Healthcare organizations are constantly making upgrades or replacing redundant technology, but what happens to these orphaned IT systems and the data on them? More importantly, do companies even know what data is stored on these assets?
These are all questions that organizations should be able to answer, but so many cannot, says one expert, and that puts the individuals they serve at risk.
Jim Kegley is the founder and president of U.S. Micro Corporation, based in Atlanta. The company has been around since 1995 and works with large Fortune 500 companies that are trying to get rid of older IT equipment. The company purchases the equipment outright and, after destroying the data onsite, is able to resell 90 percent of the equipment. Kegley says the company is building a facility in Las Vegas to manufacture equipment like bike racks from the remaining 10 percent.
Kegley shared with Healthcare IT News the top five risks associated with orphaned IT systems:
Allowing an asset to leave an organization when data is still on it
Kegley refers to the story last year about the Massachusetts hospital that reported missing back-up tapes after they were picked up to be destroyed. “That is the biggest risk that we see,” he said. His company believes in destroying all data onsite to prevent this from happening. Or take for example the story that CBS News broke about buying used copy machines, adds Kegley. CBS purchased the machines very cheaply and found on one machine, purchased from a New York insurer, 300 pages of individual medical records.
According to Kegley, most buyers of copiers are from overseas. “In my mind people are targeting that equipment because they know they are going to find meaningful data – like social security numbers,” he said. It might be years before they exploit the data, but that only makes it more difficult to find any type of paper trail, he adds.
Lack of awareness and education about what to do with end-of-life assets
Due to the explosion of mobile devices in large organizations, older assets are being retired, says Kegley. “Liability increases with the age of devices,” he said, and “it is typically harder to eliminate data.”
But not wiping the data is a huge problem. Take for instance what happened recently in New Jersey, says Kegley. New Jersey was selling PCs at auction and close to 80 percent of the devices still had data on them – including child welfare records. “The state’s response was the cost to implement safeguards exceeded the value of the equipment,” he said. “That’s a really prevalent mindset.” And unfortunately a legitimate argument, says Kegley. “They don’t have records of what has left their environment, so it’s an open-ended question to what damage they have caused.”
Lack of internal controls and audit trail
Most organizations can’t give an account of all the devices they have and what data is on them, says Kegley. His company provides an audit report that checks an organization’s devices and whether they adhere to the organization’s policy. For example, having an audit of all your laptops could reveal which laptops are encrypted and which ones are not, he said. Another common problem is that the laptop may be encrypted, but the organization has taped the password to the device, says Kegley. “We see the encryption as defeated in that case,” he says. Or some companies believe that just having their laptop password protected means that they don’t need to encrypt it, he adds. Case in point: the recent news concerning BP’s lost laptop that was not encrypted, but was password protected. “It takes about five minutes to break a password,” he says.
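The kind of audit described above, an inventory check against policy plus a record of what has left the environment, can be reduced to a reconciliation job. The script below is an added example written for this article, not U.S. Micro’s report format or any product’s code. The asset records, disposition records, policy sets and field names are all constructed for illustration; it flags in-service laptops that are not encrypted, retired assets with no disposition record or certificate, assets that left the site before onsite sanitization, and flash media that was wiped rather than destroyed.

```python
"""Added example: reconcile an IT asset inventory against disposition records.

All data, policy sets and field names below are constructed for illustration
(assumptions, not a vendor's audit format).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                 # "laptop", "copier", "phone", "hdd"
    status: str               # "in_service", "retired", "left_site"
    encrypted: bool
    media: Tuple[str, ...] = ()   # embedded/removable media, e.g. ("microsd",)


@dataclass(frozen=True)
class Disposition:
    asset_id: str
    method: str               # "wipe_onsite", "shred_onsite", "offsite_destroy"
    certificate_id: Optional[str] = None


# Constructed policy: asset kinds that must be encrypted while in service.
ENCRYPTION_REQUIRED = {"laptop", "phone"}
# Constructed policy: media for which wiping is not accepted, only destruction.
DESTROY_ONLY_MEDIA = {"microsd"}
DESTRUCTIVE_METHODS = {"shred_onsite", "offsite_destroy"}
# Methods that remove the data before the asset leaves the building.
ONSITE_METHODS = {"wipe_onsite", "shred_onsite"}


def audit(assets: List[Asset], dispositions: List[Disposition]) -> Dict[str, List[str]]:
    """Return {asset_id: [finding, ...]} for every asset that violates policy."""
    by_id = {d.asset_id: d for d in dispositions}
    findings: Dict[str, List[str]] = {}

    def flag(asset_id: str, finding: str) -> None:
        findings.setdefault(asset_id, []).append(finding)

    for a in assets:
        if a.status == "in_service":
            # Encryption policy applies to devices still in use.
            if a.kind in ENCRYPTION_REQUIRED and not a.encrypted:
                flag(a.asset_id, "unencrypted_in_service")
            continue

        # Retired or departed assets must have a disposition record.
        d = by_id.get(a.asset_id)
        if d is None:
            flag(a.asset_id, "no_disposition_record")
            continue
        if d.certificate_id is None:
            flag(a.asset_id, "missing_certificate")
        # Data was still on the device when it left if sanitization was offsite.
        if a.status == "left_site" and d.method not in ONSITE_METHODS:
            flag(a.asset_id, "left_site_with_data")
        # Flash media under a destroy-only policy must not merely be wiped.
        if set(a.media) & DESTROY_ONLY_MEDIA and d.method not in DESTRUCTIVE_METHODS:
            flag(a.asset_id, "media_wiped_not_destroyed")
    return findings


def summarize(findings: Dict[str, List[str]]) -> Counter:
    """Count findings by type for a management-level summary."""
    return Counter(f for fs in findings.values() for f in fs)


# Constructed sample inventory and disposition log.
ASSETS = [
    Asset("LT-001", "laptop", "in_service", True),
    Asset("LT-002", "laptop", "in_service", False),
    Asset("LT-003", "laptop", "retired", True),
    Asset("CP-010", "copier", "left_site", False),
    Asset("PH-020", "phone", "retired", True, ("microsd",)),
    Asset("HD-030", "hdd", "left_site", False),
]
DISPOSITIONS = [
    Disposition("LT-003", "wipe_onsite", "CERT-0001"),
    Disposition("CP-010", "offsite_destroy", None),
    Disposition("PH-020", "wipe_onsite", "CERT-0002"),
]

if __name__ == "__main__":
    result = audit(ASSETS, DISPOSITIONS)
    for asset_id, fs in sorted(result.items()):
        print(asset_id, ", ".join(fs))
    print(dict(summarize(result)))
```

The audit deliberately treats a missing record as a finding in its own right: an asset that left with no disposition entry is exactly the “open-ended question” Kegley describes, since nobody can later say what data was on it.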
The mindset that there is only one solution to dealing with end-of-life assets
Kegley gives the example of BlueCross BlueShield of Tennessee, which had 57 hard drives stolen from one of its facilities. The hard drives were soon to be removed from the site and destroyed. “The problem is that it’s a lot easier to lose the keys than the car,” he says. “Once you separate the drives from the device, it becomes a major issue.” Kegley says it has cost the insurer $7 million in forensics to identify what was on those drives. “You may have to apply a different technique depending on the device; one solution doesn’t fit all.”
With emerging technology there is a lack of awareness – even among IT professionals – that data can't be wiped to DoD standards
For example, says Kegley, “while an organization’s Blackberry devices may be encrypted, it is not uncommon to find micro SD cards internal to the device that are not encrypted (we have seen unencrypted micro SD cards with 16 gigabyte capacities).” So if this device is lost or stolen, personal information is put at risk, and even if you wipe clean the data on the microSD it could be recovered. “We recommend physical destruction of the media as there is no reliable method of destroying data otherwise.” Although some may try to lay the blame at the feet of the manufacturers, “the obligation should always rest with the organization,” Kegley says. And if an organization cannot do it themselves, then they should hire an outside organization to do it, he adds.