How to avoid a health data spill when recycling IT
Safeguarding health information doesn’t end when a product reaches the end of its lifecycle. And with estimates that health records carry a street value fifty times that of financial records, health entities still need to actually destroy the data – without stepping outside environmental guidelines.
Earlier this year, the U.S. General Services Administration announced a new policy that bans federal agencies from disposing of electronic waste in landfills or incinerators. Instead, the GSA policy requires those agencies to reuse electronics to the extent possible and to send end-of-life devices to certified electronics recyclers.
The U.S. Environmental Protection Agency estimates the federal government discards approximately 10,000 computers every week, making it the nation’s largest generator of electronic waste. A policy that directs federal agencies to reuse and recycle electronics, rather than bury, incinerate, or export them, has the potential to achieve tremendous environmental good, including recovering valuable, reusable materials. This reduces the need to extract and process raw resources and protects air, soil, and water.
More helpful facts to be aware of:
• The frequency of data breaches among organizations in the study increased 32 percent from the previous year, and 96 percent of all health care providers report having experienced at least one data breach in the last two years.
• The average number of affected records per breach was 2,575, up from 1,769 records in 2010.
• The cost of each of those data breaches also increased by 10 percent to $2.2 million.
The top three causes of data breaches in health care organizations, according to the Ponemon Institute’s research, are familiar ones — lost or stolen media, third-party oversight, and human error — and ones that IT personnel already strive to eliminate. But in their efforts to comply with the GSA’s mandate to recycle obsolete devices, agencies may unwittingly introduce a fourth cause: lapsed security procedures. Protocols that protect equipment and the data residing on that equipment from intrusion, loss, and unauthorized access while it is in use may be neglected once equipment is identified as nonworking and marked for recycling. For example, such equipment may be moved to a storage facility where it is beyond an agency’s watchful eye and handled by multiple individuals before it is finally recycled. And yet, that equipment may still contain readily accessible data that could leave an agency vulnerable to a data breach threat.