Jay Rath
If you’ve ever wanted to take a sledge hammer to your medical records system, be careful! You want to make sure and do a good job.
We’re talking about hardware. As HIT advances, we’ll continue to decommission parts of legacy systems. “They’re likely to contain patients’ financial or protected health information, and special care is needed in disposing of devices such as desktop and laptop computers, servers, tablets, hard drives, USB ‘thumb’ drives, copiers or any electronic storage devices,” warns Health Data Management.
You’d think it would be easy enough to crash your system permanently, but such is not the case. And despite what you see on TV, don’t try pouring Coca Cola onto the hard drive, or (our favorite) shooting it, as seen in Diagnosis Murder. Also seen in that hospital whodunit starring Dick Van Dyke: wiping a mainframe with a metal lunchbox that’s been magnetized.
Before you reach for a magnetized banana, follow this advice from the Office for Civil Rights of the Department for Health and Human Services:
Make sure your data-disposal plan is up to date. Hopefully your health system has already given this thought. Such a plan should include media sanitation, and hardware or software disposal.
Remove identifying marks. Decals or stickers will signal that the hardware or storage device might contain financial or personal health information.
Identify and isolate all asset recovery-controlled equipment and devices. First, a definition. Let’s say you’re hacked and infected with ransomware. This is all the stuff you have on hand in case your whole system crashes. It’s your back-up devices or “memory media.” “These devices are likely to contain vast stores of corporate information from an organization,” warns Health Data Management. “By contrast, an individual laptop might only contain information important to the individual who was using it.”
Don’t let just anyone remove your garbage. Well, that may be okay if it’s your old foosball table you set by the curb. But if you’re a health system, you might want to contract with a firm that specializes in cleaning and destroying IT and memory devices. Make sure the company is certified. “Such certifications include compliance with NIST standards, and those specified by HIPAA and HITECH, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and others. Entities should be members of the National Association of Information Destruction and have AAA Certification for both mobile and plant-based operations.”
Watch the middle. So you’ve found a great firm that destroys it all, and it’s certified by that mouthful of organizations above. So you put it on the loading dock and wait for pick-up? Call Uber for delivery? Nope. “Healthcare organizations must ensure that individuals vested with this responsibility can be completely trusted. All individuals handling the organization’s assets should be subjected to workforce clearance processes and undergo training.”
Determine the scene of the crime. Kids, don’t try this at home! When murdering a hard drive, you’ll save trouble if you do it onsite, in your own building.
Avoid zombies. You know how they keep coming back no matter how many times you kill ‘em? It’s the same with IT. You can never kill it enough. Delete, then overwrite and then (this is the fun part) destroy. “Burning, melting or pulverizing,“ sounds like good clean fun, “but devices also can be rendered inoperable by pounding nails or drilling holes into hard drives.” Admit it. You know you want to.
For more information, check with the Office for Civil Rights of the Department for Health and Human Services.
Moxe suggests you trash all inefficient manual processes and instead go with the fully digital and automatic network connecting payers and health systems.