Healthcare News & Insights

3 BYOD horror stories healthcare providers can learn from

More healthcare providers are allowing doctors, nurses and other employees to use their own personal smartphones, tablets and other devices. While that may be great for productivity and patient care, it can create new risks, as shown by these three real-life BYOD horror stories. 

According to one recent survey, 72% of doctors use smartphones and tablets in their practice. That brings real benefits, such as easy access to patient information whenever the physician needs it. Often that access happens on a personally owned smartphone or tablet: the majority of hospitals (85%) allow personal devices to be brought into work, according to another poll from Aruba Networks.

Despite the benefits, those devices can put patients’ protected health information at risk, experts warn. In fact, a lost or stolen portable computing device was a primary cause in just under half (46%) of the breaches healthcare organizations suffered in 2012, according to a study from the Ponemon Institute.

Here are three BYOD security horror stories organizations experienced last year in health care and other industries — and what health IT departments elsewhere can learn from them:

Stolen laptop leads to $1.5 million HIPAA fine

One of the biggest BYOD security fears is that a personal device used for work will be lost or stolen, potentially exposing sensitive information to whoever ends up in possession of the gadget. The fear is well-founded — a lost or stolen device can have serious consequences, as shown by a recent settlement involving a Massachusetts provider.

Last September, Massachusetts Eye and Ear Associates, Inc., agreed to pay $1.5 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The charges stemmed from an incident in which a doctor’s personal laptop was stolen. The laptop was not encrypted, and before the theft it had been brought into the office and loaded with sensitive information about patients.

The lesson: Healthcare organizations should require every device that accesses EHRs or other sensitive information to use encryption, a passcode, remote wipe and similar controls. Encryption is the control that matters most, because it still holds when the device is offline, whereas a remote wipe only works if the command reaches the device before the data is read off it. It also has a regulatory payoff: under HHS breach-notification guidance, protected health information that is encrypted in line with that guidance is treated as secured, so losing the device does not by itself amount to a reportable breach. In addition to protecting patients, making the data unreadable to whoever ends up with the device helps providers avoid fines when a device is lost or stolen.

Old firewall allowed constant attacks

In addition to making sure the devices are protected, organizations also must sometimes make upgrades in-house to keep networks secure after BYOD programs are started. That was the advice given by Mississippi Department of Corrections (MDOC) network systems manager Jerry Horton when he recounted his organization’s BYOD security experiences in Baseline.

After allowing employees to bring their own devices, the organization assumed it was protected by the firewall it already had in place. It soon became clear that the firewall could no longer monitor traffic on all ports. At one point, Horton says, MDOC was being hit by attacks three or four times a week.

The lesson: Before allowing personal devices at full scale, organizations should check whether their existing network controls can actually see and inspect the traffic those devices generate, and upgrade where they can’t. In Horton’s case, MDOC added two next-generation firewalls after the initial BYOD security problems surfaced.

BYOD security policy threatens personal data

Sometimes, IT’s efforts to protect information security can cause other problems. That’s what happened recently when Mimecast CEO Peter Bauer lost a whole gallery of family photos and other personal information thanks to a BYOD policy he helped create.

The incident occurred while Bauer was on vacation with his family. His daughter picked up his smartphone and tried to guess its PIN; after five failed attempts the phone wiped itself, as the company’s policy required, according to Network World.

The lesson: Health IT departments should balance security with as much protection for users’ privacy and personal data as possible. Where the device-management platform supports it, keeping work data in a separate managed container so that a policy-triggered wipe removes only the organization’s data, not the owner’s photos, avoids this outcome entirely. Whatever controls and policies are in place, people must be informed and sign a form acknowledging they understand what the organization may do to their personal device.

The fear of losing personal data can also work to IT’s advantage when training users on BYOD security. Offering tips on protecting personal information may get people to care more about taking the proper precautions, which in turn helps protect the sensitive data on their devices.
