Thursday, February 28, 2013

Part 3 of 3, Interoperability and Protecting Sensitive Data


In Parts 1 and 2, I discussed the sheer variety and number of devices involved in patient care.  Together with the various types of ownership, hospitals face a real risk of important patient data getting into the hands of criminals or simply malicious people.  In the criminal's mind: why risk a hack when you can scavenge?  The potential cost runs from embarrassment and angry customers to millions of dollars in credit monitoring costs, all from a single device.




Part 3 of 3:
Another risk that James and I talked about caught me a little off guard.  I was not aware of how long an equipment owner may remain exposed at the hands of a leasing company with a less than stellar data destruction program.

A leasing company may not sell an asset at the end of a lease term.  James stated, “Instead, it may choose to pay a storage fee to hold on to the equipment.  Depending on the useful life, this could be for 5-7 years.”  Meaning, a release of your patient and sensitive information can boomerang out of the past and take a bite out of your bottom line years after you think it is all said and done.

The bank and the customer share a risk not only from the sensitive data but also from the software applications loaded onto the hard drives.  Shredding a hard drive can result in the finance company charging hardware replacement costs and application replacement costs, with maintenance costs on top of everything.  It is a good idea to assess that cost before the drive is destroyed.

LifeSpan engages healthcare customers through a mix of “training, best practices, and onsite or offsite data destruction”.  James further commented, “Whether or not they use our services or if they do it in-house or they outsource it to someone else, they need to be thinking about these things.  As an educational partner, we can help them guard the bases that way.”

In response, I asked, “How do you educate your customers?” 

He answered, “Articles, webinars and on-site training…. Data destruction to me is all about redundancy.  If you have an internal process you should also have an external review process as well.  Both should be audited.”

LifeSpan uses:
- NAID AAA Certification – NAID subjects LifeSpan to unannounced audits by the certifying agency.
- Government data destruction standards
--- DoD 5220.22-M (U.S. Department of Defense)
--- NIST SP 800-88 (National Institute of Standards and Technology)
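As an added example that is not part of the original article and is not LifeSpan's own process, here is what an overwrite-and-verify run looks like in Python: the three-pass pattern commonly attributed to DoD 5220.22-M (a fixed byte, its complement, then random data), followed by the full read-back verification that NIST SP 800-88 calls for, with an audit record per pass for the internal or external reviewer.  The file path, pass schedules and the fake patient record are constructed for the example; on a real device you would point it at the block device, and for flash/SSD media you would use the firmware's secure erase or crypto erase instead, since wear leveling can leave copies an overwrite never touches.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read

# Pass schedules (constructed for this example). None means cryptographically random bytes.
DOD_3PASS = [b"\x00", b"\xff", None]  # fixed byte, its complement, random
NIST_CLEAR = [b"\x00"]                # single overwrite, then verify


def _media_size(f):
    """Size of a regular file or a block device (os.path.getsize reports 0 for devices)."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_pass(path, pattern):
    """Overwrite every addressable byte once and return the SHA-256 of what was
    written, so the pass can later be verified by reading the media back."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = _media_size(f)
        while remaining:
            n = min(CHUNK, remaining)
            buf = secrets.token_bytes(n) if pattern is None else pattern * n
            f.write(buf)
            digest.update(buf)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # force it to the device, not just the page cache
    return digest.hexdigest()


def readback_digest(path):
    """Full read-back of the media: the verification step in NIST SP 800-88."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            digest.update(buf)
    return digest.hexdigest()


def sanitize_and_verify(path, schedule):
    """Run the pass schedule, then verify the final pass by full read-back.
    Returns (verified, audit_log); the log is the per-device evidence an
    internal or external reviewer would ask for."""
    audit_log = []
    expected = None
    for number, pattern in enumerate(schedule, 1):
        expected = overwrite_pass(path, pattern)
        audit_log.append({
            "pass": number,
            "pattern": "random" if pattern is None else pattern.hex(),
            "sha256_written": expected,
        })
    verified = readback_digest(path) == expected
    audit_log.append({"verified": verified})
    return verified, audit_log


def demo(schedule=DOD_3PASS):
    """Wipe a temp file standing in for a returned device and confirm the
    constructed patient record can no longer be found on it."""
    record = b"MRN 000123 DOE, JANE DOB 1970-01-01\n"  # constructed fake PHI
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(record * 4096)
        path = f.name
    try:
        verified, audit_log = sanitize_and_verify(path, schedule)
        with open(path, "rb") as f:
            still_present = b"DOE, JANE" in f.read()
        return verified and not still_present and len(audit_log) == len(schedule) + 1
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("DoD 3-pass + verify:", demo(DOD_3PASS))
    print("NIST clear + verify:", demo(NIST_CLEAR))
```

The hash of what was written is kept per pass so that even the random final pass can be verified against the read-back, and the audit log is what both the in-house process and the outside review would sign off on.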

Education, training and redundancy, backed up by multiple certifications and unannounced inspections by certifying agencies: this is how LifeSpan seeks to lead the way in helping healthcare organizations prevent unintended releases of data and the costs that come with them.

Any questions about the article?  Leave a post or send an email to alfordhardy@gmail.com

Tell them Al sent you.



2 comments:

  1. Submitted by Caroline Clarke, Melbourne Area, Australia
    Salutations Al,
    Thank you for the connection. The message here illuminates the importance of risk management. It is becoming clear that the equipment has end-of-life implications greater than the disposal of the equipment alone - the segue in the three parts realises the merits of action planning to manage sensitivity. Again, thank you.

    Kind regards Caroline

    1. Caroline,

      You are welcome. Very exact on the end of life comment.
      Al Hardy
