In the rapidly evolving healthcare industry, the management and protection of sensitive patient
information have become paramount. Notably, amidst all industries, healthcare stands at the forefront in terms of data breaches, further amplifying the urgency to securely handle patient data throughout its lifecycle, from electronic health records (EHRs) to medical imaging systems and other critical facets. This task is further accentuated in the digital era, where the digitization of medical records and patient information presents new challenges in data security and privacy protection.
In this blog, we will explore the importance of data security in the medical and healthcare industry,
examine the evolution and implications of the Health Insurance Portability and Accountability Act
(HIPAA), and highlight the essential role of degaussers in end-of-life (EOL) healthcare data destruction.
- 100% Magnetic Media Data Destruction
- Efficient and Cost-Effective
- Degaussing vs Overwriting
- Shredding Is Not Enough
- Garner’s Degaussers and Destruction Cart
Importance of Data Security in the Medical and Healthcare Industry:
The medical and healthcare industry deals with vast amounts of sensitive data, including personally identifiable information (PII), medical records, diagnostic images, insurance information, and more. As technology advances, the healthcare industry increasingly relies on electronic storage media such as hard drives, solid-state drives (SSDs), and magnetic tapes to store this data. Protecting this information is essential to maintain patient trust, ensure confidentiality, and uphold regulatory compliance. However, when these storage devices reach their end-of-life or are decommissioned, ensuring the complete and secure destruction of data becomes a significant challenge.
A data breach in the healthcare sector can have severe consequences, including identity theft, fraud, compromised patient safety, and potential legal and financial repercussions for healthcare
organizations. A comprehensive data security protocol and EOL data destruction process must be a top priority to mitigate these risks and protect patient privacy.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 marked a significant milestone in healthcare data protection and patient privacy. However, the evolving landscape of healthcare, with advancements in technology and the increased use of electronic health records (EHRs), necessitated updates and enhancements to HIPAA’s provisions. This led to the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which amended HIPAA and brought about significant changes to strengthen privacy and security measures.
Enacted in 1996, HIPAA was originally designed to address various healthcare-related issues, including health insurance coverage, portability, and accountability. However, it also introduced provisions to protect the privacy and security of individually identifiable health information, known as protected health information (PHI). The Privacy Rule and the Security Rule were two critical components of HIPAA that set standards for the protection of PHI and established guidelines for healthcare entities, health plans, and healthcare providers.
The Privacy Rule, implemented in 2000, focused on regulating the use and disclosure of PHI. It granted patients the rights over their health information, including the right to access their records, request amendments, and restrict certain disclosures. Covered entities were required to adopt privacy policies and procedures, appoint a privacy officer, and obtain written consent from patients for certain uses and disclosures of their PHI.
The Security Rule, established in 2003, expanded on the Privacy Rule by addressing the security of electronic PHI (ePHI). It introduced requirements for administrative, physical, and technical safeguards to protect ePHI from unauthorized access, disclosure, alteration, or destruction. Covered entities were obligated to conduct risk assessments, implement security measures, and develop policies and procedures to ensure the confidentiality, integrity, and availability of ePHI
The HITECH Act Amendments of 2009
The HITECH ACT recognizes the increasing use of technology in healthcare and the need for stronger privacy and security protections. The HITECH Act introduced several significant changes and provisions to enhance the effectiveness and enforceability of HIPAA’s privacy and security provisions:
- Expansion of HIPAA’s Scope: The HITECH Act expanded HIPAA’s reach by extending its provisions to cover business associates, including entities that handle PHI on behalf of covered entities. This expansion directly imposes responsibility on business associates to adhere to HIPAA provisions and holds them potentially liable for non-compliance with HIPAA regulations.
- Increased Penalties and Enforcement: The HITECH Act significantly increased the penalties for HIPAA violations. It establishes a tiered penalty structure based on the level of culpability, with maximum annual penalties reaching $1.5 million per violation category. The act also allocates additional resources for enforcement activities, including the hiring of more staff dedicated to HIPAA compliance and enforcement.
- Mandatory Breach Notification: The HITECH Act introduced the requirement for covered entities and business associates to provide notifications to affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media, in the event of a breach of unsecured PHI. This provision aims to enhance transparency and enable individuals to take necessary actions to protect themselves in case of a breach.
- Strengthened Privacy and Security Safeguards: The HITECH Act emphasized the importance of privacy and security protections for ePHI. It mandates covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect ePHI. It also requires covered entities to conduct regular risk assessments and develop policies and procedures to prevent unauthorized access or disclosure of PHI.
- Business Associate Agreements: The HITECH Act mandated covered entities to enter into written agreements, known as business associate agreements, with their business associates. These agreements are designed to clearly define the obligations and expectations regarding the responsibilities of the business associates in safeguarding PHI and complying with HIPAA requirements.
