enforcement to retrieve the devices. Nevertheless, the time elapsed between the loss or theft of the device and its retrieval may be too long to prevent unauthorized access to the data.
As stated in the introduction, any exposure of a patient’s PHI would breach the Health Insurance Portability and Accountability Act (HIPAA). The ramifications of such a breach would include not only legal repercussions but also great financial losses. The American Recovery and Reinvestment Act (ARRA), in effect since 2009, established a tiered civil penalty structure for HIPAA violations. These penalties would be especially significant for a small company such as SHHC.
In order to be HIPAA compliant, SHHC will need to create a BYOD policy that helps mitigate the threats mentioned above. The policy will lead to standards, guidelines, and procedures that help enforce data security. One possible policy, for example, is an idle timeout: a device locks after a set time has elapsed, forcing the employee to re-enter a password. Another is that all data on the devices must be encrypted before they can be used on the job. Moreover, SHHC could create a separate body to oversee the security of the devices, and to monitor and locate any device that is lost or that is emitting excessive traffic.
Quantitative Risk Assessment:
SHHC provided me with some insight into its current business practices, which helps quantify its current level of risk. The company currently has no control in place to mitigate the risk of an event. It has 150 employees who earn about $30 an hour. In the event of a breach, the expected cost is approximately 5 hours of lost wages per employee, a loss of $22,500. Additionally, because of the HIPAA violations, we expect ARRA civil penalties costing the company around $300,000, plus an additional $50,000 in lost revenue, since widespread news of the breach will damage SHHC’s reputation and deter future customers. The Single Loss Expectancy (SLE) therefore totals $375,000. Research has shown that the Annual Rate of Occurrence (ARO) of such an event under the BYOD policy is around 10%, since SHHC has not yet implemented any type of control. The Annual Loss Expectancy (ALE) is therefore $37,500. SHHC has the option of keeping its BYOD policy if it invests more capital in controls that mitigate the risks and thereby increase its data security.
Increasing its security may include purchasing software such as Absolute Software, which would allow the company to remotely wipe devices. Since employees may use more than one personal device on the job, the company will have to account for the cost of the software for about 250 devices; at about $100 each, this adds up to $2,500. SHHC may also want to create a separate body in the organization to monitor the devices. This body will help enforce the company’s new BYOD policy, for example by making sure that all devices are protected and that the data on them is encrypted. It will also be responsible for locating lost devices, remotely wiping the data on them, and monitoring the traffic they emit. Creating this new sector in the organization will cost about $5,500, or $8,000 in total together with the software. With these measures, the Annual Rate of Occurrence is expected to drop by 3%, from 10% to a residual annual rate of 7%. Adding the $8,000 to the $375,000 gives a new SLE of $383,000, and the new ALE is therefore $26,810. This reduces the expected annual cost of the risk by $10,690 compared to the initial position.
By contrast, SHHC could decide to ban BYOD completely, and would consequently have to purchase company-owned computers and devices. Since the company’s culture is based on mobility, with employees going to patients’ homes to provide their services, SHHC should mostly invest in laptops and tablets rather than desktops. SHHC should use the same platform for all of its devices to make them easier to manage throughout the business; for this assessment, we assume it will use only Microsoft-based devices. The average cost of a laptop would then be $700 and a tablet about $400. For the purposes of this assessment, we also assume a 50/50 split between tablets and laptops. The purchase cost of these devices would be $82,500; adding anti-virus software, monitoring programs, upgrades, etc. brings the cost to about $84,000. This is the initial cost, however; to calculate the annual cost of the investment, the expected service life of the equipment must be taken into account. For example, if SHHC plans on using the same tablets and laptops for 4 years, the annual cost would be $21,000. The company would therefore save $16,500 compared to the initial risk, and $5,810 compared to the more secure BYOD policy.
Final Assessment:
After making both qualitative and quantitative risk assessments on the subject, I came to the conclusion that SHHC should ban BYOD completely and instead invest in its own devices. The threats and vulnerabilities created by BYOD can bring substantial losses for the company, which would suffer legal and financial ramifications from a HIPAA breach as well as a loss of reputation. The numbers also support this change in policy, since the company would save more than $16,000 by investing in company-owned devices before an event occurs. The change of policy will not only save the company money but also increase its control over its devices and its employees, making the prevention of a breach much easier.