The earliest efforts at developing electronic health records originated in the 70s, around the same time the digital movement began elsewhere.[i] Through government and industry interest these small-scale databases have transformed into extensive organizational systems holding a myriad of data on thousands of patients. As these dynamic records evolve, patient privacy and data security come up more and more often in the conversation.
Primary security measures for these records focus on protection while devices are connected to the network and the internet. Nearly 60 percent of healthcare organizations admit budgets for data security have increased in recent years, and for good reason.[ii] Every single IT professional surveyed in a recent healthcare study by the IDC revealed their organization had experienced a cyber-attack in the last year. This fact is made all the more believable as high-volume data breaches, and their hefty price tags, dominate news headlines daily.
As healthcare organizations face the ongoing battle of data protection, another threat creeps in. When hospital technology reaches end of life, it’s easy to switch the machine off and believe the risk is gone. But once a machine is off the network, its network defenses no longer apply, and a different kind of security must take over. This reality was made clear to NHS Surrey when it was fined £200,000 after a data destruction company mismanaged its devices and leaked nearly 3,000 patients’ information.[iii]
Although these backdoor data security threats are less common, they have the potential to be just as harmful. The era of hospital technology has allowed for innovative ways to care for and communicate with patients, but it has also introduced new devices that retain data and require secure end-of-life management. Depending on the type of device, different retirement stipulations may apply.
What some may not realize is that there are medical devices, such as certified decontaminated infusion pumps and sterilization equipment, that contain data. A general rule of thumb is that if a medical device stores data, it needs appropriate sanitization procedures. Some electronic medical devices are even mandated by law to have detailed supporting documentation of disposition, such as individual unit serial numbers or certificates of destruction.
Non-data-bearing devices also need an end-of-life program, but it will likely include separate conditions. Devices that contain hazardous components, data-bearing or not, generally have explicit decontamination and disposal specifications.
Additionally, there have been several recalls of electronic medical devices over the past few years. A study released by the U.S. Food and Drug Administration (FDA) showed a 97 percent increase in medical device recalls between 2003 and 2012.[iv] For these recalls, the FDA may require certified destruction of certain components or whole units.
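As an added illustration (not from the article or any vendor), the following hypothetical script encodes the retirement rules from the preceding paragraphs as a readiness check over a constructed batch of retired assets: a data-bearing device must have a sanitization record, hazardous components must be decontaminated, and units with mandated documentation or a recall must have a certificate of destruction on file. Field names, serials and certificate ids are assumptions.

```python
# Hypothetical disposition-readiness check; field names and sample values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    serial: str
    stores_data: bool                          # data-bearing devices need sanitization
    hazardous: bool = False                    # hazardous components need decontamination
    recalled: bool = False                     # recalls may require certified destruction
    certificate_required: bool = False         # disposition documentation mandated by law
    sanitization_method: Optional[str] = None  # "wipe", "shred", ... (constructed values)
    decontaminated: bool = False
    certificate_of_destruction: Optional[str] = None

def disposition_gaps(asset: Asset) -> list:
    """Return the unmet end-of-life requirements for one asset (empty means ready)."""
    gaps = []
    if not asset.serial:
        gaps.append("no serial number recorded")
    if asset.stores_data and not asset.sanitization_method:
        gaps.append("data-bearing device has no sanitization record")
    if asset.hazardous and not asset.decontaminated:
        gaps.append("hazardous components not decontaminated")
    if (asset.certificate_required or asset.recalled) and not asset.certificate_of_destruction:
        gaps.append("certificate of destruction not on file")
    return gaps

def batch_report(assets) -> tuple:
    """Split a retirement batch into serials ready for release and serials still blocked."""
    ready, blocked = [], {}
    for asset in assets:
        gaps = disposition_gaps(asset)
        if gaps:
            blocked[asset.serial] = gaps
        else:
            ready.append(asset.serial)
    return ready, blocked

# Constructed sample batch covering each situation the article describes.
SAMPLE_BATCH = [
    Asset("PUMP-0001", stores_data=True, certificate_required=True,
          sanitization_method="wipe", certificate_of_destruction="COD-77"),
    Asset("PUMP-0002", stores_data=True, certificate_required=True, sanitization_method="wipe"),
    Asset("STER-0100", stores_data=False, hazardous=True),
    Asset("WKST-0042", stores_data=True, recalled=True, sanitization_method="shred"),
]
```

Running `batch_report(SAMPLE_BATCH)` releases only PUMP-0001 and lists the reason each of the other three units is still blocked.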
In all of these instances the original equipment manufacturer (OEM) or an experienced and certified IT asset disposal (ITAD) vendor would be able to guide you on compliant action steps. Just as navigating the disposition process can be challenging, so can identifying what distinguishes a trustworthy ITAD vendor. Organizations can leverage basic industry knowledge to achieve a systematic and efficient process for securely disposing of all healthcare IT assets and medical devices. To understand what data protection assurances a vendor offers, determine the certifications and standards the vendor maintains.
Two of the most common recycling industry certifications are e-Stewards and the Responsible Recycling Practices Standard (R2), which have strict stipulations and frequent audits that work to ensure electronics do not end up in landfills or get exported to developing nations.
ISO 14001 is an environmental management standard worth noting, as it aims to decrease the amount of pollution and waste a business produces. Increased attention to waste management demonstrates the likelihood that a vendor will work diligently to extract maximum value when recycling medical devices and hospital IT assets.
Also pay attention to any certifications the vendor voluntarily maintains. The care a vendor takes for the health and safety of its staff is a moral reflection of how it will protect your data while managing medical devices. Two standards to note are ISO 14001, which ensures there are processes in place to protect the environment, and OHSAS 18001, which puts in place occupational health and safety practices that protect workers.
Also mind the standards by which the company conducts business, especially for data sanitization, as each offers a differing level of protection. Using a vendor with data destruction standards signifies it is further inclined to act within hospital policy and legislation such as the Health Insurance Portability and Accountability Act (HIPAA).
In addition, vendors that wipe data according to National Institute of Standards and Technology (NIST) specifications are usually reliable in ensuring data protection. Regardless, a trustworthy vendor should be open and transparent, so always ask for a rundown of their standards and certifications.
ITAD security service offerings have come a long way and are improving not only in standards but in convenience as well, with newer portable data destruction services that can be performed at any location. If choosing this route, it’s best to ensure the wiped and/or shredded components will be properly dealt with on the back end as well.
With so many associations and acronyms to keep track of, this process can bewilder decision makers. Some tips that may help simplify it are to narrow contracts to as few vendors as possible, select companies with a history of working in the healthcare field, and ensure they’ll accept all of your medical devices and hospital IT assets.
Be aware of your hospital’s device retirement needs and the vendor specifications that meet them as you develop your healthcare device disposition strategy. Device manufacturers are also available for consultation on recycling specifications – especially during a recall – and responsible IT asset disposition vendors are prepared to assist.
[i] http://virtualmentor.ama-assn.org/2011/03/mhst1-1103.html
[ii] http://www.healthcare-informatics.com/news-item/survey-40-percent-healthcare-organizations-faced-10-or-more-cyber-attacks
[iii] http://www.theguardian.com/media-network/media-network-blog/2013/aug/19/nhs-surrey-data-breach-scandal
[iv] http://www.fda.gov/downloads/aboutfda/centersoffices/officeofmedicalproductsandtobacco/cdrh/cdrhtransparency/ucm388442.pdf