- Audits and Accountability: The HITECH Act directed HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA regulations. It also requires HHS to establish a breach notification auditing program to assess covered entities’ compliance with the breach notification requirements.
The HIPAA Wall of Shame:
In addition to the stringent regulations set forth by HIPAA, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) maintains a public database known as the HIPAA Wall of Shame. This database, officially named the “HHS Breach Reporting Tool: Breach Portal,” serves as a powerful reminder of the consequences that can arise from inadequate data protection in the healthcare industry.
The HIPAA Wall of Shame was established as part of the HITECH Act with the purpose to promote transparency and public awareness regarding breaches of protected health information (PHI) that impact 500 or more individuals. Covered entities and their business associates are obligated under HIPAA to report breaches to the OCR, and the Wall of Shame provides a publicly accessible platform for tracking these incidents.
The portal showcases a range of incidents that have compromised patient privacy. Each listing includes details such as the name of the breached entity, the state where the breach occurred, the number of individuals affected, the type of breach, and the date of the breach. This public display of breaches serves as a stark reminder of the critical importance for robust data security measures and strict adherence to HIPAA regulations.
- Anthem Inc. (2015): One of the largest health insurance companies in the United States, Anthem Inc., suffered a significant data breach in 2015. The breach exposed the personal information of nearly 78.8 million individuals, including names, social security numbers, birth dates, and medical IDs. Anthem reached a settlement of $16 million in 2018 with the HHS, and in 2020 a settlement of $39M with the State Attorney General, and a whopping $115M class-action lawsuit settlement, all of which highlight the significant financial consequences that organizations may face following a breach.
- UCLA Health (2015): In 2015, UCLA Health suffered a significant data breach that affected approximately 4.5 million patients. The breach occurred when cybercriminals gained access to a network containing sensitive patient data, including names, social security numbers, medical conditions, and treatment histories. UCLA Health finally reached a $7.5 million settlement in 2019.
- American Medical Collection Agency (2019): This incident compromised the financial and personal information of millions of patients, as the breach extended to multiple healthcare providers that utilized AMCA’s billing services. After the breach, AMCA filed for bankruptcy in June 2019 and later in March 2021 reached a settlement with 41 state attorneys general for $21 million. The AMCA breach not only resulted in severe financial and reputational damage to the breached entities but also exposed vulnerabilities in the third-party ecosystem.
By exposing these breaches, the Wall of Shame aims to encourage healthcare organizations to prioritize data privacy and security, implement robust safeguards, conduct thorough risk assessments, and take prompt action to report and mitigate any breaches that occur.
The Vital Role of In-house Degaussers in EOL Healthcare Data Destruction:
Proper data destruction is critical when electronic devices, such as computers containing hard drives, become obsolete or reach their end-of-life. Degaussers, hailed as the guardians of data destruction, offer a robust solution to mitigate the risks associated with improper disposal of magnetic media.
100% Magnetic Media Data Destruction
Degaussers offer unparalleled security by ensuring that all data stored on magnetic media is thoroughly and permanently destroyed. Degaussers utilize powerful magnetic fields to completely disrupt the magnetic data storage field patterns on hard drives, tapes, and other magnetic media. By eliminating the magnetic data, the process renders all EOL data unreadable and unrecoverable. Even the most advanced data recovery techniques would fail to extract any information from a properly degaussed device.
This level of complete data destruction is crucial in healthcare, where the protection of patient privacy is of utmost importance. By using a degausser, healthcare organizations can ensure that patient records, medical histories, and other sensitive data are permanently destroyed, eliminating the risk of unauthorized access or data breaches from EOL hard drives.
Efficient and Cost-Effective
Degaussers offer a streamlined and automated process, enabling swift and efficient destruction of hard drive data. This process can be performed in-house by existing employees without requiring specialized training. By ensuring every EOL hard drive undergoes thorough and total data sanitization before leaving a facility, degaussers provide the ultimate EOL data security, effectively eliminating the risk of a data breach. This not only saves time and costs for healthcare organizations but also contributes to enhanced end-to-end data protection. Garner offers a range of degaussers capable of complete data erasure on hard drives and tapes as quickly as 3 seconds, with the ability to process up to 3,600 units of 1.8-inch hard drives per hour. If you’d like to learn more, contact Chris Trevino at email@example.com.
Degaussing vs Overwriting
Traditional methods such as software-based overwriting are time-consuming. A single-pass software-based overwriting can typically take several hours to complete for an average-sized hard drive and could take significantly longer for multiple passes. Overwriting is also subject to human and operational errors and leaves sectors of sensitive information intact, vulnerable to retrieval and data breaches. It is worth mentioning that since June 2007, the Defense Security Service (DSS) has explicitly stated its disapproval of any overwriting procedures as a reliable method of data destruction. Similarly, the National Security Agency/Central Security Service (NSA/CSS) does not classify overwriting as a secure means of effectively destroying data. This recognition underscores the potential risks and vulnerabilities inherent in relying solely on overwriting to eliminate sensitive PHI, highlighting the need for more robust and effective data destruction methods to ensure HIPAA compliance and safeguard patient privacy.
