Health Plan Executive Warns of Risks in BYOD

Health care organizations that implement a “BYOD” policy without a game plan risk compromising the security of their enterprise, warned Timothy Zevnik, Molina Healthcare’s chief privacy officer, who spoke at the Third Annual HIMSS Southern California Privacy and Security Forum in Los Angeles on November 1.

Zevnik said many healthcare organizations are still operating in the world of “yesterday’s basic cell phone,” when the carriers were responsible for managing and protecting user information.

“Today’s smart phones have downloadable applications, many of which collect and transmit personal data,” he noted.

Zevnik said mobile health devices hold great potential for healthcare organizations to reduce the cost of treating chronic diseases; however, they also pose major security risks.

“Right now we have a complete lack of standards” for data collection and privacy on mobile devices, he said. Most current privacy laws, such as those in HIPAA, were designed for personal computers.

Most consumers don’t realize that their smart phone has a GPS receiver and is constantly transmitting information on their location. “The default setting on most mobile devices does not protect privacy,” he said. To correct this lack of privacy, he recommended that healthcare organizations implement an affirmative, or “opt-in,” setting for sharing information on mobile devices.

He said that the next generation of m-health devices could pose even more risks, since they will contain sensors which monitor bodily activity and connect to other devices.

Zevnik suggested that healthcare executives study Privacy by Design, a set of principles first formulated seven years ago by Ontario (Canada) Information and Privacy Commissioner Ann Cavoukian. The FTC has included the principles in its March 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change.”

Additional steps healthcare organizations can take to help secure mobile devices include 1) educating consumers about privacy risks and 2) requiring a strong password on each device.

The federal government is getting more active in policing data security, Zevnik said, pointing to a $1.5 million fine levied by HHS against BlueCross BlueShield of Tennessee after 57 hard drives were stolen from a data storage closet.

In addition to the fine, the health plan spent $17 million on a corrective action plan that included encrypting all at-rest data.

James Harris is president of, a healthcare technology marketing agency.
