The need for a firm enterprise mobility strategy is more critical than ever. Organizations must address their policies and make sure their approach is the right one, meaning that it aligns with business needs, organizational policies, culture, budget, IT and staff resources, and other considerations. Currently, we see three popular mobile strategy options:
• Bring Your Own Device (BYOD)
• Choose Your Own Device (CYOD)
• Corporate-Owned, Personally-Enabled (COPE)
A health services provider did not have a well-defined mobile strategy, but most of its employees used some form of mobile device. All of that changed when an executive left a work-issued laptop, which had access to over 40,000 medical records, in a locked car while running an errand. The car was broken into, and the laptop was stolen. The IT department responded by reviewing its internal mobile strategy policies to identify vulnerabilities, threats, risks, and a response strategy.
ATTACK: Physical theft of an unencrypted device.
RESPONSE: The employee immediately reported the theft to the police and to the health care system's IT department, which disabled the laptop's remote access and began monitoring activity. The laptop was equipped with security tools and password protection. Data stored on the hard drive was not encrypted; this included sensitive, personal patient data. The hospital had to follow state laws as they pertain to a data breach. The U.S. Department of Health and Human Services was also notified. Personally Identifiable Information (PII) and Protected Health Information (PHI) data require rigorous reporting processes and standards. After the theft and breach, the health care system began an extensive review of internal policies. A review of security measures with internal IT staff and ancillary IT vendors revealed vulnerabilities in the mobile device policies and strategies.
IMPACT: The health care system spent over $200,000 in remediation, monitoring, and operational improvements. A data breach does impact a brand negatively, and trust has to be rebuilt.
QUESTIONS (refer to the Data Breach Response; Guide to Business to address the questions):
1) How should the health agency respond, given that PII and PHI were compromised?
2) What are some steps you think the firm could have taken to prevent this incident?
3) Mobile strategies are susceptible to this kind of attack; how will you reduce or mitigate the risk?
Review the 'Data Breach Response; A Guide for Business' document and use the guide to address the three questions in the attached case study "Stolen Hospital Laptop Causes Heartburn". You must address the questions in a report format. You will lose 20 points if you fail to address the questions in a report format. Submit your report with your name to Blackboard.