The digitization of the healthcare industry has had some awesome and amazingly positive results – there’s no denying that. At the same time, it’s also caused many health organizations to blunder headfirst into a sea of HIPAA violations, most of them related to electronic Protected Health Information (ePHI). One area that seems to be frequently overlooked involves the proper disposal of such data, and the devices on which it’s stored – let’s talk about that.
Eventually, every electronic device needs to be replaced. Whether due to failure or simply obsolescence, hardware upgrades are an essential part of life cycle management. That’s as true in the healthcare space as it is anywhere else.
For health organizations, however, there’s an additional challenge – ensuring that old devices, whether they’re being disposed of or recycled, do not contain any Protected Health Information (PHI). What many people don’t realize is that it isn’t enough to simply delete sensitive files from a hard drive. Given enough time, effort, and expertise, a deleted file can be recovered.
See, on traditional hard drives, when a file is deleted, it’s not removed from the drive’s memory immediately. It continues to exist in the sectors that originally contained it until those sectors are overwritten. Solid state drives work a little differently – files deleted from an SSD are removed immediately.
That isn’t to say deleted files are impossible to recover from SSDs, mind you. The process responsible for immediate deletion – known as TRIM – does not function on older versions of Windows, nor do they operate in the majority or RAID environments. Without TRIM, SSDs must rely on a set of processes known as Garbage Collection, which flags pages on the drive with recent file activity as ‘good’ and prevents them from being overwritten.
The problem is that particularly with older SSDs, GC has no way of distinguishing between deletion, editing, or creation – it paints all of these actions as ‘activity.’ While modern SSDs have made GC a little smarter than it was in the past, there is still a chance that deleted files may be recoverable. And in the case of PHI, that’s a very, very bad thing.
HIPAA has strict rules concerning the disposal of electronic devices and media for precisely this reason. Once hardware is no longer under your organization’s control, it cannot contain even a shred of confidential data. To achieve this effectively, you’re going to need to do a few things.
First, I’ve two words for you: data hygiene.
Make sure you know where all confidential information is stored within your organization, who has access to that data, and how that data is being used. If you do not have complete visibility into and control over all ePHI within your organization, you are not HIPAA compliant. It’s important to note that this also includes mobile devices, so a strict acceptable use policy and some form of file control system are both must-haves.
Speaking of control, it should go without saying that all PHI must be encrypted and access-controlled pursuant with NIST Guidelines (both in-motion and at-rest). Decryption tools should be stored on a separate server and in a separate location from the data they’re used to encrypt, as well. Otherwise someone who breaks into a server containing PHI could have access to those tools.
Hygiene and cybersecurity aside, it is your responsibility to ensure your organization has clear processes and policies in place for the secure disposal of ePHI. A system that you are decommissioning should be put through a secure, comprehensive sanitization process, and then irreversibly destroyed if it is not to be recycled. You must also pay special attention to how old hardware is stored and transported prior to disposal – though unlikely, there is always a chance that something may be lost in transit.
One last thing I should note is that you should also have a method for securely transferring PHI from older systems to newer ones prior to deletion. Whether that involves restoring it from backups or doing a direct transfer is entirely up to you.
Eventually, even the most reliable system will need to be replaced. If that system contains Protected Health Information, it’s your responsibility to ensure that data does not fall into the wrong hands. Proper disposal of ePHI is every bit as important as protecting it while it’s in-use.