When Computers Retire

A decade ago, it would have been commonplace to walk through the utility storage area of a major hospital or imaging center and see carts of old computers being ‘stored’ until they were properly discarded. Fast-forward to 2011, and you’d be hard-pressed to see such haphazard treatment of computer devices that house vital, private information—or that’s the hope at least. Teeming with patient data and proprietary information, computer equipment from healthcare facilities needs to be properly disposed of to protect patients, providers, and the healthcare organization.

According to Jim Kegley, president and CEO of U.S. Micro Corporation, the need for proper computer disposal is greater today than at any other point in time, primarily as a result of the HITECH Act. As Kegley explains, the act, which expanded HIPAA privacy and security protections and mandates that healthcare organizations notify patients when their information is breached, requires hospitals and healthcare providers to safeguard patient data, particularly at the most vulnerable stage of an asset’s life—the end.

“Hospitals are also seeing an explosion of data-bearing technology devices, including more mobile forms of devices, as a result of the HITECH Act, which are intended to increase the use of electronic health records by physicians and hospitals,” Kegley says. “Consumers and patients now expect a higher standard of data security as there is a greater overall awareness by the patient community of the negative implications of a breach on their personal information.”

Out With the Old

Healthcare facilities continue to make mistakes when it comes to the proper handling of retired computer equipment. “Recently, BlueCross and BlueShield of Tennessee had hard drives that were stolen while awaiting shipment to a destruction vendor. This highlights the importance of securing the data on all devices upon retirement,” Kegley says.
Data breaches cost healthcare organizations nearly $6 billion annually, according to the “Benchmark Study on Patient Privacy and Data Security.” The report also found each data breach costs $2 million per organization over a two-year period.

How do such significant oversights occur? As Kegley points out, hospitals, which historically have understaffed IT departments and face constant pressure to reduce costs, are oftentimes guilty of not committing people and financial resources to manage patient data contained in a retired computer.

“As an example, a hospital may not commit the in-house IT staff resources necessary to perform Department of Defense [DoD]-compliant multipass data-cleansing specification hard drive wipes on PCs at the time of retirement but opt to allow this important function to occur off site at a vendor’s location,” Kegley says. “While this decision may save on precious in-house IT staff time, a hospital has now exposed itself to greater liability if a PC is lost or stolen in the transportation process or while stored at the vendor’s facility.”

And as Walker points out, some hospitals have actually sold their old systems to recyclers that pay for them by the pound. “This is very bad news,” she says. “Recycling of computers properly costs money. So if an entity offers a hospital a price per pound for their old computers or offers to recycle them for free, then the hospital should be very alarmed. These recyclers typically sell those computers to emerging markets without proper data sanitization. Some hospitals have actually landfilled old computers. And believe it or not, some have actually incinerated their old computers.”

Data Wipe

“Many technology devices can be resold on the secondary market, particularly devices less than five years old,” Kegley says.
“Devices older than five years typically do not have legitimate resale markets and should be properly recycled by a qualified provider.”

What’s more, the types of technology should determine the ways in which a device should be disposed of. “As an example, many hospitals are still unaware that most copiers purchased in the last seven years contain hard drives that store data,” Kegley says. “If a hospital is not aware that particular devices have the ability to store data, they might allow these devices to be resold upon retirement into the secondary market, thereby exposing themselves to a costly breach.”

Determining whether a hospital is properly discarding retired equipment generally should begin with an in-depth analysis of policies and procedures. “A good overall guiding principle should be to never allow hospital data to leave the hospital and have a process to ensure compliance with this policy for every device that is retired,” Kegley says. “After developing its policies and procedures governing computer disposal, a hospital can then evaluate whether to perform many of the functions related to disposal using its own staff, engaging a highly qualified IT asset disposal [ITAD] service provider, or a combination of the two.”

Options exist for hospitals to create security-conscious disposal programs that can be cost-effective or even produce net monies. “However, hospitals must be particularly concerned with not taking shortcuts or trying to avoid legitimate costs when retiring technology assets,” Kegley says.

Walker adds that responsible IT recycling partners charge a fee to pick up old computers, wipe the disk drives to DoD specifications, and remove asset tags, among other services. “This fee is generally offset by a revenue-sharing agreement between the hospital and the recycler,” Walker says.
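Kegley’s remarks above about DoD-compliant multipass wipes and about never letting hospital data leave the building both depend on one thing the article leaves implicit: someone must confirm that a wipe actually covered the whole medium before the device is released. The script below is an added example, not code from the article or from any vendor quoted in it. It reads a zero-filled drive image back in chunks and reports any residue, and it walks a constructed sample image through an unwiped, half-wiped, and fully wiped state so the failure mode (a tool that stopped partway through the device) is visible. The function names (`scan_for_residue`, `zero_fill`, `build_demo_image`, `demo`) and the sample record bytes are assumptions chosen for this example; the single zero pass stands in for whatever sanitization method a hospital’s policy mandates and is not itself a DoD multipass procedure.

```python
"""
Read-back verification of a sanitized storage image.

Added example, not from the original article. Assumes the retired drive (or
a raw image of it) has been overwritten with zeros and checks that claim by
reading every byte back. Function names and the sample "record" bytes are
constructed for this example.
"""
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices need not fit in memory


def scan_for_residue(path, chunk_size=CHUNK):
    """Return (total_bytes, nonzero_bytes, first_nonzero_offset or None).

    A zero-fill wipe is only trusted if every byte reads back as 0x00. Any
    residue means the pass did not cover the whole medium, a common failure
    when a tool wipes a partition instead of the raw disk or aborts early.
    """
    total = nonzero = 0
    first = None
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            zeros = block.count(0)  # bytes.count(int) counts matching byte values
            if zeros != len(block):
                if first is None:
                    # Offset of the first surviving non-zero byte in this block
                    first = total + next(i for i, b in enumerate(block) if b)
                nonzero += len(block) - zeros
            total += len(block)
    return total, nonzero, first


def zero_fill(path, length=None, chunk_size=CHUNK):
    """Overwrite the first `length` bytes (default: whole file) with zeros.

    A single zero pass for demonstration only; it stands in for whatever
    sanitization method the organization's policy requires.
    """
    size = os.path.getsize(path) if length is None else length
    with open(path, "r+b") as fh:
        written = 0
        while written < size:
            n = min(chunk_size, size - written)
            fh.write(b"\x00" * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())


def build_demo_image(path, size=4 * 1024 * 1024):
    """Fill a file with constructed record-like data standing in for a retired drive."""
    record = b"MRN:000000|DOB:1970-01-01|DX:CONSTRUCTED SAMPLE RECORD\n"
    with open(path, "wb") as fh:
        written = 0
        while written < size:
            fh.write(record)
            written += len(record)


def demo():
    """Walk a retired image through: unwiped -> half wiped -> fully wiped."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "retired-drive.img")
        build_demo_image(img)
        size = os.path.getsize(img)
        before = scan_for_residue(img)
        # Simulate a wipe tool that only covered the first half of the medium
        zero_fill(img, length=size // 2)
        partial = scan_for_residue(img)
        zero_fill(img)
        after = scan_for_residue(img)
    return {"size": size, "before": before, "partial": partial, "after": after}


if __name__ == "__main__":
    result = demo()
    for stage in ("before", "partial", "after"):
        total, residue, first = result[stage]
        verdict = "PASS" if residue == 0 else "FAIL"
        print(f"{stage:8s} {verdict}  residue={residue} bytes  first_nonzero={first}")
```

On a real device the read-back is run against the raw block device rather than a partition, so that the check spans the same extent the wipe was supposed to cover; the first_nonzero offset tells an IT asset manager where the wipe stopped, which is the evidence to attach to the device’s disposal record before it is allowed off site.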
“If the computer or components can be repaired for resale, then a revenue-sharing agreement provides money back to the hospital.”

Donation Issues

“However, it needs to be done in a process-driven, thoughtful way,” says Angie Singer Keating, CEO at Reclamere. “For instance, if a hospital uses their computers past about three years, those devices really are not of value as donations. All that has been done is transferring the burden of disposal to a nonprofit that probably has even less resources to properly dispose of the material. Also, proper data sanitization prior to the donation is crucial to avoid a data breach, but proper data destruction will also eliminate the operating system on the device. For most average users, a computer without an operating system is little more than a boat anchor. Microsoft is very strict about the transfer of licensing with equipment and unless the media is also donated, there really is no inexpensive or easy way to reload the computer with an operating system so it can be used.”

When selecting a vendor to handle proper computer disposal, hospitals should research a company’s financial viability, track record, and operating procedures. “Ideally, search for a provider that performs all of the services required without the use of subcontractors,” Kegley says. “Many companies offering ITAD services do not actually perform the work themselves, including many computer manufacturers. You certainly would not expect to take your Mercedes to the dealership you bought it from for repairs only to discover the repairs were made by a local repair shop.
Guard against discovering too late that the company you selected to dispose of your computer equipment is relying on subcontractors and/or other companies along the way.”

Hospitals should contact organizations such as the Reverse Logistics Association, the Institute of Scrap Recycling Industries, or R2 Solutions to find electronics recyclers that are members in good standing and/or certified to R2 standards. They should also look for a partner that is ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007, and R2 certified. “Industry certifications are great,” Walker says. “The National Association for Information Destruction [NAID] has a certification program with real teeth.” Additionally, seek a recycler that provides open indemnification for data leakage.

— Maura Keller is a Minneapolis-based writer and editor.

December 2011