Shredding Is Not Enough
If you’re considering shredding as a secure data destruction method, think again. Despite its widespread use, shredding does not guarantee complete data destruction. Merely altering the physical size of a hard drive through shredding does not render the data destroyed and irretrievable. Even minute disk fragments measuring 2mm², equivalent to the thickness of a pencil lead, still contain recoverable data. Furthermore, the mechanical process of reducing a hard disk drive (HDD) to such a minute particle size entails the use of large, expensive, and noisy machinery that consumes significant power and generates substantial airborne dust.
Garner’s Degaussers and Destruction Cart
By contrast, Garner’s degaussers offer a compact and portable solution for secure, complete, and in-house data destruction. These devices are small, comparable to a CPU, and lightweight, ranging from 35 to 105 lbs. Garner’s custom packages emphasize mobility, allowing them to be easily shipped worldwide and transported into various settings, including offices, data centers, or warehouses for in-house degaussing to maintain chain of custody. With a simple plug into a standard wall outlet, degaussers swiftly complete a cycle in seconds.
When the degausser is used with Garner’s exclusive and cutting-edge IRONCLAD system, a powerful automated destruction and verification process captures JPEG images of the storage media before and after degaussing, generating comprehensive records for audit and archival purposes. By incorporating this state-of-the-art technology, healthcare organizations can ensure secure and verifiable data destruction.
In-house degaussing plays a vital role in ensuring the complete and thorough destruction of EOL hard drive data. Healthcare organizations must prioritize the implementation of in-house degaussing processes to guarantee the 100% destruction of HDD data before allowing any EOL drive drives to leave their facilities or be handed over to third-party vendors. In situations where in-house EOL data management is not feasible, careful consideration must be given to selecting third-party data service providers. It is crucial to evaluate these providers rigorously to ensure that they can deliver the same level of meticulous and comprehensive data sanitization.
Third-Party EOL Data Protocol Checklist
In the realm of data security, it is common for data security teams or the I.T. departments to place a strong emphasis on frontend cybersecurity, often neglecting the critical aspect of physical EOL data destruction. This oversight is particularly noteworthy when companies store their data in off-premises locations, on the cloud, or in co-location facilities. To ensure the utmost security of sensitive healthcare information, healthcare organizations must actively hold their data service providers accountable by demanding transparency and inquiring about their EOL security processes.
To help you in your assessment of data service providers’ physical EOL data destruction processes, we have created a comprehensive checklist that you can download and use as a reference. This checklist includes critical assessment in the following categories, allowing you to keep track of the information provided by each potential service provider. Download the Third-Party EOL Data Protocol Checklist.
- Data Destruction Processes
- Certifications and Compliance
- Documentation and Auditing
- Verification and Proof
- Subcontractors and Subprocessors
- Chain of Custody
- Employee Screening and Training
- Disaster Recovery and Business Continuity
Remember to carefully review the answers provided by your data service provider and evaluate their credibility. It may be beneficial to involve legal and security experts to verify their claims and ensure compliance with your organization’s data security requirements.
The HITECH Act introduced important provisions that prohibit covered entities from contractually transferring or contracting away their responsibilities related to healthcare data protection, even if they enter into a business associate agreement. You, as the collector of data, are ultimately responsible for maintaining the security and confidentiality of sensitive data, as well as the extension of such responsibility through a third-party data service provider of your choice.
Protecting patient privacy and ensuring data security must be a top priority for healthcare organizations, and thorough due diligence is essential when selecting a data service provider. By taking the necessary precautions and asking the right questions, you can ensure that your sensitive healthcare data is handled securely throughout its lifecycle, including its ultimate destruction.
Data security is a critical concern in the medical and healthcare industry, where the privacy of patient information must be safeguarded at all costs. Yet, it is the healthcare industry that bears the burden of experiencing the highest number of data breaches. HIPAA has played a pivotal role in establishing national standards for protecting sensitive data, while the HIPAA Wall of Shame serves as a stark reminder of the gravity of data breaches and their consequential aftermath.
It is imperative that no end-of-life media should ever leave a facility without undergoing the degaussing process. The degaussing process guarantees the thorough destruction of HDD data, providing the highest level of assurance against data breaches. By proactively implementing robust data security measures and integrating in-house degaussing into their data management protocols, healthcare organizations can fortify their data security efforts, uphold regulatory compliance, trust, confidentiality, and integrity of patient information, while safeguarding the industry’s reputation.
About Garner Products
Garner Products designs and manufactures premium equipment that delivers complete, permanent, and verifiable data destruction. For over 60 years, Garner has provided the education, systems, and support that enable customers worldwide in all industries to securely destroy data.