Wednesday, February 27, 2013

Interoperability and Protecting Sensitive Data, Part 2 of 3

In Interoperability and Protecting Sensitive Data, February 10, 2013, I discussed how interoperability can increase the risk of sensitive data getting beyond your organization. More categories of devices will hold patient data. The asset disposition phase will become riskier than it already is, specifically in:
- Returning leased systems
- Selling to a remarket company
- Donations
- Disposing as junk

The quantity and sheer variety of devices containing data, aside from stand-alone laptops, desktops, servers, and mobile phones, make keeping sensitive data from getting beyond a healthcare organization a real problem.

Hospitals have put policies in place to resolve the problem, but leasing companies and remarketers still receive equipment containing sensitive data from healthcare organizations. Leasing companies and remarketers have found it necessary to mitigate that risk with their own procedures to:
- Add redundancy for their customers
- Protect themselves from lawsuits
- Prevent sensitive data from getting beyond them

Corporations like LifeSpan® often provide these services.  Increasingly, they are providing services more directly to hospitals and hospital systems.  I spoke with James Griffin, LifeSpan’s Managing Director of Southeast Sales.  He stated that “LifeSpan provides hardware recycling and disposal, data destruction, hardware resale, and a full range of IT asset disposition services to corporations, OEMs, hospitals, leasing companies, banks, and other businesses.”  This includes data destruction for laptops, desktops, servers, medical equipment, and imaging systems.


  
I asked James, “What are the potential costs to hospitals?”

He replied, “It costs about $100 - $200 dollars per customer, per incident for credit monitoring.”

Let’s say that a data release comes from Ambulatory Surgeries only, and restrict that to a single year of patients. Taking about 10,000 patients, that runs $1,000,000, minimally. Those 10,000 records, depending on the format, will fit on a USB drive. The comparative space on a hard drive is minuscule.

As I considered James’s comments on the costs, I thought about the additional threats. Many of today’s misuses of sensitive information are just malicious. There is no financial gain, just cyber street credit for an infamously handled avatar claiming to be unstoppable - again, all costing the owner expended resources.
  
James went on to tell me how data can get into the hands of a criminal intent on a cash return or a malicious person:
- A reseller is unable to sell equipment for an acceptable amount of cash.
- So, it is sold as waste and put in a shipping container with other waste and sold by the pound. Eventually, the container is put on a ship.
- The ship sails into a port where dumping laws are less rigid than those in the United States or European Union.
- The cargo finds its way to a dump.
- Individuals comb through these trash heaps looking for precious metals or components to sell. This brings up another LifeSpan offering, e-waste compliance, which I will cover in another blog.
- Legitimate parties restore the components, wipe the data, and resell the hardware.
- Criminal elements restore the components and the data, then resell both.
