Safe Data Disposal. By Noah Dermer
We are motivated to properly dispose of certain items because we want to do our part to protect the environment and don’t want to risk doing harm to ourselves and others. What we don’t always realize is that similar motivations should influence how we dispose of data.
Think about all the data that might be stored on some of your old electronic devices. For example, your smart phone—a device that many of us use to store almost all of our personal information—may still have personal data left on its internal memory even after you remove the SIM and SD cards. As technology advances and more of our devices are becoming “smart,” it is critical to properly dispose of all electronic devices, from your old computer (where you paid all of your bills) to your SmartTV (where you accessed your Netflix, Hulu, and Amazon accounts).
To investigate how often data remains on electronic devices, the New York-based computer forensics firm Kessler International purchased 100 hard drives on eBay. After analyzing the drives, they found that 40 of them contained personal, private, or sensitive information. Some data was retrieved with special forensics software, but other drives contained sensitive data that was completely visible, having never been overwritten or erased. Of the data retrieved, 36 percent was personal and confidential information, 21 percent were emails, 13 percent were photos, and 11 percent were corporate documents.
Numbers like that are extremely concerning to me, but if you’re not a very private person, you might think there is little risk in someone finding some of your old emails and photos. The reality is your information is extremely valuable on the black market: Social Security numbers are worth $250-400, US credit cards with track data are worth about $12 each, and bank account information can fetch upwards of $1,000. There is a market for your data, which is why it is critical to properly dispose of electronic devices and documents to protect your personal and confidential information from being exploited.
I don’t want you to be intimidated by big numbers and dollar signs. It is actually very easy for anyone, including billing services, to properly destroy data. Just follow a few simple rules:
- To dispose of magnetic devices (e.g., old floppy disks and standard hard drives), shred or degauss them.
- To dispose of flash-memory-based devices (e.g., USB thumb drives and solid-state drives), shred them.
- To dispose of paper documents, shred them.
For more specific instructions for destroying data, check out the Guidelines for Media Sanitization from the National Institute of Standards and Technology (NIST).
It is also crucial that healthcare organizations consider where they dispose of data. Leaving anything that could contain confidential information in an environment where it is vulnerable to exposure could put you at risk for a HIPAA violation and incur serious fines and penalties. In April 2015, Cornell Prescription Pharmacy was hit with a $125,000 fine for disposing of documents containing protected health information (PHI) in a dumpster that was easily accessible to the public. In June 2009, the US Department of Health and Human Services Office for Civil Rights served Parkview Health System with an $800,000 fine for leaving 71 cardboard boxes of patient medical records on the driveway of a physician’s home, 20 feet from the public road, and not far from a heavily-trafficked shopping center. These fines could have easily been avoided if the organizations followed proper procedures for destroying and disposing of data. When in doubt, consult NIST’s Guidelines for Media Sanitization.
Keep in mind that the less data you keep around your home, office, or data center, the less information there is to take. In my Security Corner on the InstaMed blog, I have discussed advanced payment technologies that healthcare organizations like billing services can use to securely store patient data electronically without storing data on USBs or keeping paper copies of personal information around the office. By leveraging such technologies, billing services can protect sensitive information for their provider clients and avoid a data breach, which could result in irreparable damage to your business’s reputation.