Written by Insecurity of Everything: A Cybersecurity & Business Column, Kate Fazzini and John Shegerian
If you are a health care-related business or work with health care-related records and information, how careful are you at following HIPAA regulations? Are you making any mistakes, even if those mistakes are inadvertent? A health care data breach that took place last year in Maine serves as an important reminder to choose the right methods and ITAD providers for data destruction and e-recycling.
The HIPAA Privacy Rule lays clear foundations on what a health care office or company must do to keep protected health information (PHI) private. Only authorized users are allowed to access electronic information systems. When someone is away from their desk, they must log out of all applications that access patient information. The HIPAA Security Rule goes a step further and addresses the importance of having policies and procedures in place for end-of-life electronics used in medical settings.
When a firm fails to dispose of computers and other electronics in accordance with the law, the risk of data theft is all too real. Volunteers and employees have to be appropriately trained and fully understand how to dispose of any medical electronics. This includes wiping hard drives and destroying the electronics after data is destroyed. Data destruction sanitizes the information on a hard drive or storage device before the electronic item is shredded for recycling or restored to factory settings for resale.
The problem is that even with protections and rules in place, breaches still occur. Some of them are directly linked to poor e-recycling methods that fail to follow HIPAA rules. You may be making mistakes without realizing it.
Hard drives aren’t properly wiped
On Sept. 9, 2021, HealthReach Community Health Centers notified 101,395 Maine residents of a massive potential health care breach at the community health care organization. The Waterville, Maine, practice learned of a possible violation from hard drives that were not disposed of properly.
Instead of being wiped and shredded, several hard drives were improperly disposed of by a third-party storage facility. Information on those hard drives included patient names, SSNs, dates of birth, financial account numbers, lab/test results, insurance details, passwords, security codes and PINs.
In addition to the Maine residents, another 15,503 people from other states were also affected. Every patient of HealthReach is being asked to monitor their accounts and credit report. HealthReach had not been notified that information was being fraudulently used, but the risk is there. Affected consumers were offered a year of credit monitoring, dark web monitoring and identity theft protection services. Plus, patients receive a $1 million reimbursement insurance policy through IDX/Transunion.
HealthReach is not the only health care organization to face a breach of this nature. It’s estimated that 1 out of 4 data breaches is caused by negligence. The HIPAA Journal reported 16 improper-disposal incidents involving electronics in 2020, with close to 600,000 records potentially exposed in those incidents.
How do you prevent negligence-related data breaches?
It’s in everyone’s best interest to prevent breaches related to negligence. If you don’t take measures to follow HIPAA rules, you face fines. Companies paid more than $13.5 million in fines during 2020.
When you’re disposing of unneeded or broken electronics and medical equipment, you have to be very careful. The “Final Security Rule” requires data destruction on any electronic PHI on a device being recycled, upgraded or resold. Electronics that healthcare professionals must recycle aren’t just computers and tablets. Data destruction is also necessary on copiers, imaging equipment, printers, and anything else that stores patient information.
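The data-destruction step described above (wipe the media, then shred or reset it) only protects patients if the wipe actually covered the whole device. A verification pass, reading the medium back and confirming no data survived, is the check an ITAD workflow can record alongside the disposal paperwork before a drive leaves the building. The script below is an added example written for this column, not code from the authors or from ERI; the function names (`verify_zero_fill`, `demo`) are my own, it assumes a zero-fill overwrite was used, and it inspects two constructed disk images in a temp directory (one fully zeroed, one with a planted fake patient string) instead of real media. Point `verify_zero_fill` at a block device path or an image file to use it for real.

```python
"""Post-wipe verification for a sanitized storage device or disk image.

Added example (not from the column). Assumes the drive was overwritten with
zeros; any non-zero byte on readback means the overwrite did not cover the
whole medium or was never run, so the drive must not be released for resale.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

CHUNK = 1 << 20  # read the device in 1 MiB pieces


@dataclass
class WipeReport:
    path: str
    size: int                        # bytes read back
    residual_offset: Optional[int]   # offset of first non-zero byte, or None
    sha256: str                      # digest of the readback, for the disposal record

    @property
    def clean(self) -> bool:
        return self.residual_offset is None


def verify_zero_fill(path: str) -> WipeReport:
    """Read the entire device/image and locate the first byte that is not 0x00."""
    digest = hashlib.sha256()
    size = 0
    residual = None
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            if residual is None and chunk.count(b"\x00") != len(chunk):
                # pinpoint the exact first non-zero byte inside this chunk
                for i, b in enumerate(chunk):
                    if b:
                        residual = size + i
                        break
            size += len(chunk)
    return WipeReport(path=path, size=size,
                      residual_offset=residual, sha256=digest.hexdigest())


def _write_image(data: bytes) -> str:
    """Write a constructed image to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run the check on two constructed images: one wiped, one with leftovers."""
    wiped = _write_image(b"\x00" * (3 * CHUNK + 17))
    # Fake, constructed record planted past the second MiB to mimic a partial wipe.
    leftovers = (b"\x00" * (2 * CHUNK + 100)
                 + b"PATIENT: Jane Doe (constructed sample) DOB 1970-01-01"
                 + b"\x00" * 500)
    partial = _write_image(leftovers)
    try:
        return {"wiped": verify_zero_fill(wiped), "partial": verify_zero_fill(partial)}
    finally:
        os.remove(wiped)
        os.remove(partial)


if __name__ == "__main__":
    for name, report in demo().items():
        status = "CLEAN" if report.clean else f"RESIDUAL DATA at byte {report.residual_offset}"
        print(f"{name}: {report.size} bytes read, {status}, sha256={report.sha256[:16]}...")
```

Reading the full device back is deliberately slow; a sampled check would miss exactly the kind of stray block that caused the HealthReach exposure. If the overwrite used a non-zero pattern instead of zeros, compare each chunk against that pattern rather than against `0x00`.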
Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.