HIPAA and Hospitals: Five Reasons Medical Data Storage is Often Not Compliant

By Arman Sadeghi, Founder, All Green Electronics Recycling

With so much of the data controlled by doctors and hospitals on electronic devices, including mobile devices, desktop computers, servers, and in the cloud, the security of that data is quickly becoming the most important aspect of HIPAA (not HIPPA) compliance.

Many medical providers, including some of the largest hospital chains in the country, have been found to be in violation of HIPAA and out of compliance, mainly as a result of mishandling digital data.

A survey of 30 hospitals across California showed that while 90% fully understood the HIPAA Privacy Rule as it relates to paper documents, storage of digital content, and access controls, only 15% handled IT equipment end-of-life procedures properly enough to stay HIPAA compliant.

In this survey of small, medium, and large hospitals, it was revealed that a majority of hospital administrators and IT staff simply did not recognize the threats involved in handling end-of-life IT assets such as hard drives, tablets, mobile devices, and even photocopiers with built-in hard drives and permanent memory.

Being oblivious to these potential areas of HIPAA violation leaves the medical industry open to common compliance failures in the safe handling of client data.

Here are the top five ways this can occur.

1: Data-Containing Devices Are Often Stored in a Non-Secure Location
It was found in a recent study that over 40% of hospitals stored end-of-life computers, laptops, tablets, and mobile devices with potentially confidential data in rooms and storage centers that did not properly meet security standards.

This poses a major data security threat and opens the door for potential HIPAA violations from data breaches pertaining to confidential patient records.

2: Over 40% of Hospital Staff Don’t Realize the Data-Storing Capability of Equipment
This survey found that over 40% of staff members surveyed did not realize that devices such as large copy machines and many printers contain hard drives that permanently store the content that is either scanned, copied, or printed.

In many instances, copy machines and printers with storage of confidential data were recycled through electronics recyclers or donated locally without any certification required for data eradication.

3: Data-Bearing Hard Drives Are Stored for Too Long
It is a well-established fact that the longer a data-containing device is kept with its data intact – even in the most secure storage locations – the higher the likelihood of a data breach.

As a result of staff changes, human error, and mislabeling of equipment, the most common source of data breaches in hospitals has been found to be hard drives that were set aside for future destruction and then mistakenly released without proper data destruction protocols being followed.

4: The Use of Built-In or Free Software for Wiping Hard Drives
Studies have shown that 50% of hospital IT staff mistakenly think that simply overwriting data on a hard drive, formatting the drive, or using readily available free software online is enough to completely eradicate data.

However, the facts are very clear that data from a hard drive that has been overwritten or formatted is easily recoverable using very simple software techniques and is not HIPAA compliant.

In addition, data on hard drives wiped with some of the most commonly available free software tools can still be recovered using only slightly more sophisticated techniques, potentially in substantial amounts.
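As an added illustration (not code from the original article or from All Green), the toy disk image below shows why a quick format is not data eradication: clearing the directory leaves the patient record intact for a trivial raw read-back, which is also the minimum verification a practitioner should run before a device leaves custody. The image layout, the sample record and all names are constructed for this example.

```python
import re

# Constructed toy "disk image": one directory sector followed by data sectors.
# Real drives and file systems are far more complex, but the principle holds:
# a quick format rewrites metadata, not the sectors holding the content.
SECTOR = 64
RECORD = b"PATIENT: Jane Doe, MRN 000123, DX: hypertension"  # constructed PHI

def make_disk() -> bytearray:
    """Build an image whose directory entry points at the record in sector 2."""
    disk = bytearray(SECTOR * 4)
    disk[0:SECTOR] = b"DIR:record.txt@2".ljust(SECTOR, b"\x00")
    disk[2 * SECTOR:2 * SECTOR + len(RECORD)] = RECORD
    return disk

def quick_format(disk: bytearray) -> None:
    """A 'quick format' clears only the directory; data sectors are untouched."""
    disk[0:SECTOR] = b"\x00" * SECTOR

def overwrite(disk: bytearray, passes: int = 1) -> None:
    """Overwrite every sector; a single pass is the usual 'clear' level."""
    for _ in range(passes):
        disk[:] = b"\x00" * len(disk)

def carve_phi(disk: bytes) -> list[bytes]:
    """Read-back check: scan the raw image for anything resembling a record."""
    return re.findall(rb"PATIENT:[^\x00]*", bytes(disk))

def sanitization_verified(disk: bytes) -> bool:
    """Minimum acceptance gate before a device leaves custody: no residual PHI.
    Passing this gate rules out casual recovery only, not lab-grade forensics."""
    return not carve_phi(disk)

if __name__ == "__main__":
    d = make_disk()
    quick_format(d)
    print("after quick format, recoverable:", carve_phi(d))
    overwrite(d)
    print("after overwrite, verified clean:", sanitization_verified(d))
```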

5: Hard Drives With Data Are Allowed to Be Taken Offsite for Wiping or Destruction
A survey found that over 40% of hospitals allowed data-containing devices to be removed from their premises in order to be wiped or destroyed off-site.

Data destruction best practices, however, hold that hard drives and other data-containing devices are far less likely to expose a hospital to a data breach if they are destroyed, shredded, or wiped with certification on-site.

On-site hard drive shredding, offered by many certified electronics recycling vendors and IT asset disposition vendors, is the ideal solution for ensuring that all data-containing devices are destroyed with hospital staff witnessing the entire process. This simple best practice can massively reduce the likelihood of a data breach.

Become HIPAA Compliant With These Simple Steps
By following some simple data security best practices, hospitals, medical clinics, and doctors alike can ensure full HIPAA compliance related to data security on digital devices.

How?

Simply make a list of all of the types of data-containing devices within your organization, then ensure that these assets are processed in an expedited manner any time they reach their end of life.

Next, ensure that their hard drives are not stored for longer than 30 days under any circumstance.

Finally, find a certified data destruction company that can shred these devices on-site or provide you with onsite and certified data wiping.

Find a certified data destruction vendor near you.

This article was originally published on All Green Electronics Recycling and is republished here with permission.