October 24, 2011
At Your Disposal
By Maura Keller
For The Record
Vol. 23 No. 19 P. 8
A decade ago, it would have been commonplace to walk through the utility storage area of a major hospital and see carts of old computers being ‘stored’ until they were properly discarded.
Fast-forward to 2011, and you’d be hard pressed to see such haphazard treatment of computer devices that house vital, private information—or that’s the hope at least. Teeming with patient data and proprietary information, computer equipment from healthcare facilities needs to be properly disposed of to protect patients, providers, and the healthcare organization at large.
From Treasure to Trash
According to Jim Kegley, president and CEO of U.S. Micro Corporation, the need for proper computer disposal is greater today than at any other point in time, primarily as a result of the HITECH Act. As Kegley explains, the act, which expanded HIPAA privacy and security protections and mandates healthcare organizations to notify patients when their information is breached, requires hospitals and healthcare providers to safeguard patient data, particularly at the most vulnerable stage of an asset’s life—the end.
“Hospitals are also seeing an explosion of data-bearing technology devices, including more mobile forms of devices, as a result of the HITECH Act, which are intended to increase the use of electronic health records by physicians and hospitals,” Kegley says. “Consumers and patients now expect a higher standard of data security as there is a greater overall awareness by the patient community of the negative implications of a breach on their personal information.”
Indeed, as hospitals implement HIT systems and quality and safety management programs, new computers are usually part of the update.
“So what happens to the old systems?” asks Liz Walker, vice president of marketing and business development at Image Microsystems, Inc. “These idled assets pose a series of problems. First, old computer equipment piled up in a storeroom is not a sustainable model. You are possibly paying property tax on idled IT assets, you may have software licenses that need to be redeployed, etc. Secondly, most hospital computers are filled with sensitive personal health data. Managing those old computers in compliance with HIPAA guidelines necessitates proper security and/or disposal—data wiping—of personal health information.”
Mistakes Being Made
Healthcare facilities continue to make mistakes when it comes to the proper handling of retired computer equipment.
“Recently, BlueCross and BlueShield of Tennessee had hard drives that were stolen while awaiting shipment to a destruction vendor. This highlights the importance of securing the data on all devices upon retirement,” Kegley says. “Data breaches cost healthcare organizations nearly $6 billion annually, according to the “Benchmark Study on Patient Privacy and Data Security.” The report also found each data breach costs $2 million per organization over a two-year period.”
How do such significant oversights occur? As Kegley points out, hospitals, which historically have understaffed IT departments and face constant pressure to reduce costs, are oftentimes guilty of not committing people and financial resources to manage patient data contained in a retired asset.
“As an example, a hospital may not commit the in-house IT staff resources necessary to perform Department of Defense [DoD]-compliant multipass data-cleansing specification hard drive wipes on PCs at the time of retirement but opt to allow this important function to occur off site at a vendor’s location,” Kegley says. “While this decision may save on precious in-house IT staff time, a hospital has now exposed itself to greater liability if a PC is lost or stolen in the transportation process or while stored at the vendor’s facility.”
And as Walker points out, some hospitals have actually sold their old systems to recyclers that pay for them by the pound.
“This is very bad news,” she says. “Recycling of computers properly costs money. So if an entity offers a hospital a price per pound for their old computers or offers to recycle them for free, then the hospital should be very alarmed. These recyclers typically sell those computers to emerging markets without proper data sanitization. Some hospitals have actually landfilled old computers. And believe it or not, some have actually incinerated their old computers.”
Steps to Take
According to Kegley, there are two important considerations to make when disposing of computer technology. The first is ensuring that all data are wiped in accordance with a DoD or National Institute of Standards and Technology standard at the time an asset is retired. Healthcare facilities should also resell or recycle all computer equipment in accordance with federal, state, and local laws.
“Many technology devices can be resold on the secondary market, particularly devices less than five years old,” Kegley says. “Devices older than five years typically do not have legitimate resale markets and should be properly recycled by a qualified provider.”
What’s more, the types of technology should determine the ways in which a device should be disposed of.
“As an example, many hospitals are still unaware that most copiers purchased in the last seven years contain hard drives that store data,” Kegley says. “If a hospital is not aware that particular devices have the ability to store data, they might allow these devices to be resold upon retirement into the secondary market, thereby exposing themselves to a costly breach.”
Determining whether a hospital is properly discarding retired equipment generally should begin with an in-depth analysis of policies and procedures.
“A good overall guiding principle should be to never allow hospital data to leave the hospital and have a process to ensure compliance with this policy for every device that is retired,” Kegley says. “After developing its policies and procedures governing computer disposal, a hospital can then evaluate whether to perform many of the functions related to disposal using its own staff, engaging a highly qualified IT asset disposal [ITAD] service provider, or a combination of the two.”
Options exist for hospitals to create security-conscious disposal programs that can be cost-effective or even produce net monies. ”However, hospitals must be particularly concerned with not taking shortcuts or trying to avoid legitimate costs when retiring technology assets,” Kegley says.
Walker adds that responsible IT recycling partners charge a fee to pick up old computers, wipe the disk drives to DoD specifications, and remove asset tags, among other services.
“This fee is generally offset by a revenue-sharing agreement between the hospital and the recycler,” Walker says. “If the computer or components can be repaired for resell, then a revenue-sharing agreement provides money back to the hospital.”
Donating the computers to a nonprofit organization is another option.
“However, it needs to be done in a process-driven, thoughtful way,” says Angie Singer Keating, CEO at Reclamere. “For instance, if a hospital uses their computers past about three years, those devices really are not of value as donations. All that has been done is transferring the burden of disposal to a nonprofit that probably has even less resources to properly dispose of the material. Also, proper data sanitization prior to the donation is crucial to avoid a data breach, but proper data destruction will also eliminate the operating system on the device. For most average users, a computer without an operating system is little more than a boat anchor. Microsoft is very strict about the transfer of licensing with equipment and unless the media is also donated, there really is no inexpensive or easy way to reload the computer with an operating system so it can be used.”
When selecting a vendor to handle proper computer disposal, hospitals should research a company’s financial viability, track record, and operating procedures.
“Ideally, search for a provider that performs all of the services required without the use of subcontractors,” Kegley says. “Many companies offering ITAD services do not actually perform the work themselves, including many computer manufacturers. You certainly would not expect to take your Mercedes to the dealership you bought it from for repairs only to discover the repairs were made by a local repair shop. Guard against discovering too late that the company you selected to dispose of your computer equipment is relying on subcontractors and/or other companies along the way.”
Hospitals should contact organizations such as the Reverse Logistics Association, the Institute of Scrap Recycling Industries, or R2 Solutions to find electronics recyclers that are members in good standing and/or certified to R2 standards. They should also look for a partner that is ISO 9001:2008, ISO 14001:2004, OHSAS 1800:2007, and R2 certified.
“Industry certifications are great,” Walker says. “The National Association for Information Destruction [NAID] has a certification program with real teeth.”
Independent auditors inspect NAID-certified facilities annually and conduct unannounced visits as well. Having an industry watchdog monitoring your vendor can be a huge help in due diligence.
Additionally, seek a recycler that provides open indemnification for data leakage.
“They also should maintain the proper amounts of data security and pollution prevention insurance,” Walker says. “If [healthcare organizations] also could find a recycler that can actually make products out of e-waste, then they have the total confidence that their material will never end up in a landfill.”
— Maura Keller is a Minneapolis-based writer and editor.