The Health Insurance Portability and Accountability Act (HIPAA) dictates most health organizations' IT strategy, but is your department taking all the necessary precautions?
Don't take the easy way out
HIPAA's requirements for protecting patient health care records are stringent. It may be easiest to drag a folder full of these files into the virtual trash bin and call it a day, but that only sets the organization up for a data breach.
"Failing to follow up on data disposal can lead to fines."
Take NHS Surrey, for example. According to The Guardian, it was fined £200,000 for losing 3,000 patient records. Bucking the trend, no ransomware or other malicious attack was involved; simple disregard for the safe and secure destruction of end-of-life media was all it took. The Guardian reported that the organization failed to follow up with the company tasked with recycling its hard disk drives and computers, and that business simply destroyed the devices, thinking that was enough.
Sure enough, the data ended up on the desktop of an ordinary consumer. Had it gone to someone less scrupulous, NHS Surrey would have suffered a much worse data breach.
A similar incident happened in the U.S., with the U.S. Department of Health and Human Services fining Affinity Health Plan roughly $1.2 million. The organization violated HIPAA when it failed to erase the data left on photocopiers that were returned to the company it had leased them from, exposing nearly 350,000 records. Devices like fax machines, printers and copiers are often forgotten when it comes to HIPAA, but the data they hold is just as important to sanitize.
All in all, these incidents make one point: data left on a retired hard drive must be securely erased, and degaussing is the only reliable way to do that.
Compliance is necessary
Nothing good comes from disposing of end-of-life media insecurely. According to Health Care IT News, there have been 804 breaches totaling 29.2 million patient health care records since 2009, and many of them could have been prevented by something as simple as degaussing a desktop.
Degaussing lets health care organizations demagnetize magnetic storage media such as hard disk drives, which renders the data unreadable. Common software wipes don't necessarily achieve this level of erasure, as they move the information around rather than completely removing it from the device. That confidence in degaussing is why the Guardian used it to wipe the hard disk drives it received from whistleblower Edward Snowden, and why the National Security Agency approves it.
While it may seem like an extra step in a process already mired in lengthy procedures, degaussing is actually the first step. To be certain that deleted data stays protected, employees of health care organizations are advised to first degauss the hard disk drives, then physically destroy them.
Part of HIPAA compliance is having a plan ready for the secure disposal of these devices. With a degausser in one hand and a hammer in the other, you can rest easy knowing the organization is protected from fines and patients are guarded against information breaches.