Secure it asset disposition: achieving valuable outcomes for healthcare

The risks of not having an IT asset disposition solution are substantial. Here’s how healthcare organizations can dispose of end-of-life IT assets and media successfully to protect patient and sensitive information while achieving security, compliance, and environmental goals.

THE HEALTHCARE SECTOR SUFFERS THE MOST DATA BREACHES among all industries. In the first half of 2018, U.S. healthcare organizations reported 229 data breaches, affecting more than 6 million individuals. The number of these incidents has been rising steadily since 2010.

That statistic alone demonstrates why data security is the top concern among IT leaders in the healthcare industry. In addition, they’re grappling with a wide range of regulations that affect IT asset decisions, especially around the disposal of retired or obsolete equipment.

With the right IT asset disposition program, however, healthcare organizations can:

• Improve data security and privacy, while complying with new and changing global regulatory requirements
• Lower total cost of ownership (TCO) through remarketing
• Minimize impact on the environment

THE STAKES ARE HIGH

Data breaches are an ongoing concern for all organizations. Yet, as hospitals and medical facilities increasingly collect digital data, the stakes are rising. Hospitals are already using an average of 10 to 15 connected medical devices per bed. As the proliferation of these devices expands, the risk of breaches also escalates.

One MRI machine may contain thousands of patients’ images; one human resource employee’s laptop could contain sensitive patient, employee, and organizational data. If these devices are not properly handled at the end of their lifecycle and fall into the wrong hands, the organization could suffer data theft, damage to reputation, and/or face regulatory penalties or fines.

Healthcare IT leaders are keenly aware of the challenges surrounding IT asset disposition (ITAD). In a recent IDG survey, they listed their top three obstacles as:

• Data security
• Chain-of-custody security risks
• Proper environmental recycling

In addition, IT leaders within healthcare say they’re aware of the multitude of regulations affecting ITAD, such as the Health Insurance Portability and Accountability Act (HIPAA) as well as EPA and FDA regulations.

There’s a disconnect, however, between recognizing the challenges, risks, and regulations and taking actions to avoid data security problems upon IT asset disposition. For example, the IDG survey revealed that:

• 58% of healthcare organizations do not have a formal ITAD policy in place
• 47% handle equipment disposal entirely in house
• 29% dispose of old equipment in the trash

“Unfortunately, healthcare organizations are susceptible to a variety of security risks,” says Brooks Hoffman, a member of the Secure e-Waste and IT Asset Disposition team at Iron Mountain.

For example, the industry is undergoing significant merger and acquisition activity, which makes IT asset disposition more complicated. In addition, more small clinics, urgent care centers, and facilities have mobile employees, making it harder to control all the different data-bearing devices.

These situations make having an ITAD policy in place all the more important. The good news is that the solution isn’t complex or burdensome.

SECURE IT ASSET DISPOSITION: THE BENEFITS OF COMPREHENSIVE COVERAGE

A properly designed secure IT asset disposition (SITAD) program meets all of an organization’s goals. Asked what they’d most like to see in such a program, IT leaders in the healthcare industry said:

• Meet HIPAA requirements and data privacy regulations
• Ensure the security of sensitive data
• Provide a consistent, reliable, secure chain of custody
• Reduce the burden on internal resources
• Comply with environmental regulations

A comprehensive SITAD program does all that and goes further. For example, Iron Mountain’s solution gets healthcare organizations started with a framework for ITAD policy creation. This template includes procedures for asset tracking, data security standards, data destruction guidelines, and regulation compliance — specific to industry needs.

The right SITAD solution also instills confidence in a secure chain of custody when IT assets are disposed. For example, some ITAD companies use third-party services to haul away old equipment.

Those vendors sometimes subcontract the logistics or trucking aspects, which puts the chain of custody into question. Consider the risks if the hauling company driver doesn’t lock his vehicle while your IT assets are inside.

Healthcare organizations should work with ITAD vendors who are certified by independent, standards-setting bodies such as e-Stewards^®. This ensures that there’s no cutting of corners in regulations and standards compliance.

ITAD vendors also can help address environmental and social responsibility goals by diverting IT assets from landfills and other waste streams. There is a lot of complexity in this area, because each U.S. state and municipality may have specific requirements in addition to federal regulations for electronic waste.

Finally, because healthcare organizations are under constant pressure from a cost standpoint, they should consider remarketing end-of-life IT assets. With help from the right ITAD partner, facilities and hospitals can retire old equipment and gain maximum resale value, which will lower TCO.

THE BOTTOM LINE

Healthcare organizations have a great deal of sensitive data at stake, particularly if they don’t have a secure IT asset disposition program. Getting ITAD right, organization-wide, is crucial.

“If 75% of the organization does ITAD the right way, it means that 25% is doing things the wrong way. That’s a problem,” Hoffman says.

Iron Mountain’s Secure IT Asset Disposition solution helps organizations ensure that IT assets are destroyed, recycled, or repurposed properly for maximum value. Find out more: www.ironmountain.com/sitad