It's there, somewhere deep within the bowels of your local hospital: that storage closet full of old IT equipment, its hard drives replete with patient health and financial data. Uncertainty about compliance with HIPAA and other privacy laws, and the lack of budget to deal with equipment at the end of its life, mean many health-care organizations are unsafely stockpiling old equipment.
Unfortunately, that strategy puts them at risk. Peruse attrition.org, or even the daily business pages, and a bone-chilling picture will emerge about just how vulnerable sensitive information can be to loss, theft and accidental leakage. Even hospitals that take active steps to sell, donate or destroy old computer equipment can be inadvertently exposed, if those processes are not performed according to best practices. Lost or stolen data can rapidly rack up literally millions of dollars in costs.
But all is not lost - VARs can help. Selling complete life-cycle services, from procurement through end of life, means VARs can deliver peace of mind and relief from liability, while assuring that they play a role in every refresh. A range of services and technologies have emerged, enabling VARs to help customers make the right decisions about dispensing with unneeded equipment.
Knowing the Regulations
HIPAA is the 1,000-pound gorilla impacting health care, and like many aspects of the law, it's frustratingly vague about data security.
"It's a generalized statement that refers to the liabilities that come into play if an organization has lost medical data," says Jack Thorsen, senior vice president of strategic development for Ensconce Data Technology (EDT), a data destruction vendor based in Portsmouth, N.H. HIPAA penalties may include $50,000 to $250,000 per incident in fees, one to 10 years in prison and $25,000 in individual civil fines.
Last July, Sens. Patrick Leahy and Edward M. Kennedy introduced what's been called HIPAA 2 to upgrade health-care privacy regulations. The bill included requirements to establish and upgrade technological, administrative, organizational, technical and physical safeguards to secure protected health information. While the ultimate outcome of this and similar legislation is uncertain, the movement toward more requirements is clear. Canada enacted its Health Information Protection Act in 2004.
Sarbanes-Oxley regulations also apply, for publicly held companies. Individual states have also been enacting data privacy laws, most notably California's SB-1386, which requires all potential victims be notified. In December 2007 alone, breaches were revealed at West Penn Allegheny Health System, Sutter Lakeside Hospital, Beacon Medical Services, Memorial Blood Centers and Community Blood Center/Battelle & Battelle LLC. From 2005 through 2007, 217 million records containing sensitive personal information were breached in the U.S., according to the Privacy Rights Clearinghouse. Some estimates put the well-known breach of 26.5 million records by the Veterans Administration in May, 2006, at $26.5 billion.
"Disposal is now a high-risk maneuver," says Chris Adam, director of asset disposal services for Converge's NextPhase. "What used to be a no or low cost, now costs money."
Degrees of Destruction
Some hospitals maintain policies that require hard drives be destroyed to eliminate liability - but few budget even for this step, and current processes often leave gaps in security.
The rise in breaches has shed light on best practices and the pros and cons of the many technologies available to address this data. Consider rising concern about the environmental impact of all that old equipment sitting in landfills, and the time is ripe for a better approach.
Many industries follow the government's lead when it comes to data security. The National Institute of Standards and Technology's Special Publication 800-88, Guidelines for Media Sanitization, breaks disposal methods into four groups:
Disposal: as is, without sanitization.
Clearing: such as overwriting.
Purging: such as Degaussing or Secure Erase.
Destroying: this includes disintegration, incineration, pulverization and melting.
Another set of guidelines that have been established is the Department of Defense 5200 Sanitize Standard.
The selection of a sanitation method depends on several things, including the nature of the data and the next step for that equipment: Can it be reused internally? Donated? Returned to the leasing company? Reconditioned and resold? Broken down for parts? The average lifespan of a laptop is two years; a desktop machine, three; and a server, three to five years, according to Gartner Research. IDC estimates 40 million PCs and laptops were retired in 2006.
Another consideration is ensuring limits on who has access to equipment while it awaits its next step. Similar to crime evidence, unneeded hard drives must to go through a chain of custody to ensure secure travels, and that chain must be documented along with certification, proving that the data has indeed been eliminated. Limiting liability depends upon strict adherence to these procedures. Selecting a vendor to provide these services must also be performed with care - EDT claims that 52 million records have been lost by third-party data destruction firms. Some experts even recommend using hard drive-preserving sanitation processes when moving equipment from one user to another, or when equipment is being sent out for servicing.
The stakes are particularly high for health-care organizations because they hold both financial and medical data.
