The Danger of (In)destruction
Jun 1, 2007 12:00 PM, By Ashley Roe
A year ago, electronic data disposal at Memorial Hospital in Pawtucket, R.I., was rather primitive in light of current Health Insurance Portability and Accountability Act (HIPAA) data security standards. The hospital staff would gather their retired computers and laptops and place them behind the facility on a pallet for pickup and transport to either the local recycling plant or the landfill. Before the machines were sent off, the internal hard drives would be extracted, struck a few times with a hammer and placed in the trash. Dennis Owens, Memorial Hospital's director of environmental services, says that the hospital staff did not yet understand what proper data disposal procedures involve. “E-waste destruction practices really only came on the horizon about a year ago, and then it started becoming clear to us that people could actually get their hands on our data with the disposal practices we were using,” he says.
Chris Adam, director of NextPhase Services at Converge Global Trading Exchange, Peabody, Mass., calls the hospital's prior disposal process “really ugly” in terms of today's data destruction practices. “Once the machines were picked up, the hospital staff had no record of where they would end up, and the same went for their hard drives being left in the trash. Taking a hammer to them is not enough to ensure destruction.”
The International Data Corp. (IDC) reports that more than 40 million PCs were retired in 2006. Adam estimates that about 15 percent of the 40 million machines came from hospitals and health care organizations. But before disposing of their machines, did the organizations take appropriate precautions to destroy their sensitive contents?
According to HIPAA section 164.310, which addresses physical safeguard practices for electronic data stored on machines, health care organizations must:
- implement policies and procedures to address the final disposal of electronic protected health information and/or the hardware and electronic media on which it is stored;
- implement procedures for the removal of electronic protected health information from electronic media before the media are made available for re-use; and
- maintain a record of the movements of hardware and electronic media and any person responsible for the disposal process.
Carrying out these procedures takes more than simple destruction practices or moving arrangements for end-of-life machines. Health care organizations must realize the importance of compliance with these standards because of the consequences of failing to comply. “Organizations that do not comply might experience extensive monetary fines,” Adam says. “In addition, brand equity damage might occur if the improper disposal results in a security breach that makes the headlines involving your brand.” On an environmental note, organizations that do not practice proper destruction of their machinery might actually increase pollution.
Yet, Adam notes that a gray area exists when determining which procedures comply with disposal standards. “The compliance environment is still evolving when you're dealing with end-of-life machines, and best practices for disposal are still being defined,” he says. “Currently, electronic data disposal practices are all over the place.”
Converge's NextPhase Service is an asset management service designed to help businesses and organizations determine the residual value of their retiring machines and safeguard the data contained on those machines at the end of their lifecycle. Memorial Hospital began using a pilot version of the service last summer.
The service begins with a consultation, during which NextPhase representatives help the organization understand the current state of their data destruction practice and articulate the risks and implications involved with it. “In the case of Memorial Hospital, we really had to talk to them about the danger zone they were playing in,” Adam says. Even though a significant data breach or fine had not immediately resulted from their current practice, Adam says it could still happen years down the road. “We then determine who the necessary people are within the organization that would be responsible for carrying out this process,” he says. Chief technology officers, chief information security officers and IT departments are generally the “go-to” individuals.
After defining the organization's tolerance level for risk, which in many cases is zero, NextPhase representatives develop a plan for proper data disposal. Adam explains that the organization must examine an economic equation and determine whether the residual value of the retiring devices warrants full destruction or a simple data erasure. “Then, we will make arrangements to either destroy the end-of-life machines and devices completely or conduct full data wipes and re-market the equipment,” he says. “Re-marketing that device for use often times mitigates costs.”
Throughout the destruction or erasure process, organizations receive daily updates noting the current stage of their asset disposal through an online client portal, accessible on the NextPhase Service Web site (nextphaseglobal.com). When the process is complete, the organization is issued an official certificate of data erasure as proof of their data destruction.
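The record-keeping requirement in section 164.310 above (a record of every movement of the media and of the person responsible) and the stage-by-stage tracking and erasure certificate described in the NextPhase process can be illustrated with a small chain-of-custody ledger. The following Python is an added example written for this page; it is not NextPhase's or Memorial Hospital's software. The custody states, asset tags and staff labels are constructed, and the SHA-256 hash chain is one common way of making such a log tamper-evident. The ledger refuses out-of-order transitions, so a drive cannot be released for re-marketing until a second person has recorded that its wipe was verified, and a drive that went straight to physical destruction can only leave as recycling scrap.

```python
import hashlib
import json
from datetime import datetime, timezone

# Legal custody transitions for one piece of media (constructed for this example).
ALLOWED_NEXT = {
    "in_service": {"pulled"},
    "pulled": {"wiped", "destroyed"},
    "wiped": {"wipe_verified"},
    "wipe_verified": {"remarketed", "recycled"},
    "destroyed": {"recycled"},
}
TERMINAL = {"remarketed", "recycled"}


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only, hash-chained log of media movements and the responsible staff."""

    def __init__(self):
        self.entries = []

    def state_of(self, asset_tag: str) -> str:
        """Most recent recorded event for a drive; unseen drives are still in service."""
        for entry in reversed(self.entries):
            if entry["asset_tag"] == asset_tag:
                return entry["event"]
        return "in_service"

    def record(self, asset_tag: str, event: str, responsible: str, detail: str = "") -> str:
        """Append one movement; rejects transitions the disposal policy does not allow."""
        current = self.state_of(asset_tag)
        if event not in ALLOWED_NEXT.get(current, set()):
            raise ValueError(f"{asset_tag}: cannot move from {current!r} to {event!r}")
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "asset_tag": asset_tag,
            "event": event,
            "responsible": responsible,
            "detail": detail,
            # Each entry commits to the previous one, so edits or deletions break the chain.
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or removed."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def certificate(self, asset_tag: str) -> dict:
        """Disposal summary for a drive that reached a terminal state; raises otherwise."""
        history = [e for e in self.entries if e["asset_tag"] == asset_tag]
        if not history or history[-1]["event"] not in TERMINAL:
            raise ValueError(f"{asset_tag}: disposal not complete")
        events = {e["event"] for e in history}
        return {
            "asset_tag": asset_tag,
            "method": "erasure" if "wipe_verified" in events else "physical destruction",
            "final_disposition": history[-1]["event"],
            "responsible": sorted({e["responsible"] for e in history}),
            "ledger_hash": history[-1]["hash"],
        }


def demo() -> dict:
    """Constructed walk-through: one drive wiped and re-marketed, one shredded."""
    ledger = CustodyLedger()
    ledger.record("HDD-0001", "pulled", "facilities: staff A", "removed from retired desktop")
    ledger.record("HDD-0001", "wiped", "IT: tech B", "full overwrite of every sector")
    ledger.record("HDD-0001", "wipe_verified", "IT: tech C", "sampled sectors read back as zeros")
    ledger.record("HDD-0001", "remarketed", "vendor: reseller X")
    ledger.record("HDD-0002", "pulled", "facilities: staff A")
    ledger.record("HDD-0002", "destroyed", "vendor: shredder Y", "shredded")
    ledger.record("HDD-0002", "recycled", "vendor: shredder Y")
    return {"ledger": ledger, "certs": [ledger.certificate(t) for t in ("HDD-0001", "HDD-0002")]}


if __name__ == "__main__":
    result = demo()
    print("chain intact:", result["ledger"].verify())
    for cert in result["certs"]:
        print(json.dumps(cert, indent=2))
```

The separation of the `wiped` and `wipe_verified` events by different staff is the point of the exercise: the certificate reports a method of erasure only when someone other than the operator has recorded a read-back check, which is the gap a hammer-and-trash-can procedure leaves unfilled.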
Compliant data destruction practices are not just specific to health care organizations. Adam says he finds that many Fortune 100 companies are not properly prepared to handle the process. “Many of them just don't understand what is involved in compliance or even who is supposed to be in charge,” he says. “That is why we start out as consultants. We help the company or organization understand.”
© 2008 Penton Media Inc.