Improper Data Disposal Can Open You Up to HIPAA Violations. Stay in Compliance With These Spring Cleaning Tips.
This time of year always marks the start of spring cleaning in my household. I love spring cleaning for many reasons. Not only does it give me the chance to make new space in the garage, get the backyard ready for summer barbecues, and rediscover all the books and knickknacks that had been hiding beneath my couch cushions all year—it also gives a security guru like myself the opportunity to talk to healthcare organizations’ billing services about the importance of properly cleaning up and disposing of data.
If spring cleaning is an annual tradition for you, too, you probably already know how important it is to properly dispose of any used and unwanted items. You probably also know that proper disposal procedures are more obvious for some items than others. For example, it’s easy to get rid of recyclables. You organize recyclable materials into the bins given to you by your city or town, set them on your curb on trash night, and let the sanitation department take care of the rest. However, the disposal of something like motor oil may be less obvious. You know you shouldn’t set motor oil out on the curb, but should instead contact the city to find out how to dispose of it safely.
We are motivated to properly dispose of certain items because we want to do our part to protect the environment and don’t want to risk doing harm to ourselves and others. What we don’t always realize is that similar motivations should influence how we dispose of data.
Think about all the data that might be stored on some of your old electronic devices. For example, your smart phone—a device that many of us use to store almost all of our personal information—may still have personal data left on its internal memory even after you remove the SIM and SD cards. As technology advances and more of our devices are becoming “smart,” it is critical to properly dispose of all electronic devices, from your old computer (where you paid all of your bills) to your SmartTV (where you accessed your Netflix, Hulu, and Amazon accounts).
To investigate how often data remains on electronic devices, the New York-based computer forensics firm Kessler International purchased 100 hard drives on eBay. After analyzing the drives, they found that 40 of them contained personal, private, or sensitive information. Some data was retrieved with special forensics software, but other drives contained sensitive data that was completely visible, having never been overwritten or erased. Of the data retrieved, 36 percent was personal and confidential information, 21 percent were emails, 13 percent were photos, and 11 percent were corporate documents.
Numbers like that are extremely concerning to me, but if you’re not a very private person, you might think there is little risk in someone finding some of your old emails and photos. The reality is your information is extremely valuable on the black market: Social Security numbers are worth $250-400, US credit cards with track data are worth about $12 each, and bank account information can fetch upwards of $1,000. There is a market for your data, which is why it is critical to properly dispose of electronic devices and documents to protect your personal and confidential information from being exploited.
I don’t want you to be intimidated by big numbers and dollar signs. It is actually very easy for anyone, including billing services, to properly destroy data. Just follow a few simple rules:
- To dispose of magnetic devices (e.g., old floppy disks and standard hard drives), shred or degauss them.
- To dispose of flash-memory-based devices (e.g., USB thumb drives and solid-state drives), shred them.
- To dispose of paper documents, shred them.
For more specific instructions for destroying data, check out the Guidelines for Media Sanitization from the National Institute of Standards and Technology (NIST).
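As an added illustration (not part of the original column, and not code from NIST or InstaMed), the following Python script performs the kind of verification step that NIST SP 800-88 expects after a Clear or Purge operation: it scans a raw image of the sanitized media for blocks that are still zero-filled and for runs of readable text, the same unerased material Kessler's analysts found on the eBay drives. The sample image and the patient record inside it are constructed for the demo; any real check would read the image from the device under review.

```python
import re
from collections import Counter

# A run of 16 or more printable ASCII bytes is a cheap indicator of leftover
# documents, emails or records on media that was supposed to have been wiped.
TEXT_RUN = re.compile(rb"[\x20-\x7e]{16,}")


def scan_image(image: bytes, block_size: int = 512) -> dict:
    """Classify each block of a raw media image as zero-filled, text-bearing or other.

    Returns the counts plus the readable runs found (with their byte offsets) so a
    reviewer can see exactly what survived the sanitization step.
    """
    counts = Counter()
    findings = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        if not any(block):
            counts["zero"] += 1
        elif runs := TEXT_RUN.findall(block):
            counts["text"] += 1
            findings.extend((offset, run.decode("ascii")) for run in runs)
        else:
            counts["other"] += 1
    return {"blocks": sum(counts.values()), "zero": counts["zero"],
            "text": counts["text"], "other": counts["other"], "findings": findings}


def verdict(report: dict) -> str:
    """Release decision: any readable run means the media must not leave custody."""
    if report["text"]:
        return "FAIL: readable residue found"
    if report["zero"] == report["blocks"]:
        return "PASS: every block is zero-filled (consistent with an overwrite)"
    return "PASS: no readable residue (confirm the overwrite pattern separately)"


# Constructed sample image (hypothetical data, not a real drive): three zero-filled
# blocks, one block holding a fake patient record, and one non-text binary block.
ZERO_BLOCK = bytes(512)
RECORD_BLOCK = b"Patient: Jane Example  MRN 000-TEST  Dx: sample".ljust(512, b"\x00")
BINARY_BLOCK = bytes(0x80 | (i % 128) for i in range(512))
SAMPLE_IMAGE = ZERO_BLOCK * 3 + RECORD_BLOCK + BINARY_BLOCK

if __name__ == "__main__":
    report = scan_image(SAMPLE_IMAGE)
    print(verdict(report))
    for offset, text in report["findings"]:
        print(f"offset {offset}: {text!r}")
```

This is a readability check on the logical image only; it does not see remapped or over-provisioned flash cells, which is why the list above still calls for physically shredding flash-based devices.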
It is also crucial that healthcare organizations consider where they dispose of data. Leaving anything that could contain confidential information in an environment where it is vulnerable to exposure could put you at risk for a HIPAA violation and incur serious fines and penalties. In April 2015, Cornell Prescription Pharmacy was hit with a $125,000 fine for disposing of documents containing protected health information (PHI) in a dumpster that was easily accessible to the public. In June 2009, the US Department of Health and Human Services Office for Civil Rights served Parkview Health System with an $800,000 fine for leaving 71 cardboard boxes of patient medical records on the driveway of a physician’s home, 20 feet from the public road, and not far from a heavily trafficked shopping center. These fines could easily have been avoided if the organizations had followed proper procedures for destroying and disposing of data. When in doubt, consult NIST’s Guidelines for Media Sanitization.
Keep in mind that the less data you keep around your home, office, or data center, the less information there is to take. In my Security Corner on the InstaMed blog, I have discussed advanced payment technologies that healthcare organizations like billing services can use to securely store patient data electronically without storing data on USBs or keeping paper copies of personal information around the office. By leveraging such technologies, billing services can protect sensitive information for their provider clients and avoid a data breach, which could result in irreparable damage to your business’s reputation.
So before you kick off your annual spring cleaning, carefully consider how and where you dispose of old electronics and documents. Just as you read the labels on your household cleaning supplies before you use them, make sure you read and understand the guidelines for destroying and disposing of data, then use the proper tools (i.e., shredders and degaussers) to get the job done. It’s a simple precautionary step that will protect your data.
Happy, safe cleaning!
Noah Dermer, JD, is InstaMed’s security officer. Prior to joining InstaMed, Dermer was Epic’s chief privacy and security officer. Dermer also managed Epic’s security research and development team, which develops software that helps hospital organizations ensure the confidentiality, availability, and integrity of healthcare data. Prior to his work on the security team, Dermer worked at Epic on clinical applications where he designed, coded, and maintained computerized physician order entry software. He has also been a network administrator and worked for a large financial technology services company and a technology consulting firm.