Medical practice risk management: New computers

November 27, 2018

Medical practices replacing computers and related electronic equipment at year end must carefully manage their disposal to avoid significant liability.

One common recurring seasonal business risk for doctors' offices arises when practices take advantage of year-end deals and surplus taxable income to replace computers and other business equipment. Making sure your practice has appropriate amounts of cyber liability insurance, as well as sound and enforced policies on how your old equipment is stored and disposed of, is vital practice risk management.

Do you have a device security plan?

  • Secure all old equipment. Many practices put outdated equipment into a storage area that no one pays attention to or takes inventory of until something goes missing or a breach occurs.

  • Have a plan and make a specific individual responsible for implementing it. Create a written chain of custody and educate the person in charge about the risks and gravity of the task at hand.

  • Keep records of all devices, including the ones being destroyed or donated (make a copy for your CPA including a description, serial numbers, estimated depreciated value, and replacement cost), and where they went or how they were disposed of.

  • Sign out all users and physically disconnect devices from your network. Old machines are often not maintained or updated and may actually create a security risk while still in your office.

You cannot simply donate, gift, or throw away most computer equipment

Taking a tax deduction for donating safe electronic equipment after determining it does not contain confidential information is a relatively standard business practice. Items like mice, keyboards, power supplies, and monitors are common safe examples, but computers themselves and any other devices that transfer, copy, or store data create a serious liability for physicians. 

Whether your devices are going to be destroyed, donated, or recycled, all data on the computer must be wiped as a minimum first step. Security software available at most office stores can help and may already be present in your operating system or anti-virus programs. Remember that “deleted” data on personal computers is not actually “erased” unless the hard drive itself is virtually destroyed.

Think beyond “computers”

While computers themselves pose the most obvious threat to legally onerous financial and HIPAA-protected information, they are not your only risk. Other devices, including scanners, printers, and fax machines, can store thousands of images and pages of data. Your practice must securely dispose of a variety of computer and related electronic devices, including those on the following, admittedly incomplete, list:

  • Desktop and laptop computers, tablets, and smartphones that have been used to access or relay protected data 

  • Networked printers, faxes, scanners, etc.

  • Computer servers and arrays

  • Devices that combine hardware and software for a specific medical or administrative function 

  • Networking equipment

  • Electronic data storage devices and backups

Other layers of cybersecurity: Professional IT help and all the right insurance 

Organized, international crime syndicates now commonly instigate hacking, spoofing, phishing, and other online fraud and have pierced the security of even the biggest retailers and healthcare systems in the country. 

Given the massive scope of the liability involved, top-notch professional IT support that includes security software and online security training for your staff should be considered mandatory for business asset protection and risk management. Some IT providers can also help securely dispose of your equipment. 

Finally, consider whether your business insurance coverage adequately protects you in case of accidents, mistakes, or breaches. Your practice should have seven figures in data breach/cyber liability insurance, not just a $50K or $100K rider that shares limits with your malpractice policy. Likewise, you should also have seven figures in stand-alone “directors and officers” coverage to protect yourself and your executives from executive liability that names you personally for business-related claims.

Attorney Ike Devji has practiced in the areas of asset protection, risk management, and wealth preservation law exclusively for the last 15 years. He helps protect a national client base with over $5 billion in personal assets that includes several thousand physicians and is a contributing author to multiple books for physicians and a frequent medical conference speaker and CME presenter.