Old IT, new tricks
We hear a lot in the medical field about end-of-life care. Just as patients need wise, compassionate and specifically targeted treatments as they near the end of their days, so too does medical technology that's ceased to be operational.
A lot of attention is being paid – and a lot of heartburn is being suffered – as healthcare providers try to maintain top-notch privacy and security processes for their medical devices and IT systems in the wake of new HIPAA rules.
Device manufacturers have been encouraged by the FDA to design and incorporate more robust security features in the early stages of development. (See: "Communication breakdown?")
But what about the late stages? What about when a piece of technology is replaced, becomes obsolete or otherwise outlives its usefulness?
It can't just be left on the curb for trash pick-up, of course. Most people are aware that electronic waste requires special handling. Still, healthcare needs to do a better job of it.
"Less than 10 percent of discarded computers and electronics are currently recycled, with the remainder stockpiled or disposed of in landfills, incinerators or exported to developing countries for disassembly," according to a report from the Premier healthcare alliance.
Protecting the environment is one huge responsibility, naturally. Laws such as the Resource Conservation and Recovery Act and the Comprehensive Environmental Response, Compensation, and Liability Act - the so-called "Superfund law" - dictate proper disposal of electronic waste and hold organizations legally culpable if it's done wrong.
Still, it's doubtful many hospitals would opt to set fire to their old computers in the local swamp. The more likely risk for providers has to do with protecting patient privacy.
"The healthcare industry is responsible for the consumption and disposal of millions of electronic devices every year," according to Premier. "Increased use and short life spans have made discarded computers, healthcare electronic equipment, and other consumer electronics the fastest growing portion of our waste stream."
Most of those millions of devices contain protected health information. And the HIPAA Privacy and Security Rules have very specific requirements for how covered entities must dispose of them.
"The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information," according to the Department of Health and Human Services Office of Civil Rights. That means, "reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information."
Additionally, the HIPAA Security Rule requires covered entities to address "the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use."
For electronic media, OCR calls for "clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding)."
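Added example, not from the article, OCR or Sims: a small Python clear-and-verify helper for the "clearing" option OCR lists above (overwriting media with non-sensitive data, then reading it back to confirm nothing survived). It assumes a path to a retired drive image, or a block device the script has write access to, and a single fill byte; on flash-based media (SSDs, copier and printer flash, small medical devices) it only demonstrates the verification step, because wear levelling means a software overwrite is not a reliable purge there.

```python
import os
from collections import Counter

CHUNK = 1 << 20  # 1 MiB read/write unit

def clear_media(path: str, passes: int = 1, fill: int = 0x00) -> int:
    """Overwrite every byte of `path` in place with `fill`; returns bytes written.
    Caveat: on flash media the controller may keep old blocks, so this is
    'clearing' for magnetic media only; flash needs vendor secure-erase or destruction."""
    size = os.path.getsize(path)
    buf = bytes([fill]) * CHUNK
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(buf[:n])
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite reached the device
    return written

def verify_cleared(path: str, fill: int = 0x00) -> dict:
    """Read the whole medium back; report any chunk that is not entirely `fill`.
    The residual byte histogram helps triage what is still there (text vs. structures)."""
    dirty, hist = [], Counter()
    with open(path, "rb") as f:
        off = 0
        while chunk := f.read(CHUNK):
            if chunk != bytes([fill]) * len(chunk):
                dirty.append(off)
                hist.update(chunk)
            off += len(chunk)
    return {"cleared": not dirty, "dirty_chunks": dirty,
            "residual_bytes": hist.most_common(3)}

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a fake retired-drive image holding PHI-looking text.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"PATIENT: J. DOE  SSN: 000-00-0000\n" * 4000)
        name = tmp.name
    print("before:", verify_cleared(name)["cleared"])  # False
    clear_media(name)
    print("after:", verify_cleared(name)["cleared"])   # True
    os.remove(name)
```

Run it against an image file first; pointing it at a real block device overwrites that device, which is the point, so double-check the path.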
That's just what Roseville, Calif.-based Sims Recycling Solutions enjoys doing. Sims is one of many companies specializing in clearing, purging and destroying data onsite for an increasing number of healthcare clients.
Still, not enough providers are paying attention to the risks of improper disposal, says Sims vice president Sean Magann.
"The biggest risk is not being cognizant that there's so much data in so many different devices," says Magann. "People just think of them as items to be discarded."
As hospitals put a laser focus on digitizing and going paperless, it's worth remembering that even old-guard technology like copiers and fax machines are rife with PHI.
"There is data in everything," says Magann. "Copiers that doctors' offices use to copy and scan documents - there are hard drives in them. Even small electronics that they have, from glucose meters to infusion pumps. They'll have patient information in some of these devices. People just think of them as items to be discarded, not realizing that there's flash memory in printers, flash memory in copiers, etc."
From PCs to smartphones, old technology is a goldmine in all the wrong ways for the bad guys, he says.
Once upon a time, there was "a whole underground economy if you will of people trying to get precious metals" from old technology, "sending hard drives and computers over to developing countries to find cheap ways to extract the gold, the silver, the copper," says Magann.
But lately that economy has changed.
"What's happened over the past five or six years is that bad guys got really smart," he says. "They realized there's more value in the information than in the actual commodities. It's a numbers game. You buy 100 hard drives, 99 of them will be erased and done properly. But the one that you do get contains a treasure trove of information: Social Security numbers, patient data, everything a bad guy needs."
Even with such a focus on security in the past few years, even with the HIPAA Omnibus Rule promising real pain for PHI breaches, many hospitals are still behind the eight ball when it comes to old equipment.
"We come across stuff that we know for a fact has to be erased, but it's still full of data," says Magann. "We see a lot of stuff that we know hospitals would be sick about. As someone who works in the industry, and as someone who goes to the doctor once in a while, it makes me worried to think where all that information ends up."