dreds of millions for a single security breach? One simple rule: Verify that data is wiped before assets leave. One of the biggest problems with proper ITAD in healthcare management environments is the belief that simply telling people to wipe or destroy data means it will actually happen. But the truth is that employees are trained to do their jobs, and may not know how to properly track and dispose of IT assets, a process well outside of standard IT management experience.
Jim Kegley is CEO and founder, US Micro Corporation. For more information on US Micro Corporation solutions: www.rsleads.com/009ht-201
The only way to ensure proper disposal is by following these steps.
Step 1: Keep it professional
• Using current employees can be an effective way to wipe data and track assets, but consultants are often needed to help establish strong procedures and controls. Never sub-contract the actual ITAD services to a staffing agency or similar group. Only fully trained employees should touch your old assets.
• Teaming with a vendor is a powerful way to eliminate the overhead of training and monitoring for ITAD off site. However, be mindful in selecting a partner.
• Forty-four percent of all data security breaches in 2008 were the fault of third parties. The HITECH Act holds healthcare organizations financially responsible for third-party errors, and fines can reach $50,000 per infraction. Avoid these problems by selecting bonded, insured vendors with proven track records. Avoid any group that sub-contracts work to others.
Step 2: Lock it down
• Wiping and shipping IT assets is not as simple as counting assets before, during and after each step of the process. Each piece of equipment must be identified and tracked individually, every step of the way. Getting it right takes experience. This is one reason why many groups choose to work with vendors that have already established strong controls.
• The fastest and most reliable way to accomplish this is with electronic verification. Use a robust, redundant system that records the status of each unit as it moves through the steps. Make sure that it automatically alerts employees to potential errors.
• At each step and before assets leave the site, managers should verify inventory lists and bills of lading to ensure that numbers are accurate.
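Step 2 calls for per-unit tracking that alerts on errors and a reconciliation of the manifest against the inventory before anything leaves. The ledger below is an added example, not code from the article or from US Micro Corporation; the custody steps, serial numbers and manifest are assumed for illustration.

```python
# Added example: a minimal chain-of-custody ledger that refuses out-of-order
# steps (e.g. "verified" before "wiped") and reconciles the bill of lading
# against tracked status before assets leave the site.
from dataclasses import dataclass, field

# Assumed order of custody states for one unit; each step must follow the last.
STEPS = ["received", "wiped", "verified", "shipped"]


@dataclass
class Ledger:
    status: dict = field(default_factory=dict)  # serial -> current step
    alerts: list = field(default_factory=list)  # errors raised automatically

    def record(self, serial: str, step: str) -> bool:
        """Record a step for one unit; alert and refuse if it skips a step."""
        current = self.status.get(serial)
        expected = 0 if current is None else STEPS.index(current) + 1
        if expected >= len(STEPS) or STEPS[expected] != step:
            self.alerts.append(f"{serial}: '{step}' recorded while status is '{current}'")
            return False
        self.status[serial] = step
        return True

    def reconcile(self, bill_of_lading: list) -> list:
        """Compare the shipping manifest with the ledger before assets leave."""
        problems = []
        for serial in bill_of_lading:
            st = self.status.get(serial)
            if st is None:
                problems.append(f"{serial}: on manifest but never tracked")
            elif st != "verified":
                problems.append(f"{serial}: on manifest but status is '{st}', not 'verified'")
        for serial, st in self.status.items():
            if st == "verified" and serial not in bill_of_lading:
                problems.append(f"{serial}: wiped and verified but missing from manifest")
        return problems


def demo():
    """Constructed sample events; serial numbers are made up for this example."""
    ledger = Ledger()
    events = [
        ("LAPTOP-0001", "received"), ("LAPTOP-0001", "wiped"), ("LAPTOP-0001", "verified"),
        ("FAX-0002", "received"), ("FAX-0002", "wiped"),         # wipe never verified
        ("PHONE-0003", "received"), ("PHONE-0003", "verified"),  # skips the wipe step
    ]
    for serial, step in events:
        ledger.record(serial, step)
    manifest = ["LAPTOP-0001", "FAX-0002", "PRINTER-0004"]     # PRINTER-0004 never tracked
    return ledger, ledger.reconcile(manifest)
```

Only LAPTOP-0001 clears the reconciliation; the skipped step on PHONE-0003 is caught at recording time, while the unverified fax and the untracked printer are caught by the manifest check.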
Step 3: Sweat the small stuff
• While most people are mindful to ensure that all data is wiped from hard drives in computers and laptops, many forget that cell phones, fax machines, scanners, printers and USB drives can all carry sensitive information.
• Fax machines, scanners and printers all store complete images of recent documents.
• iPhones can hold up to 32 GB of customer documents.
• Phones are frequently replaced, because everyone wants the latest and greatest smartphone.
Step 4: Ship it right
• Whether using on-site employees or a vendor, be sure that assets are shipped according to a secure schedule rather than whatever is convenient for the shipping company. Assets should be moved soon after they are wiped and sent only through specially secured lines. FedEx and UPS both provide specific, secure services.
• Some vendors include shipping in their services package, which is a fantastic convenience. However, before sending assets out the door be sure that drivers are not sub-contractors.
Do not relax
Once processes have been improved or a vendor has been selected, organizations can rest assured that their processes are stronger than ever. But they cannot be sure that all will remain well. Regular vigilance is still necessary.
Between 2007 and 2009, 75 percent of security breaches at one multinational healthcare company were caused by fraud and/or failure to follow procedure. Avoid being the next headline. Every quarter, invite a third party to verify the following aspects of your disposition process:
• Technology used to wipe, verify and track assets.
• Compliance with established procedures and protocols.
• Employee competence and training.
• Do not, under any circumstances, think that internal reporting is enough to solidify your security strategy. Self-reporting is almost always fraught with problems. Have a trusted, accredited third-party provider perform all security audits.
• Of course, this same standard should be applied to any vendors you work with. On top of the audits mentioned above, ITAD companies should be able to provide on-demand access to independent, third-party information about employee criminal records and any assets in their possession.
Conclusion
Security-conscious members are taking control by establishing and verifying new procedures and controls or teaming with a high-quality ITAD vendor.
HMT HEALTH MANAGEMENT TECHNOLOGY September 2010 19