Ineffective destruction of HIPAA-protected patient data adds to the current annual cost of patient privacy breaches, estimated at around $5.6 billion.
In an attempt to protect patient privacy, hospitals have focused on external intrusion detection and hard drive encryption. In doing so they have overlooked far more insidious and growing problems: internal breaches, the lack of a secure data destruction process among their own staff and extended care partners, and data left unknowingly on hard drives and other storage devices when they are recycled. Implementing regularly scheduled physical destruction of obsolete hardware is a relatively inexpensive and virtually foolproof method of keeping that data secure.
UNDERSTANDING THE SCALE OF THE PROBLEM
Whether stolen or accidentally disclosed during the computer recycling and data destruction process, health care data represents a lucrative target. While the main causes of these breaches range from external hacking to theft of laptops and phones, the second leading cause was unauthorized access and disclosure. This disclosure could be taking place right under your nose when hard drives are taken off-site for erasing or shredding. It is clear that this problem is widespread and only going to get worse, placing a strong imperative on hospitals and clinics to rethink their approach to data security, including the physical destruction of hard drives and other storage hardware.
RECOGNIZING THE RISKS
Failure to address the data destruction problem is not only costly but can damage the hospital’s reputation and brand image. Ponemon Institute interviewed more than 850 senior-level executives, who estimate the damage to a hospital’s brand at as much as $330 million, depending on the size of the institution. In April 2014, the Office of Civil Rights levied a $2 million fine for an electronic data breach of patient information. Clearly, the risks are great. Regular, systematic physical destruction of susceptible electronics is a relatively easy solution to part of this problem.
REALISTIC ASSESSMENT OF PREPAREDNESS
Where does your organization lie on the continuum of preparedness? In a recent survey, up to 74% of healthcare respondents believed their security systems were effective. The reality is that only 20% of hospitals with 200 or more beds had a fully implemented system to manage user identity and control data access. How does your hospital or clinic handle obsolete computer equipment? Think twice about where the patient EPHI residing on computer hard drives goes when IT equipment is replaced.
CLOSING THE SECURITY GAP
Hiring a Chief Information Security Officer signals the importance you place on data security. This person needs not only people skills but the ability to calculate a reasonable budget and use those funds to implement policies that protect critical hospital objectives. No matter how strong a hospital’s privacy and security measures are, the hospital must continually verify that they are sound, uncompromising and applied consistently. Assigning ownership at the management level for assessing, controlling and reducing risks, and establishing a group to implement risk management practices, creates an internal audit team capable of providing assurance to the board about how effectively the hospital is managing privacy and potential data risk. Without this internal audit piece, the hospital runs the risk of its security and privacy practices becoming obsolete.
REALIZING THE BENEFITS OF SECURE DATA DESTRUCTION
Clearly, the risks of non-compliance with data destruction requirements can be expensive to both your hospital’s bottom line and its image. Implementing a strategy that raises data destruction to an executive-level concern and establishes a working group across the organizational chain demonstrates to the board and to the public the importance placed on proper digital media destruction.
MONITORING OBSOLETE ELECTRONIC DATA STORAGE DEVICES
Treat the disposal of computers and servers containing EPHI as being as important as procuring new equipment, and minimize the risk of unlawful access to patient data and organizational privacy by implementing scheduled physical destruction of obsolete data storage devices, such as hard drive and backup tape shredding.