In Parts 1 and 2, I
discussed the sheer variety and numbers of equipment involves in patient
care. Together with the various types of
ownership, hospital face a real risk of letting important patient data getting
into the hands of criminals or just malicious people. In the criminal's mind, Why risk a hack when you can scavenge? The potential
cost runs from embarrassment, angry customers to millions of dollars in credit monitoring cost just from one device.
Part 3 of 3:
Another particular
risk that James and I talked about did catch me a little off guard. I was not aware of how long an equipment owner
may be at risk at the hands of a leasing company that may have a less than
stellar data destruction program.
A leasing company
may not sell an asset at the end of a lease term. James stated, “Instead, it may choose to pay a
storage fee to hold on to the equipment.
Depending on the useful life this could be for years 5-7 years.” Meaning, a release of your patient and
sensitive information can boomerang out of the past and take a bite out of your
bottom line years after you think it’s all said and done.
The bank and the
customer not only have a mutual risk associated with sensitive data but with
software applications loaded onto hand drives. Shredding a hard drive can result in the
finance company charging hardware replacement costs, application replacement
costs with maintenance costs on top of everything. It may be a good idea to
access that cost before those tasks are performed.
LifeSpan engages healthcare customers through
a mix of “training, best practices, and onsite or offsite data destruction”. James further commented, “Whether or not they
use our services or if they do it in-house or they outsource it to someone
else, they need to be thinking about these things. As an educational partner, we can help them guard
the bases that way.”
In response, I
asked, “How do you educate your customers?”
He answered, “Articles,
webinars and on-site training…. Data destruction to me is all about redundancy.
If you have an internal process you
should also have an external review process as well. Both should be audited.”
LifeSpan uses:
- NAID AAA
Certification – The certification agency subjects LifeSpan to unannounced
audits by the certifying agency.
- U.S. Department
of Defense data destruction standards
--- DoD 5220.22-M
--- NIST 800-88
Education,
training, redundancy, backed up by multiple certifications and unannounced
inspections by certifying agencies, LifeSpan seeks to lead the way in helping
healthcare agencies prevent unintended releases of data and the costs associated
with it.
Tell them Al sent
you.