Avoid being the next data-security-breach headline
By Jim Kegley, September 2010
While larger budgets provide healthcare managers with unique opportunities for technology advancements, few people are paying attention to their largest data security weakness — old IT.
For healthcare management managers and executives, it almost seems impossible. Everyone is buying fancy new biometric scanners, fisheye lenses and other security devices. They're upgrading to the newest encryption techniques and working every day to secure information against loss — and yet, in first quarter 2010, the Open Security Foundation recorded over 30 data loss incidents by healthcare groups.
The problem isn't that people aren't working hard enough. The problem is that the vast majority of IT capital is going to the latest and greatest internal security, even though 85 percent of security breaches occur off-network. So how do you cover the gap? Proper IT asset disposition, also known as ITAD.
Don't just throw money at IT
Although Applied Management Systems (AMS) reports that healthcare IT departments are securing larger budgets overall, the fact remains that demands on the IT workforce are increasing at a similar pace. As IT advances and electronic charting becomes increasingly popular, most of the budget increases within healthcare management groups are spent on the time-consuming process of designing new internal standards, integrating new technology and maintaining new assets.
But replacing all your old stuff with the latest and greatest IT assets creates more chances for data exposure, as the older, unused equipment is ushered out the back door to its final resting place.
So, while larger budgets provide healthcare managers with unique opportunities for technology advancements, few people are paying attention to their largest data security weakness — old IT.
Before contributing to the chaos with more money for more IT assets, take a second and make sure that you are focused on closing the gap with top-notch security for your off-site ITAD. Only after securing your disposition process can you buy new IT assets with the complete confidence that your old ones are not exposing you to danger.
Unfortunately, as long as no one exposes your data or reports security problems, existing problems with ITAD can lurk beneath the surface, going unnoticed for years. Often, this fools management teams into a false sense of security. Nothing could be further from the truth. As more and more assets are replaced, there are more and more opportunities for data exposure.The reality is that most breaches occur offline, where the least amount of attention is paid.
And the costs associated with even a single security data breach are simply too high to risk. Consider the following situation:
• 57 hard drives were stolen from a secure BlueCross of Tennessee location.
• BlueCross had to notify 32 state attorney generals.
• BlueCross has already spent over $7 million on the discovery process.
• This single event could cost over $200 million and years of work before it is over.
• BlueCross must notify thousands of customers that their information has been lost or exposed.
If this seems like an extreme case, think again. BlueCross was not violating any standards, procedures or laws when the hard drives were stolen. Rather, the drives were sitting in storage, waiting for someone to finish the IT disposition process.
And, even though BlueCross lost 57 hard drives, even small amounts of lost data can quickly become costly. On average, each lost or exposed customer record costs $202.
Start working now
So how can proactive healthcare management executives assure themselves that they will not end up in the same situation as BlueCross, potentially paying out hundreds of millions for a single security breech? One simple rule: Verify that data is wiped before assets leave.
One of the biggest problems with proper ITAD in healthcare management environments is the belief that simply telling people to wipe or destroy data means it will actually happen. But the truth is that employees are trained to do their jobs, and may not know how to properly track and dispose of IT assets, a process well outside of standard IT management experience.
The only way to ensure proper disposal is by following these steps.
Step 1: Keep it professional
• Using current employees can be an effective way to wipe data and track assets, but consultants are often needed to help establish strong procedures and controls. Never sub-contract the actual ITAD services to a staffing agency or similar group. Only fully trained employees should touch your old assets.
• Teaming with a vendor is a powerful way to eliminate the overhead of training and monitoring for ITAD off site. However, be mindful in selecting a partner.
• Forty-four percent of all data security breaches in 2008 were the fault of third parties. The HITECH Act holds healthcare organizations financially responsible for third-party errors, and fines can reach $50,000 per infraction. Avoid these problems by selecting bonded, ensured vendors with proven track records. Avoid any group that sub-contracts work to others.
Step 2: Lock it down
• Wiping and shipping IT assets is not as simple as counting assets before, during and after each step of the process. Each piece of equipment must be identified and tracked individually, every step of the way. Getting it right takes experience. This is one reason why many groups choose to work with vendors that have already established strong controls.
• The fastest and most reliable way to accomplish this is with electronic verification. Use a robust, redundant system that records the status of each unit as it moves through the steps. Make sure that it automatically alerts employees to potential errors.
• At each step and before assets leave the site, managers should verify inventory lists and bills of lading to ensure that numbers are accurate.
Step 3: Sweat the small stuff
• While most people are mindful to ensure that all data is wiped from hard drives in computers and laptops, many forget that cell phones, fax machines, scanners, printers and USB drives can all carry sensitive information.
• Fax machines, scanners and printers all store complete images of recent documents.
• iPhones can hold up to 32 GB of customer documents.
• Phones are frequently replaced, because everyone wants the latest and greatest smartphone.
Step 4: Ship it right
• Whether using on-site employees or a vendor, be sure that assets are shipped according to a secure schedule rather than whatever is convenient for the shipping company. Assets should be moved soon after they are wiped and sent only through specially secured lines. FedEx and UPS both provide specific, secure services.
• Some vendors include shipping in their services package, which is a fantastic convenience. However, before sending assets out the door be sure that drivers are not sub-contractors.
Do not relax
Once processes have been improved or a vendor has been selected, organizations can rest assured that their processes are stronger than ever. But they cannot be sure that all will remain well. Regular vigilance is still necessary.
Between 2007 and 2009, 75 percent of security breaches at one multinational healthcare company were caused by fraud and/or failure to follow procedure.
Avoid being the next headline. Every quarter, invite a third party to verify the following aspects of your disposition process:
• Technology used to wipe, verify and track assets.
• Compliance with established procedures and protocols.
• Employee competence and training.
• Do not, under any circumstances, think that internal reporting is enough to solidify your security strategy. Self-reporting is almost always fraught with problems. Have a trusted, accredited third-party provider perform all security audits.
• Of course, this same standard should be applied to any vendors you work with. On top of the audits mentioned above, ITAD companies should be able to provide on-demand access to independent, third-party information about employee criminal records and any assets in their possession.
Security-conscious members are taking control by establishing and verifying new procedures and controls or teaming with a high-quality ITAD vendor.
Jim Kegley is CEO and founder, US Micro Corporation.
For more information on US Micro Corporation solutions: www.rsleads.com/009ht-201