Sneakin’ Out the Back Door: The Information Privacy Risks of IT Asset Retirement
C. Brooks Hoffman, for HealthLeaders IT, May 15, 2007
Data security has become an extremely important issue within the healthcare industry ever since the revision of HIPAA’s privacy provisions in 2002. Hospitals, clinics, and other healthcare providers have joined the growing number of organizations that are focusing on data security. For example, it is estimated that spending on security software reached $50 billion globally in 2005. While most organizations have concentrated on preventing outside intrusions into their networks, there has been comparatively little attention focused on protecting information that leaves the organization on retired information technology assets.
This concern is not merely theoretical, as illustrated by two examples in which data was compromised due to improper disposal of media storage equipment:
- An employee of the Tampa, Florida Health Department stole a computer disk containing the names of 4,000 people who had tested positive for HIV.
- A Nevada woman who purchased a used computer discovered that it still contained the prescription records of the pharmacy that had previously owned the PC. The hard drive contained a list of names, addresses, social security numbers, and all of the medicines purchased by customers.
Unauthorized disclosure of Protected Health Information in this manner almost certainly constitutes a violation of HIPAA--resulting in fines of up to $50,000, as well as imprisonment for up to one year. In addition, the inadvertent release of sensitive data may also violate a number of other recently enacted federal privacy laws--including the Fair and Accurate Credit Transactions Act and the Gramm-Leach-Bliley Act.
Violation of these laws can result in substantial criminal and civil penalties as well as significant negative publicity. In January of this year the Federal Trade Commission announced a consent judgment against consumer data broker ChoicePoint, Inc. The company admitted that the personal financial records of more than 163,000 consumers in its database had been compromised. Under the terms of the agreement, the company agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement also requires ChoicePoint to establish and maintain a comprehensive information security program and to obtain biannual third-party audits by an independent security professional for the next twenty years.
In this context, it is critical that healthcare organizations be mindful of data security risks when recycling old computer equipment. Here are some initial questions to consider when assessing the data privacy safeguards that govern your organization’s IT asset retirement program:
1. Have you put in place the necessary procedures and controls to check the efficacy of the entire data destruction process from transportation through actual destruction? Is the process audited by a third party? How does your organization monitor chain of custody? Do you obtain photographic evidence to verify that the data has been destroyed?
2. Does the potential resale value of the retired assets offset the potential costs of a breach of data privacy? In order to maximize information security, many organizations prefer to recycle all of their end-of-life IT assets regardless of residual value. For example, New York Presbyterian Hospital recently purchased a pneumatic press that crushes computer hard drives prior to disposal.
3. Should you perform your data destruction activities in-house? There are two basic methods available: physical destruction and software destruction. Physical destruction involves either degaussing the storage media by using a magnet or physically deforming it in some way to prevent normal operation. Physical hard drive destruction equipment is commercially available from companies such as Shred-Tech or SEM. Software destruction involves overwriting the data by filling the hard drives with zeros. There are a number of commercially available software programs--including Kroll-Ontrack's "Data Eraser" and LSoft's "Active Kill Disk."
Faced with competing internal priorities and limited resources, an increasing number of organizations have chosen to outsource the retirement of their IT assets. However, this decision may ultimately put the company at even greater risk if it relies on consignment organizations with no expertise in data security or sham recyclers who offer "free" recycling.
In evaluating potential asset retirement vendors, it is important to ask what physical and/or software destruction capabilities they have. All candidates should possess a baseline capability of data destruction that meets Department of Defense 5220-M standards. Other important questions to ask include the following:
- Do they undertake a sampling process and/or disk inspections via computer forensics?
- What kind of on-site security systems are in place at their facilities in order to ensure protection of your equipment?
- Does the vendor maintain an errors and omissions insurance policy in the event that some of your data is accidentally disclosed?
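The zero-fill overwrite and the sampling inspection mentioned above can be checked in-house with a short script. The following is an added example, not part of the original article or any vendor's tool: it inspects sectors of a wiped disk image for leftover data and shows how likely a random sample is to miss a small residue. The function names, the 512-byte sector size and the sample image are assumptions made for illustration.

```python
import os
import random
import tempfile

SECTOR = 512  # assumed sector size; many newer drives use 4096


def verify_zero_fill(path, samples=200, seed=None, full=False):
    """Inspect sectors of a wiped image or device and return an audit record."""
    with open(path, "rb") as f:
        total = f.seek(0, os.SEEK_END) // SECTOR  # whole sectors only
        if total == 0:
            raise ValueError("image is smaller than one sector")
        if full or samples >= total:
            picks = list(range(total))
        else:
            # Always check the first and last sector (partition tables and
            # backup headers sit there), then add a random sample.
            rng = random.Random(seed)
            picks = sorted({0, total - 1, *rng.sample(range(total), samples)})
        zero, dirty = bytes(SECTOR), []
        for lba in picks:
            f.seek(lba * SECTOR)
            if f.read(SECTOR) != zero:
                dirty.append(lba)
    return {"sectors_total": total, "sectors_checked": len(picks),
            "nonzero_sectors": dirty, "passed": not dirty}


def miss_probability(total, dirty, samples):
    """Chance that `samples` random sectors all avoid `dirty` leftover ones."""
    p = 1.0
    for i in range(samples):
        p *= max(total - dirty - i, 0) / (total - i)
    return p


def build_constructed_image(total=4096, residue_at=(1234,)):
    """Constructed sample: a zero-filled image with leftover data planted."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(total * SECTOR))
        for lba in residue_at:
            f.seek(lba * SECTOR)
            f.write(b"RX: constructed patient record")
    return path


if __name__ == "__main__":
    img = build_constructed_image()
    print(verify_zero_fill(img, full=True))
    print(miss_probability(4096, 1, 200))  # a 200-sector sample usually misses
    os.remove(img)
```

A sample of 200 sectors out of 4,096 misses a single leftover sector about 95% of the time, so a passing sample is evidence about the process rather than proof for an individual drive; a full scan is the stronger check.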
Lastly, it is critical to assess whether the prospective vendor has your organization’s best interests in mind. Are they motivated to provide the appropriate services, or are they simply looking to profit from a quick resale of the equipment being retired?
Managing the data security risks inherent in your organization’s IT asset retirement program does not have to be difficult or expensive. However, it does require IT executives to:
- Educate their organizations on the importance of maintaining information privacy
- Develop programs that effectively mitigate risk
- Implement and monitor these programs to ensure compliance and effectiveness
C. Brooks Hoffman is V.P. of Finance & Operations of LifeSpan Technology Recycling, a managed services company that provides electronic asset retirement services to corporations, municipalities, and not-for-profit organizations. Hoffman may be reached at info@lifespanrecycling.com.