"Most health-care organizations are well aware of their responsibilities concerning data," says Roger Detzler, CTO at EDT. "Most have solutions in place, but they're typically very time-consuming and cost-prohibitive," a problem that's getting magnified as data volumes and technology use increase.
"Health care is one of those industries that really needs to plan for end-of-life disposition in advance," says David Bernstein, president of AnythingIT, an IT asset management and disposition provider based in Fort Lee, N.J.
Weighing the Pros and Cons
Each data destruction technique has its own set of pros and cons, and they're not mutually exclusive. A "clearing" or "purging" technique may be used to sanitize the hard drive on site, for example, before it's transferred for shredding (hard drive shedding uses different equipment than paper shredding). Many service providers offer a range of techniques to fit the varying client needs and budgets.
A fairly new kid on the block among data destruction techniques is Secure Erase. The technique was created by members of the hard drive industry, the Center for Magnetic Recording Research, and the National Security Agency to certifiably sanitize hard drives beyond forensic reconstruction while enabling equipment reuse. Manufacturers began embedding the destruction command in the firmware of ATA/IDE and SATA hard drives in 2002. However, BIOS and Operating System developers later blocked the ability to initiate Secure Erase to avoid accidental or intentional implementation, and the command has been little-used.
But there was still hope. In February 2007, EDT introduced an appliance to invoke Secure Erase, which is known as the Digital Shredder. Priced between $12,000 and $15,000, the Digital Shredder uses an internal disk drive code to perform low-frequency recording. It can erase up to three hard drives at once, and disks can be of mixed type - ATA/IDE, SATA or SCSI. It supports 2.5-inch and 3.5-inch drives.
Gartner Research has put the per-PC cost of sanitizing by destruction or overwriting at $84 to $135. A simple ROI calculation for a given method takes into account the number of drives to be tested and the savings to be recouped through re-use, sale to secondary markets and reduction of third-party costs. Cost calculation should also include differences in labor, handling, storage of drives in high security areas pending pickup, or the cost associated with the risk of loss of data by third-party handlers.
Environmental impact must also be considered. Customers are increasingly interested in avoiding landfills and hazardous waste, boosting interest in solutions that reuse as much of a computing device as possible. "Green" is still the No. 2 priority after reducing risk, says NextPhase's Adam.
Opportunity Knocks
There's a considerable upside for VARs when it comes to data destruction. "Channel partners can increase their value to the customer by providing additional solutions," says NextPhase's Adam. By using techniques that allow for resale, partners "recover additional funds for the customer to acquire new technology. We've found end-of-life issues were delaying acquisitions." AnythingIT's Bernstein suggests building end-of-life services into the initial sale.
One way VARs can break into this area is partnering with third parties or creating their own services. AnythingIT, for example, is a national service with three facilities across the United States. It offers a range of discounted service programs to VARs through CompTIA and Tech Data to enable secure, eco-friendly disposal.
EDT is seeking to roughly double its current count of 20 reseller partners touting the Digital Shredder, and may enable its resellers to sell it as a service. "There is margin opportunity and consulting opportunities," says EDT's Thorsen, such as helping clients determine levels of risk and the appropriate destruction approach. Two resellers in Canada use the Digital Shredder as a service provider, says Ryk Edelstein, president of Converge Net, a Canadian reseller and distributor for the Digital Shredder. Training takes about 60 to 90 minutes.
VARs considering relationships with third parties should investigate the potential vendor's bonding, insurance, hiring practices, auditing and certification capabilities, security processes and environmental practices as well as their data destruction services. In fact, The National Association for Information Destruction's (NAID) 950 members include 340 that have undergone certification to the association's standards, including paper and physical hard drive destruction. Data sanitation service certification will be added this year, along with a destruction compliance toolkit. The Phoenixbased group, which represents companies providing information destruction services, also maintains a code of ethics for providers.
"If something happens, yes, it's bad, but even worse is to find a company has done no due diligence in choosing a vendor," says Bob Johnson, executive director of the NAID. "The damage is even worse."
Health-care organizations can no longer afford to make end-of-life data protection an afterthought. Savvy VARs will step in with solutions that not only provide these operations the security they need, but ensure their own role in the ongoing technology refresh process.
It's there, somewhere deep within the bowels of your local hospital: that storage closet full of old IT equipment, its hard drives replete with patient health and financial data. Uncertainty about compliance with HIPAA and other privacy laws, and the lack of budget to deal with equipment at the end of its life, mean many health-care organizations are unsafely stockpiling old equipment.
