Why you need to secure your disposition now

How many groups are watching the clouds and the chop of the sea, watching their old assets as they usher thousands, if not millions of sensitive documents out the back door?

The simple answer is: "Not nearly enough." According to the Open Security Foundation:

• Of the 149 security breaches reported in Q1 of 2010, 21% were from healthcare-related businesses.

• 85% of incidents are accidental or originate from outside the organization.

If these numbers seem startling, there is a good reason. The news media does not cover most breaches, and companies, afraid of getting fired or sued, seldom make reports.

Everyone is working hard, but the truth is that people are losing data because of bad processes. We’re talking about experienced ship captains, people who know what’s going on, but simply don’t understand how to get on course. Sensitive information is exposed because captains of industry are so focused on improvements and IT security on-network that they fail to check off-network. In other words, they fail to check what they’re throwing away.

Take a laptop computer, which can be useful for years. Employees often log at least 40 hours per week on these computers. Over time, the hard drives within store and transmit thousands, if not millions, of sensitive documents, contact information, vital emails, calendar events, and more. These files remain on the disk long after users have finished working with and deleted them.

In the wrong hands, hidden files can be found and deleted files can be resurrected. It also means that you never know what someone can do with your hard drive.

Think this is an exaggeration? Just ask BlueCross of Tennessee, who lost 57 drives from a secure facility:

• They are now under the watchful eyes of 32 State Attorney Generals.

• Over $7 million has already been spent just to discover the scope of their loss.

• Managing this event could cost over $200 million.

But computers are just the beginning. As healthcare companies across the nation purchase new technology, they must get rid of the old technology safely. Consider these other pieces of equipment:

• Computer scanners, fax machines, and printers store complete or partial images of recent documents.

• iPhones can hold up to 32 gigabytes of sensitive information.

• Phones have a high turnover because people always want the latest and greatest.

• Employees often use tiny, easily lost USB drives to backup and transport files.

Far too often IT managers mistake no news for good news. It is unfortunately commonplace to hear the argument that lack of a data breach indicates they do not have any security leaks. This is not true. Security problems can go unnoticed for years. Failing to discover and eliminate those problems now can lead to costly PR campaigns, government fines and scrutiny, additional labor and oversight, and more.

Think this is an exaggeration? Remember that BlueCross of Tennessee could lose as much as $220 million after a single event. And the truth is that this can happen to almost any organization, as long as they store and transmit healthcare information.

• On average, a single exposed customer record costs a company $202.

• While numbers vary, a single IT asset can store thousands, even millions of such records.

Reducing the likelihood of data exposure can be accomplished in one of two ways. Organizations can make changes to ITAD standards and procedures internally, or they can team with a vendor. The rules for either are identical, boiling down to one simple idea:

• Verify that all data is inaccessible before assets leave the site.

One of the largest hurdles to overcome is the idea that, simply because management enacts policies requiring secure data wiping, the assets will be secure when they are gone, and your company is protected. The problem is that employees are trained to do their jobs, which often do not require them to be computer experts.

Even if employees are handed a list of instructions and secure tools, many have no way of verifying that the tools have performed their jobs correctly. Companies may be able to fend off some criminal costs by showing that all employees acted in good faith, even if they failed. However, you’re still responsible for the entire cost of discovery, which can easily reach the millions.

Whether utilizing current employees or a vendor, be sure that standards require information to be wiped while the asset is on site. Never ship assets to be wiped at a remote location. Why?

• In 2008, third parties were responsible for 44% of data exposure.

• The HITECH Act will hold healthcare organizations accountable for data exposed by third-party vendors.

In addition, never sub-contract work to others, and never team with a vendor that sub-contracts work out to other organizations. This makes tracking and verifying assets and employees more difficult, and introduces new opportunities for miscommunication.

Tracking IT assets is a good deal more complicated than verifying inventory reports. Every piece of equipment must be identified and tracked individually as it progresses through the ITAD process.

The best way to reduce human error is with an electronic verification system capable of recording the status of each asset, and comparing that status against a set of rules. This system should automatically alert employees to potential errors.

As mentioned above, even cell phones and fax machines can contain sensitive information. Do not forget to include these in an ITAD plan. If teaming with a vendor, ensure that they work with assets other than desktop and laptop computers.

BlueCross of Tennessee lost 57 drives because they were sitting in storage, waiting for someone to act. Even if assets are wiped on site, make sure that they are shipped quickly, through secure channels.

Do not rely on internal reporting to ensure that the previous steps are being followed 100%. Instead, demand third-party, quarterly verification of the following:

• Any technology used to wipe, verify, and track assets.

• Procedural compliance.

• Employee training and efficacy.

If ITAD is performed by an outside vendor, demand to see documentation of quarterly audits. In addition, ensure that regular criminal background checks are performed on all employees.