2006-12-15 00:00:00

Are you protecting Patient healthcare data on discarded equipment?

Given the increase in computer usage to track patient data and that we’re all now going through new cycles of computer purchases (especially with Vista coming soon) discarding older equipment is something we do often.

Discarded equipment may include entire computers or just hard disks, thumb drives, and other storage devices. One thing I’ve been discussing with my clients is their strategy for protecting information on discarded devices and it makes sense to review your own policies. Some questions to ask your team:

  • Does your organization have a policy for destruction of sensitive data within its own environment?
  • Does your organization’s policy extend to your partners and vendors or do they have their own policies?
  • What tools are in use to destroy sensitive data and do they meet the requirements stipulated in your policies?
  • If you do have policies, how are they enforced and documented so that if legal action is required you are prepared?
  • If you’re not disposing of older equipment, where is it kept? Is it inventoried and tracked? How would you know if older equipment with sensitive data is stolen?
  • How to start protecting yourself:

    • Reduce the amount of information available on storage devices by using thin-client software that doesn’t maintain state anywhere except on a server.
    • Create an awareness campaign to make sure patient-sensitive information is stored only on servers and shared file systems instead of on personal PC’s and thumb drives.
    • Create risk assessments, policies, and procedures to ensure you have a plan for addressing discarded devices. Be sure to include third parties (especially oursourcers) and ask them about their data retention policies.
    • Use comprehensive data cleansing tools to erase data, not just the Windows or operating system “delete” commands. None of those basic commands will actually delete data, they only “hide” it.

    If any of you have policy or procedure documents in place that you can share, leave a comment here or volunteer to do a guest post where you can discuss your successes/challenges. It would be useful for us all.

      Filed under: — @ 2006-12-15 00:00:00