June 11, 2007
Mountain of Trouble
By Robbi Hess
For The Record
Vol. 19 No. 12 P. 30
Proper disposal of retired electronic equipment entails more than tossing it in the scrap heap. Otherwise, healthcare organizations could be in a…
“Out of sight, out of mind” is not the way to go when taking computers—and the electronic records stored within—offline. An audit trail of computer equipment, hard drives, PDAs, and even CDs and DVDs should be implemented when the piece is put into service and tracked through to its eventual destruction or storage.
Management Practices
Robert Houghton, president of Redemtech, a technology change management company, says asset management is as important in small facilities and doctors’ offices as it is in large healthcare organizations.
“HIM and IT professionals need to know how to control the movement of the assets, and it could be as simple as putting together an Excel spreadsheet, inputting identifying information about the equipment, and following it throughout the facility and through to its being taken offline,” he explains. “What we are talking about is off-network data security.”
Most organizations—and certainly healthcare facilities—spend a great deal of time and effort maintaining the security and integrity of their networks by encrypting data and password-protecting computer systems, making it virtually impossible for someone to break into a hospital network. But, Houghton says, once a system or a specific device is turned off for the last time and taken offline, the security measures used to control and/or destroy that data are significantly less sophisticated than the effort spent on the network itself.
“Offline equipment is treated like the poor stepchild, and at Redemtech, we are spending time educating clients on the necessity of follow through when taking equipment offline and are helping them improve processes around this area,” he explains.
Until recently, offline security has been an afterthought. But with increased awareness of and adherence to HIPAA regulations, there has been a major push for healthcare organizations to focus on securing their data, even on systems that are no longer in use.
“Offline data security, in some instances, is simply an arcane notion,” Houghton says. “That is why we see a lot of breaches of security around the off-networked data. In my opinion, this issue will be more in the public eye in the next couple of years.”
When it comes to conventional practices, Houghton believes that one in four facilities isn’t truly verifying the complete sanitization of hard drives. What that means, he says, is that others could still potentially recover data from a supposedly fully sanitized computer by simply downloading software from the Internet.
“The reason for that is because there was a process failure during the sanitization procedure,” he explains. “Those process failures are the reason [why] verification and documentation [of the cleansing of the equipment are] critical. If you have a machine that is erased properly and verified fully, it is impossible to recover any information from that machine.”
If an HIM or IT manager has ensured that a machine is erased utilizing best practices, has controlled the security of the inventory throughout its lifespan, and maintained the document trail to prove it was erased, the chances of a security breach—and the problems associated with that breach—are as close to zero as can be assured.
Angela K. Dinh, manager of professional practice resources at AHIMA, says, “AHIMA always supports that HIM professionals need to adhere to industry standards when it comes to HIPAA security. There are key staples of security destruction—a policy, a point person, a method of destruction, and an accounting [log] of the destruction should be maintained. Beyond that, HIPAA rules leave it up to the individual organization to define its procedures.”
Having the policy, point person, method of destruction, and a log is the facility’s proof that they have “addressed security and are maintaining it to the levels they have set forth,” Dinh explains.
How Clean Is Clean?
One of the most important points, according to Houghton, is that in order for data destruction to be effective, it has to be viewed as a process—one that begins as soon as a computer is taken off the network.
“There should be an inventory control process that follows the life of the equipment from its introduction into the facility to its removal from the network,” Houghton says. “If you look at it from the point of view of a hospital, their concern with security breaches is that they will occur when the asset bearing the data is still on hospital or clinic premises. But a good policy and procedure for taking the asset offline and being either stored or destroyed needs to start immediately with the asset being removed.”
There needs to be a paper trail pertaining to not only the nature of the asset but also where it is being used within a facility or where it is being stored once it is removed from service.
“When a vendor comes to pick up the computer for either destruction or resale, that transaction should generate an additional piece of tracking information,” Houghton says. “It may be operationally intensive, but maintaining inventory control is an essential and required part of a good data protection practice that drives accountability.”
There are a number of products on the market that disable access to data on a hard drive on a temporary basis to safeguard critical data when a piece of equipment is in transit. There are also ways to place “software locks” on a hard drive to prevent access to data. However, these safeguards should not be considered a substitute for full data erasure.
Houghton says there are several viewpoints on the best method to destroy data. He believes the most reliable is to overwrite the data—a process in which patterns of data (typically 0s and 1s) are written over the top of the confidential information.
“This process effectively destroys the information and, in our opinion, is the most reliable because it uses the technology of the hard drive to overwrite the existing information,” he explains. “With nearly any process, there is always a level of unreliability because of human error. Redemtech systems have been enhanced to remove some of the level of human error. Our technology puts emphasis on the fact that some percentage of data destruction will encounter some trouble so we need to be 100% certain that data is deleted, and overwriting it is the best practice.”
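Houghton’s point above is that an overwrite is only trustworthy when it is verified and recorded. The Python script below is an added example, not the article’s or Redemtech’s tooling: a small file stands in for a hard drive (filled with constructed text, not real records), is overwritten with zeros, read back byte by byte, and the result is packaged as the verification record an audit trail would keep. A second run deliberately stops the pass partway through to show the kind of process failure that verification exists to catch. The file layout, function names and record fields are assumptions.

```python
"""Overwrite-then-verify sanitization of a drive image, producing an audit record.

Added example: a small file stands in for a hard drive and is filled with
constructed text, not real records. Function names and record fields are
assumptions, not Redemtech's or any vendor's tooling.
"""
import hashlib
import os
import tempfile

CHUNK = 4096          # read/write granularity
ZERO = b"\x00"        # single-byte overwrite pattern


def make_constructed_drive_image(path, size=64 * 1024):
    """Fill `path` with constructed, all-non-zero text so unsanitized bytes are countable."""
    line = b"CONSTRUCTED RECORD 0000 -- NOT REAL PHI -- "
    with open(path, "wb") as f:
        written = 0
        while written < size:
            piece = line[: size - written]
            f.write(piece)
            written += len(piece)


def overwrite(path, pattern=ZERO, stop_at=None):
    """Write `pattern` over every byte of the image and force it to the medium.

    `stop_at` exists only for the demonstration: it ends the pass early to
    simulate the interrupted overwrite that verification must catch.
    """
    size = os.path.getsize(path)
    limit = size if stop_at is None else min(stop_at, size)
    block = pattern * CHUNK
    done = 0
    with open(path, "r+b") as f:
        while done < limit:
            n = min(CHUNK, limit - done)
            f.write(block[:n])
            done += n
        f.flush()
        os.fsync(f.fileno())  # the pattern must reach the disk, not just the page cache
    return done


def verify(path, pattern=ZERO):
    """Read the whole image back and count every byte that does not match `pattern`."""
    digest = hashlib.sha256()
    unsanitized = 0
    first_bad = None
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            if chunk != pattern * len(chunk):  # fast path: whole chunk is clean
                for i, b in enumerate(chunk):
                    if b != pattern[0]:
                        unsanitized += 1
                        if first_bad is None:
                            first_bad = offset + i
            offset += len(chunk)
    return {
        "bytes_checked": offset,
        "bytes_unsanitized": unsanitized,
        "first_unsanitized_offset": first_bad,
        "sha256": digest.hexdigest(),
        "status": "verified" if unsanitized == 0 else "FAILED",
    }


def expected_digest(size, pattern=ZERO):
    """SHA-256 a fully sanitized image of `size` bytes must have, so an auditor can recheck."""
    return hashlib.sha256(pattern * size).hexdigest()


def sanitize_and_record(path, serial, pattern=ZERO, stop_at=None):
    """The process step: erase, verify, and return the record the audit trail keeps."""
    overwrite(path, pattern, stop_at)
    record = verify(path, pattern)
    record["serial"] = serial
    record["method"] = "overwrite-1pass-0x%02x" % pattern[0]
    record["digest_matches_expected"] = (
        record["sha256"] == expected_digest(record["bytes_checked"], pattern)
    )
    return record


def run_demo():
    """Sanitize two constructed images: one complete pass, one interrupted at 40000 bytes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, stop_at in (("complete", None), ("interrupted", 40000)):
            path = os.path.join(tmp, name + ".img")
            make_constructed_drive_image(path)
            results[name] = sanitize_and_record(
                path, "SN-CONSTRUCTED-" + name.upper(), stop_at=stop_at
            )
    return results


if __name__ == "__main__":
    for name, rec in run_demo().items():
        print(name, rec["serial"], rec["status"], rec["bytes_unsanitized"], rec["sha256"][:16])
```

On a real drive the same read-back applies to the whole device rather than a sample of it, and the record that matters downstream is the one carrying the serial number, the method, the number of bytes checked and a digest of the verified contents: that is what lets the facility match a vendor’s certificate against its own inventory later.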
The Bottom Line
Dinh says HIPAA security concerns have made the industry more aware of how to effectively store and destroy documents, while recognizing the need to address it both online and offline.
She also cautions that security isn’t only electronic. “Facilities need to do system assessments because security involves not only passwords on electronics but also includes locking workstations, windows, [and] doors,” she explains.
Most healthcare facilities are vulnerable to security breaches, but Houghton says simple inventory tracking is a relatively easy practice to put into place. When seeking a vendor to destroy data on a hard drive, healthcare organizations should seek a company that describes its process in detail and provides documented proof of how it destroyed the data.
“There should be a detailed, procedural explanation of what the company’s practice is for destruction,” Houghton says. “In an ideal scenario, you’d want to send someone to the facility to audit their practices. One out of every four of our customers comes in and makes us prove what we do, and we encourage those visits. There are also customers that will put out the hard drives that we have sanitized and send them to a third-party data forensics team to make certain they are clean.”
Once a facility receives the proof that the hard drives have been erased, it matches that with its inventory list and the loop is closed.
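Closing the loop, as described above, means matching each vendor’s proof of destruction against the facility’s own inventory and custody log. The Python below is an added example, not the article’s or any vendor’s system: a constructed inventory, a constructed list of serialized hand-offs (the paper trail from deinstallation through vendor pickup), and constructed destruction certificates are reconciled, and every asset that cannot be closed is reported with the reason (idle in storage, awaiting a disposition, destroyed but no certificate received, certificate without verification, a break in the chain of custody, or a certificate for a serial the facility never owned). All serials, parties, event names and report categories are assumptions.

```python
"""Serialized chain-of-custody ledger with end-of-life reconciliation.

Added example, not the article's or any vendor's system. The inventory,
hand-off events and destruction certificates below are constructed sample
data; the event names and report categories are assumptions.
"""
from collections import defaultdict

# Constructed inventory (the article's spreadsheet): serial -> description.
INVENTORY = {
    "SN-1001": "desktop, records dept",
    "SN-1002": "laptop, clinic B",
    "SN-1003": "desktop, radiology",
    "SN-1004": "PDA, nursing",
    "SN-1005": "laptop, outpatient",
    "SN-1006": "desktop, pharmacy",
}

# Constructed custody events, in order: (serial, event, from_party, to_party).
# Each hand-off must originate with the party that last took custody.
EVENTS = [
    ("SN-1001", "deinstalled", "records dept", "IT storage"),
    ("SN-1001", "released", "IT storage", "Vendor X"),
    ("SN-1001", "destroyed", "Vendor X", None),
    ("SN-1002", "deinstalled", "clinic B", "IT storage"),
    ("SN-1002", "released", "IT storage", "Vendor X"),
    ("SN-1002", "destroyed", "Vendor X", None),             # vendor has not sent proof yet
    ("SN-1003", "deinstalled", "radiology", "IT storage"),  # sitting idle in storage
    ("SN-1004", "deinstalled", "nursing", "IT storage"),
    ("SN-1004", "released", "clinic B", "Vendor X"),        # released by a party that never held it
    ("SN-1004", "destroyed", "Vendor X", None),
    ("SN-1005", "deinstalled", "outpatient", "IT storage"),
    ("SN-1005", "released", "IT storage", "Vendor X"),      # in transit, no disposition yet
]

# Constructed vendor certificates: serial -> (method, verification performed?).
CERTIFICATES = {
    "SN-1001": ("overwrite", True),
    "SN-1004": ("overwrite", False),  # destruction claimed, never verified
    "SN-9999": ("overwrite", True),   # serial the facility never owned
}

CATEGORIES = ("closed", "in_service", "stockpiled", "awaiting_disposition",
              "missing_certificate", "unverified_certificate",
              "custody_gap", "unknown_certificate")


def chain_gaps(events):
    """Return (event_index, expected_from, actual_from) for every broken hand-off."""
    gaps = []
    holder = None
    for i, (_serial, _event, frm, to) in enumerate(events):
        if holder is not None and frm != holder:
            gaps.append((i, holder, frm))
        holder = to
    return gaps


def reconcile(inventory, events, certificates):
    """Match inventory, custody log and certificates; report each serial's state."""
    by_serial = defaultdict(list)
    for ev in events:
        by_serial[ev[0]].append(ev)
    report = {c: [] for c in CATEGORIES}
    report["unknown_certificate"] = sorted(set(certificates) - set(inventory))
    for serial in sorted(inventory):
        evs = by_serial.get(serial, [])
        kinds = {e[1] for e in evs}
        gaps = chain_gaps(evs)
        if gaps:
            report["custody_gap"].append(serial)
        if not evs:
            report["in_service"].append(serial)
        elif "destroyed" not in kinds:
            key = "awaiting_disposition" if "released" in kinds else "stockpiled"
            report[key].append(serial)
        else:
            cert = certificates.get(serial)
            if cert is None:
                report["missing_certificate"].append(serial)
            elif not cert[1]:
                report["unverified_certificate"].append(serial)
            elif not gaps:
                report["closed"].append(serial)  # proof matched, chain intact: loop closed
    return report


if __name__ == "__main__":
    for category, serials in reconcile(INVENTORY, EVENTS, CERTIFICATES).items():
        print("%-22s %s" % (category, ", ".join(serials) or "-"))
```

Only the one asset with an intact custody chain, a destruction event and a verified certificate is reported as closed; every other condition the article warns about (idle stockpiles, assets in transit, unverified vendor claims, hand-offs nobody logged) surfaces as a named exception rather than disappearing from view.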
— Robbi Hess, a journalist for more than 20 years, is a writer/editor for a weekly newspaper and a monthly business magazine in western New York.
Data Security and Asset Management Tips
According to a poll conducted by Harris Interactive, the compromise of corporate information systems topped the list of crisis situations that worried corporate executives. Yet, security breaches continue to plague businesses.
Not only are more companies experiencing data breaches, a surprising number are repeat offenders. According to the IT Compliance Group, 68% of companies are losing sensitive data or having it stolen out from under them at least six times per year. An additional 20% are losing sensitive data 22 or more times per year.
Largely overlooked amidst all the media coverage is how many breaches occur after computers or other data-bearing assets have been removed from the network. According to the Ponemon Institute LLC, off-network security is the source of 75% of data breaches. A recent study of 550 security breaches by the University of Washington came to a similar conclusion. It found that 61% of breaches were the result of corporate mismanagement of data or data-bearing assets compared with 31% resulting from malicious hackers.
Clearly, data is at significant risk when computers are disconnected from the network. Off-network assets are particularly vulnerable when the following situations exist:
• Decommissioned assets are stored on site. Many organizations keep rooms full of idle data- and software-bearing assets in unsecured storage, draining value and increasing the risk of loss or theft.
• Inadequate chain-of-custody controls are in place for assets in transit. According to the Ponemon Institute, roughly 30% of reported security breaches originated with external partners, consultants, outsourcers, or contractors. Assets in transit are particularly vulnerable.
• Inadequate data destruction processes are used. Data destruction methods often fail to fully and verifiably sanitize sensitive data on computers being remarketed or recycled. A recent report from the University of Glamorgan in the United Kingdom analyzed more than 300 secondhand disks and found that 50% contained information that could identify an individual or organization. Even using U.S. Department of Defense-compliant hard drive erasure processes can result in one in four disks still containing data due to human error or application failure. Alternative methods such as degaussing or physical drive destruction are unreliable, destroy the value of the asset, and increase e-waste. Even when drives are hammered or drilled, data may still be accessible.
Solution
Data security has become a business issue, not just an IT issue. Protecting off-network assets involves more than erasing drives. It is a process that must include inventory tracking, physical security, chain-of-custody controls, and process verification. According to technology change management company Redemtech, best practices for securing off-network assets include the following:
• serialized chain-of-custody tracking from deinstallation through final disposition;
• asset recovery discipline to prevent the unsecured stockpiling of idle assets;
• full encryption, locking, or erasure of data-bearing assets prior to transport;
• strict in-transit controls, including inventory audit;
• certified data destruction, including verification and error-checking processes for each serialized asset and a data security repository for auditable proof downstream; and
• monitoring compliance with enterprise security policies and all critical risk-mitigating functions.
— RH