In my last column for 2015, we take a look at one final and vital area of medical practice risk management: secure disposal of computer and electronic equipme nt. As many doctor’s offices and their employees update both business and personal electronic devices, having a compliance plan and the right professional resources to securely dispose of or replace a wide a variety of electronic devices is important. Not only because it controls your very significant liability for data breaches involving HIPAA and patient financial and identifying information, but the security of your practice’s own data, EHR system, and finances.
We’ve previously covered various aspects of data breach liability, including the need for seven figures in specialty “data breach” or “cyber liability” insurance. Merely thinking that you have it or not knowing the exact terms and amounts is a serious exposure in of itself that every practice manager should have a handle on. Many doctors I personally work with are shocked to learn that that they have somewhere between $0 and $50K in coverage when I insist they make a specific inquiry with their carrier or agent. The scope of the risk is very significant and the news routinely features stories about businesses paying millions in fines for data breaches and suffering significant reputational damage.
Part of the liability determination from a legal perspective includes an examination of the steps the practice took to prevent and control any such exposures. Thus, having an enforced plan is itself proactive defensive planning. Managing risk is always less costly and dangerous than dealing with the crisis that comes from ignoring it. In some cases, your IT firm may have resources or offer secure disposal or recycling of your equipment for you and that’s a great way to handle it after you’ve done your due diligence on them and how they do it. As we’ve previously discussed, your choice of vendors is part of the liability chain, so make sure they are insured and qualified to do the job, merely paying someone doesn’t absolve you of all liability.
A Bare Bones Security Plan Outline:
1. Secure and inventory all old equipment that’s being replaced. Keep a list of the devices you are destroying (i.e. Dell laptop, serial number EDV79234H46722) or recycling (make a copy for the CPA including depreciated value and replacement cost) and where they went or how they were disposed.
2. Don’t just pay attention to “computers,” there are a wide variety of items that can contain literally thousands of pages of protected healthcare and, financial and identifying data including:
• Networked printers, faxes, scanners, etc.
• Computer servers and arrays
• Devices that combines hardware and software for a specific function, medical or administrative
• Networking equipment
• Electronic data storage devices and backups including USB drives
• Desktop and laptop computers, tablets and smartphones that have been used to access or relay protected data and going forward, probably any connected wearable electronics as well (watch smartphones in particular, they tend to get gifted, traded in or handed down a little to cavalierly and often have access to all the same information as your computers ).
3. Have a policy everyone is aware of and ensures a specific person is responsible and explicitly aware of why this is important and why the devices can’t be thrown or given away.
4. As devices are replaced, make sure they are signed off and if possible blocked from (access revoked, etc.) from all your networks including email accounts, EHR, etc. including the Wi-Fi network, and that any stored passwords and users are removed.
5. Keep all equipment and devices secured until they are ready to be recycled or destroyed and maintain records of where they go.
Finally, please remember that while the “erasing and deleting” measures you take are a great first start, including the use of both internal controls in the equipment and aftermarket software specifically sold for this purpose, most experts don’t think that donating such equipment is a good idea, at least not until it’s been professionally “sterilized” of any protected data. Much of the information you think you have deleted is actually stored in the computer and can be retrieved easily by those with malicious intent. I look forward to sharing more with you in the new year, until then, Merry Christmas and Happy Holidays!