
August 2, 2004

When Computers Die — Data Lives On
Radiology Today
By Kate Jackson

Vol. 5, No. 16, p. 20

How does your organization discard old computers—the ones containing all that sensitive patient data? Many facilities give surprisingly little thought to what happens to their outdated equipment.

Old computers that no longer have any use to organizations may be stashed in closets, shoved to the side of desks, and sometimes tossed in dumpsters or dumped in landfills. Machines that retain value may be donated, recycled, or sold. In the rush to scuttle equipment, many unwittingly unload more than they planned. Computer equipment—from hard drives to floppy disks and printers—typically contains three things that should never be cavalierly chucked:
• environmental toxins;
• private health information; and
• private financial data.

Carelessly leaking any of these three items can result in severe penalties. In the zeal to be out with the old and in with the new, many administrators and managers—even information technology (IT) professionals—give little thought to the correct way to dispose of obsolete computer equipment. The consequences can be both costly and deadly. A 2003 Gartner Group report on technology disposal concluded, “Ultimately, the most expensive cost associated with PC disposal is the cost for failure to dispose of the computer (and the data residing on the drives) appropriately. Many enterprises have paid the price in terms of additional cost, regulatory fines, bad publicity, and even litigation when computers turned up in landfills or Third World (sic) countries or when confidential or sensitive data was recovered from hard drives that were not appropriately sanitized.”

While healthcare organizations spend millions of dollars and countless hours protecting the privacy of hard-copy and electronic medical records and ensuring that their Internet connections are secured through encryption and firewalls, they dispose of their old computer equipment in a manner that’s tantamount to making private health and financial information available for the taking.

The No. 1 concern healthcare facilities should have when disposing of computers is minimizing risks, says Kathy Ferguson, business unit executive of asset recovery solutions within IBM Global Financing. “Because of HIPAA, the healthcare industry is maniacally focused on ensuring that assets that still have confidential patient information don’t get out into the marketplace where they could then be used in some negative way,” she says.

According to a recent telephone survey of business executives conducted by Granite Research Consulting on behalf of IBM Global Financing, 75% of health service industry respondents had organizationwide strategies for disposal of technological equipment, yet 95% rated highly the importance of proper disposal in light of data security and 83% rated managing environmental risks as a key consideration. Sixty-three percent of health respondents relinquished technology to computer disposal companies; 48% donated equipment to charity; 28% sold equipment to employees; and 30% opted to simply discard old equipment.

Practical Considerations
So what’s a healthcare organization to do with all that aging technology? Whatever the choice, do the job properly on an ongoing basis. Create a centralized, facilitywide strategy based on a review of the options and driven by considerations of needs, costs, and risk assessment. Don’t forget to address not only computers but also all peripherals, including CDs, zip disks, and floppy disks—anything that has a memory and stores data. Budget for the disposition of old equipment on an ongoing basis, dedicate staff to perform the administrative functions, and document your due diligence in securing data.

“Ask people how they’re handling their old computer system and you’ll find that they’re putting them in closets, under stairwells—they’re putting plants in them,” says Robert H. Knowles, CEO and founder of SecureCyber Destruction (formerly Technology Recycling). “But they’re not putting them in secure locations and logging who goes in and out and what they took.”

An employee, he notes, could take a 100-gigabyte disk drive and put it in the pocket of his or her pants. Clearly, he says, security must be addressed in the policy. While some businesses will be motivated more by financial incentives, many healthcare providers will put privacy and security issues far ahead of cost concerns. Nevertheless, many remain unsure of the rules and regulations and are heedless of liability. According to the IBM survey, “Interestingly, although companies rate data security as the number one concern of computer disposal, even over cost, most are not complying with regulations or truly protecting their customers’ privacy.” Methods of disposal must comply not only with international, federal, and state environmental regulations but also with privacy laws—the Gramm-Leach-Bliley Act, which protects the privacy of financial records, HIPAA privacy standards for personal patient information, and any applicable state privacy laws.

In addition to concerns about liability, discarding old equipment can be an expensive proposition. Whether companies recycle, sell, or destroy components, there are a number of tasks involved, each taking time and money. These tasks include updating inventories, filing paperwork, carting equipment, removing any needed data and eliminating the rest, packing, and shipping. Companies often underestimate the cost of donating or otherwise disposing, says Ferguson, who advises companies to do an in-depth analysis of what their organization spends to properly dispose of outdated equipment. The Gartner Group report suggests that the analysis include the per-computer costs for the service or in-house action, the administrative overhead costs linked to the disposal method (eg, donating, selling, destroying), and the public relations and financial repercussions of failing to properly dispose of equipment. Document your disposal efforts in case your organization is called upon to prove its efforts to protect data.

When selecting vendors for resale, sanitization, or disposal, insist on some form of certification of responsible and compliant handling and documentation of a clear chain of custody.

Recycling and Sanitization
Organizations may recycle computers in a number of ways and in the process either fail entirely to remove lingering private information or make misguided, insufficient efforts to protect information. Many, insists Knowles, “throw them away in dumpsters, which is illegal—environmentally illegal on top of HIPAA illegal.” Others, he says, are selling or giving them to their employees without taking steps to eliminate their sensitive data. “Can you imagine? Now my heart condition is in the hands of my neighbor who works at the hospital,” says Knowles.

Well-intentioned hospitals may donate computers and neglect to erase the disk drives. “They’d erase the directory but not the actual content of the computer, thinking it was safe,” says Richard C. Howe, PhD, vice president of IT consulting at VHA, Inc. (an alliance of not-for-profit hospitals, health systems, and their affiliates), “but there could still be patient record information on there that was very readable.”

Ferguson claims that most organizations that attempt to sanitize in-house use a “whole mish-mash of different solutions.” Most, however, use what’s called an F-disk—just formatting the drive. “That’s not a solution for ensuring that your data was overwritten,” she says. Yet, some sophisticated people believe it is. “I’ve had professors of computer science at major universities tell me that all you have to do is reformat the hard drive and the information goes away,” says Knowles. In response, he asks them, “What step in that process does the information leave the disk drive?”

Recycling old computers may be a matter of reselling them to other businesses, auction brokers, or, as Knowles observed, employees, or donating them to charities and other organizations. Some hospitals may recycle old computers within the facility. “They may get a new computer in a nursing station and recycle the old one to someone else in the hospital without cleaning the patient information off,” Howe says. The computer may be going to a department—such as materials management—that may not be expected to have an interest in patient records, so it’s recycled without taking any effort to clean off the hard drive.

There are two parts of the disk drive: the index, which tells you where the files are, and the actual files, explains Howe. “You need to destroy both of them to get the disk drive clean of information, yet many simply erase the index,” he notes. “It then appears that the information is gone, but in fact it’s still there.”

Many companies, says Knowles, are eager to donate equipment to such educational, civic, or charitable organizations as the Rotary Club, the Lions Club, or scout troops. “They don’t realize that it may then be sent to Turkey, Pakistan, China, or assorted other places, where people can now get their financial and medical information off it or use it to commit identity theft,” he says. These computers, he’s quick to point out, may contain not only private health information but also credit card, payroll, pension, and insurance information.

Hard Drive Disposal
Many of the strategies for destroying data, even those that are well-intentioned, have the potential to leave data for the next owner. According to an IBM white paper, “Hard Drive Disposal: The Overlooked Confidentiality Exposure,” “The only way, other than destruction and scrap, to prevent this kind of inadvertent file sharing is to sanitize the hard drive before it reaches its next owner.” Only two methods can get the equipment squeaky clean, says the paper. One is to erase the hard drive with the kind of bulk eraser (degausser) used for magnetic tape. Because that tactic essentially ruins the hard drive, it’s only an option for a machine that’s headed for destruction or the landfill.

The other method of wiping a computer’s slate is through data overwriting. Ferguson says IBM, which provides sanitization services to clients, “typically contracts to perform a 3X overwrite—the software program goes in and randomly writes Xs and Os over all the data on the hard file. It does that three times and makes a fourth pass over to ensure that none of the data is readable.” This, she explains, is known as a 3X overwrite process and is considered standard in the industry.
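The distinction Howe draws between the index and the files, and the three-pass overwrite with a fourth verification pass that Ferguson describes, modeled as an added example (not code from the article or from any vendor it names). The block size, layout, file name, and sample record are constructed assumptions, and an in-memory byte array stands in for a drive, so the model covers only what is logically readable, not physical media behavior.

```python
import os

BLOCK = 64          # toy block size in bytes (assumption for this model)
TOTAL_BLOCKS = 8    # block 0 is the "index"; blocks 1-7 hold file data

# Constructed sample record; not real patient data.
RECORD = b"PATIENT=Jane Doe;MRN=000000;DX=constructed-sample"


def make_image() -> bytearray:
    """Build a toy disk image: one index block followed by data blocks."""
    image = bytearray(BLOCK * TOTAL_BLOCKS)
    entry = b"chart.txt:3"                 # index entry: the file lives in block 3
    image[0:len(entry)] = entry
    start = 3 * BLOCK
    image[start:start + len(RECORD)] = RECORD
    return image


def erase_index_only(image: bytearray) -> None:
    """Model of erasing the directory: the index is cleared, data blocks are untouched."""
    image[0:BLOCK] = bytes(BLOCK)


def raw_scan(image: bytearray, needle: bytes) -> int:
    """Search every byte of the image without consulting the index; offset or -1."""
    return bytes(image).find(needle)


def overwrite_and_verify(image: bytearray, original: bytes, passes: int = 3) -> bool:
    """Overwrite the whole image `passes` times, then make a read-only check pass."""
    last = b""
    for _ in range(passes):
        last = os.urandom(len(image))      # random fill pattern for this pass
        image[:] = last                    # every block is written, not just the index
    current = bytes(image)
    if current != last:                    # verification: final pattern landed everywhere
        return False
    for off in range(0, len(original), BLOCK):
        chunk = original[off:off + BLOCK]
        if any(chunk) and chunk in current:   # skip blocks that were empty to begin with
            return False
    return True


if __name__ == "__main__":
    img = make_image()
    snapshot = bytes(img)                  # kept only so the check pass has a reference
    erase_index_only(img)
    print("after index erase, record found at offset:", raw_scan(img, RECORD))
    print("overwrite verified:", overwrite_and_verify(img, snapshot))
    print("after overwrite, record found at offset:", raw_scan(img, RECORD))
```
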

If computers to be donated are erased or overwritten, the operating systems are eliminated along with the data, which may make them undesirable to charitable organizations that would then have to spend a considerable amount of money to purchase software. To make them attractive to organizations, the donors would need to reload the systems as allowed by law in the relicensing agreement, which could be costly and time-consuming for the company that wishes to donate the machines.

How Clean Is Clean?
The effectiveness of sanitization procedures such as overwriting is to some extent a matter of opinion. Although most experts suggest that overwriting would satisfy liability concerns, others maintain that it’s just not enough. At one end of the spectrum of opinion is Howe, who’s satisfied that overwriting effectively eliminates risk. “By the time you do that, it’s pretty scrambled,” he says. “What are the odds of people trying to hack into something as long as you’ve made good faith efforts to scramble it? Could a spook tank with a million dollars unhack it? Probably, but why would they do that?”

Ferguson agrees. “Industries or agencies such as the Department of Defense that are engaged in high-tech weaponry contacts may use a 7X overwrite process, or even actual destruction of the devices, but the general consensus is that a 3X overwrite provides adequate protection against confidential information being retrievable or recoverable from those drives.”

Knowles counters these opinions, saying, “A recommendation to overwrite a drive 3X is a 20-year-old Department of Defense standard. It does not erase any data whatsoever. Instead, it camouflages the records on the disk drive because it simply puts Xs and Os around it… Overwriting does not remove the data.”

He also says the cost to recover records from a drive through a reputable forensic laboratory “is roughly $2,000. Software is available for the do-it-yourselfer for less than $500.”

Knowles contends that companies that take an approach other than true and complete disposal of old computer equipment will be in violation of privacy laws and maintains that recycling and overwriting creates a potential minefield of problems.

Practical Security
Redemtech, another company that offers disposal solutions, echoes Knowles’ fears. On its Web site, the company notes that its research “has shown that conventional erasure procedures are exceedingly error-prone. In audits of previously sanitized hard drives, we found that up to 24% of the drives still contained data. In addition to human error, our research discovered that many common sanitizing applications—including those approved for Department of Defense-compliant erasure—fail to completely secure all data in a significant number of cases.”

“I don’t care if you use a magnet or a sanitizer software package—you cannot remove the data from a disk drive,” Knowles says. “Forensically, it can be restored.”

According to Russell Dean Vines, president and founder of RDV Group, Inc., a New York-based security consulting firm, and coauthor of the CISSP Prep Guide: Mastering the 10 Domains of Computer Security, most people mistakenly assume that standard practices actually delete information from a computer, which is not true.

Ferguson agrees “that to be 100% secure, you should hammer destroy the hard drive—break it down into a gazillion little pieces. But there’s a tradeoff between that 100% level of security and what’s practical. In the overwrite process, for someone to retrieve data from the drive, they would have to have very highly technical equipment and be on a mission to find some little bit of data that’s still recoverable.”

She uses an analogy to illustrate the levels of security. “If I had an old-fashioned file folder and you ripped off the tab that told you what the subject was, that’s effectively what a standard F-disk or file formatting does,” she explains. “If you then instead took all the papers out of the file, stuck it in your typewriter, and wrote Xs and Os all over it, and you do that three times, it’s going to be impossible to read what that is. But you could possibly take that piece of paper somewhere to a specialist with incredibly high technology equipment who would be able to figure out what was under there.”

When it comes to determining what’s adequate in terms of HIPAA, it’s difficult to say because the law requires reasonable efforts—a standard that’s open to interpretation. “My understanding of HIPAA requirements,” says Ferguson, “is that hospitals must take reasonable care to protect the data. So if you are engaging in a 3X overwrite, I’d define that as reasonable. If you’re totally negligent and dumping things in a dumpster and you’ve done nothing to protect data, that’s not taking reasonable care.”

In-House or Outsource
According to IBM’s survey, 90% of healthcare service industry respondents perform sanitization of hard drives internally, and only 5% rely on a third party. Yet, to do the job right requires a great deal of time and allocation of resources. Ferguson says it’s possible to acquire overwrite programs, but they take 50 to 80 minutes per drive, so there’s a cost and time factor for a hospital with many computers. IBM and other third-party asset disposition vendor companies provide sanitization services, as well as reselling services, that may not only save considerable internal resources but also provide protection against liability and confidence that the process is being done in full compliance with all regulations, especially in an era of constantly changing standards.

According to the Gartner Group report, “In the United States, no national mandates exist for the disposal of computers, but 50 pieces of legislation are pending in 24 states, and most of them are different.” Because the stakes are so high, great care should be taken in selecting a vendor.

IBM processes more than 35,000 tons of returned equipment every year. The company offers disposition services to help customers optimize their used or surplus equipment disposal, providing sanitization services to minimize risk as well. It contracts with its customers to help them remarket or scrap their assets and also help them with the overwrite services. “We have an internally developed program and it meets what’s known as industry standards or Department of Defense standards for high security,” says Ferguson, who notes that the company is typically engaged to do the overall equipment disposition. It may sanitize the equipment, then sell the assets and split the proceeds with the client at a negotiated rate. For equipment that has no value, it will handle the equipment scrapping for a fee, destroying it at a rate calculated in cents per pound—approximately $10 for a typical 40-pound computer.

Destruction
According to the Gartner Group report, “If costs associated with disposal and secure sanitization of hard drives will exceed the proceeds from selling the equipment, they [hospitals] should look at total destruction as the primary option for disposal.” Because their computers are very old and may have no value even for donation, some of the VHA member hospitals are taking it upon themselves to destroy their old computers. Howe says they take out the disk drives and literally smash them with a sledge hammer and then dispose of the hardware according to Occupational Safety & Health Administration standards. No one, he says, can hack into a disk drive that’s bent, broken, and inoperable. And because it’s also quick and inexpensive, he describes it as one of the best ways to dispose of equipment.

Like the sanitization process, destruction can be time-consuming and deplete staff resources. Many facilities choose instead to outsource complete destruction of their old equipment, and some find it a more cost-effective and risk-free option than donation.

Since 1998, SecureCyber Destruction has disposed of more than 1 million pounds of old computer equipment. Unlike other companies that refurbish and resell computer components, SecureCyber Destruction completely demolishes computers and peripherals and reprocesses glass, plastic, and metals for reuse. It offers local pick-up in 200 cities across the country, stores all systems in a highly secure area before disposal, and provides a clear chain of custody and certification of complete disposal. For $40 or less per unit, the company takes your computer and grinds it up and melts it down so nothing can be recovered. “I pick up the equipment at the point of origin,” says Knowles, “because that’s where I certify it from. There are no drop-offs because I don’t know what happened from the point it left the warehouse to when it’s dropped off.”

Hospitals will need to evaluate their options based on their needs and resources. Each may take a different route, but on one point, there’s no wiggle room. Until now, hospitals may have ditched and dumped old computers with few cares. “But with the new HIPAA laws,” warns Howe, “they really have to pay attention to it now.” His advice is simple: “If you’re going to donate, sell, or recycle a computer, make sure that the disk drive is clean, clean, clean. Nothing on it. Absolutely clean!”

— Kate Jackson is a staff writer for Radiology Today.

Copyright © 2007 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of Radiology Today
All rights reserved.