This time of year always marks the start of spring cleaning in my household. I love spring cleaning for many reasons. Not only does it give me the chance to make new space in the garage, get the backyard ready for summer barbecues and rediscover all the books and knickknacks that had been hiding beneath my couch cushions all year — it gives a security guru like myself the opportunity to talk to healthcare organizations about the importance of proper cleaning and disposal of data.
If, like me, spring cleaning is an annual tradition for you, you probably already know how important it is to properly dispose of any used and unwanted items. You probably also know that proper disposal procedures are more obvious for some items than others. For example, it’s easy to get rid of recyclables. You organize recyclable materials into the proper bins given to you by your city or town, set them on your curb on trash night and let the sanitation department take care of the rest. However, proper disposal of something like motor oil might be less obvious. You know you shouldn’t set motor oil out on the curb, but rather contact the city for how to safely dispose of it.
We are motivated to properly dispose of certain items because we want to do our part to protect our environment and don’t want to risk doing harm to ourselves and others. What we don’t always realize is that similar motivations should influence how we dispose of data.
Think about all the data that might be stored on some of your old electronic devices. For example, your smart phone — a device which many of us use to store almost all of our personal information, including email, contacts, and bank account details — may still have personal data left on its internal memory even after you remove the SIM and SD cards. As technology advances and more of our devices are becoming “smart,” it is critical to properly dispose of all electronic devices, from your old computer (where you paid all of your bills) to your SmartTV (where you accessed your Netflix, Hulu and Amazon accounts).
To investigate how often data remains on electronic devices, the New York-based computer forensics firm Kessler International purchased 100 hard drives on eBay. After analyzing the drives, they found that 40 of the 100 drives contained personal, private or sensitive information. Some data was retrieved with special forensics software, but other drives contained sensitive data that was completely visible, having never been overwritten or erased. Of the data retrieved, 36% was personal and confidential information, 21% were emails, 13% were photos, and 11% were corporate documents.
Numbers like that are extremely concerning to me, but if you’re not a very private person, you might think there is little risk in someone finding some of your old emails and photos. The reality is your information is extremely valuable on the black market: Social Security numbers are worth $250-400, U.S. credit cards with track data are worth about $12 each and bank account information can fetch upwards of $1,000. There is a market for your data, which is why it is critical to properly dispose of electronic devices and documents to protect your personal and confidential information from being exploited.
I don’t want you to be intimidated by big numbers and dollar signs. It is actually very easy for anyone, including healthcare organizations, to properly destroy data. Just follow a few simple rules:
- To dispose of magnetic devices (e.g., old floppy disks and standard hard drives), shred or degauss them.
- To dispose of flash-memory based devices (e.g., USB thumb drives and solid-state drives), shred them.
- To dispose of paper documents, shred them.
For more specific instructions for destroying data, check out the Guidelines for Media Sanitization from the National Institute of Standards and Technology (NIST).
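Before a drive leaves your hands, it is worth checking whether readable data is still sitting on it, the way the drives bought on eBay above were found. The following is an added example, not code from the original post, that scans a raw disk image for blank blocks and for recognisable personal-data patterns; the image contents and the patterns are constructed for illustration.

```python
import re
import sys
from typing import Dict

# Patterns for data that should never survive on a disposed drive.
# Constructed for this example; extend for your own environment.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def scan_image(data: bytes, block_size: int = 512) -> Dict[str, object]:
    """Report how much of an image is non-blank and whether any
    email addresses or SSN-shaped strings are still readable."""
    total = max(1, (len(data) + block_size - 1) // block_size)
    nonblank = 0
    for off in range(0, len(data), block_size):
        blk = data[off:off + block_size]
        if blk.count(0) != len(blk):      # any non-zero byte in the block
            nonblank += 1
    return {
        "blocks": total,
        "nonblank_ratio": nonblank / total,
        "emails": len(set(EMAIL_RE.findall(data))),
        "ssn_like": len(set(SSN_RE.findall(data))),
    }


def sanitized(report: Dict[str, object], expect_zero_fill: bool = True) -> bool:
    """True only if no personal-data pattern was found and, when the drive
    was supposed to be zero-filled, no block still holds data."""
    if report["emails"] or report["ssn_like"]:
        return False
    return (not expect_zero_fill) or report["nonblank_ratio"] == 0.0


# Constructed sample images: one with a leftover email and a fake SSN
# buried among zero blocks, one fully zero-filled.
LEAKED_IMAGE = (b"\x00" * 1024
                + b"From: jane.doe@example.com SSN 123-45-6789"
                + b"\x00" * 1000)
WIPED_IMAGE = b"\x00" * 4096

if __name__ == "__main__":
    # Usage: python check_wipe.py /path/to/image.raw (reads the whole file)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAKED_IMAGE
    rep = scan_image(image)
    print(rep, "SANITIZED" if sanitized(rep) else "DATA STILL PRESENT")
```

A drive overwritten with a random pattern rather than zeros will show a high non-blank ratio, so call `sanitized(report, expect_zero_fill=False)` in that case and rely on the pattern checks.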
It is also crucial that healthcare organizations consider where they dispose of data. Leaving anything that could contain confidential information in an environment where it is vulnerable to exposure could put you at risk of violating HIPAA and incurring serious fines and penalties. In April 2015, Cornell Prescription Pharmacy was hit with a $125,000 fine for disposing of documents containing protected health information (PHI) in a dumpster that was easily accessible to the public. In June 2009, the U.S. Department of Health and Human Services Office for Civil Rights served Parkview Health System with an $800,000 fine for leaving 71 cardboard boxes of patient medical records on the driveway of a physician’s home, 20 feet from the public road and not far from a heavily-trafficked shopping center. These fines could have easily been avoided if the organizations followed proper procedures for destroying and disposing of data. When in doubt, consult NIST’s Guidelines for Media Sanitization.
Keep in mind that the less data you keep around your home, office or data center, the less information there is to take. Last month, we talked about the payment technologies provider organizations can use to securely store patient data electronically without storing data on USBs or keeping paper copies of personal information around the office. By leveraging such technologies, healthcare organizations can protect sensitive information and avoid penalties and fines.
So before you kick off your annual spring cleaning, carefully consider how and where you dispose of old electronics and documents. Just as you read the labels on your household cleaning supplies before you use them, make sure you read and understand the guidelines for destroying and disposing of data, then use the proper tools (i.e., shredders and degaussers) to get the job done. It’s a simple precautionary step that will protect your data. Happy, safe cleaning!