Devices that store information are now everywhere and used multiple times by most people on a daily basis. From PCs, to laptops, to phones and tablets, to USB keys and external hard drives – the amount of data that a person can potentially store has grown exponentially over the past decade. While the convenience of near unlimited storage is very appealing, it also introduces new challenges. This is particularly evident when trying to take inventory of what data is on a device that is about to be donated, sold, simply thrown away, or that has stopped working.
While it is always a good idea to securely wipe devices that have had personal information stored on them, when it comes to PHI, it is a requirement. PHI doesn’t always stay in the cloud or on your EHR server. Reports can be saved to local drives. Data can be copied to a USB key to move it to another device such as a lab interface PC. As someone responsible for the data in your office, how do you know what data is on all these devices in your office?
The answer is simple: you don’t. When it comes time to decommission ANY device that was used in an office, err on the side of caution and have it properly wiped. This is not a simple “format”. There are regulations as to the quality of the secure delete methods that are required, and the wipe should be done by someone who knows these regulations and can provide a certificate of proof, particularly when throwing a device away.
While most people seem to hesitate when it comes to disposing of a working PC, many don’t seem to consider a broken device to be a problem. One day that PC won’t power on, or that USB key no longer shows up when you plug it in. Many times, these items just get discarded on the assumption that the data is inaccessible because the device doesn’t work. This is not the case. Anyone can take a PC, remove the hard drive, and access the data. Hard drive encryption helps in these cases, but it is not the default configuration for new devices, particularly desktop PCs and external storage. If you aren’t sure if the device is encrypted, it likely is not. Even where encryption is in place, there are times that a non-encrypted personal laptop is used until a replacement work laptop arrives. Months later when the personal laptop fails, the owner completely forgets that it may have PHI stored on it. And remember, we aren’t only concerned with PHI. Personal information, passwords, tax returns, and bank statements are all forgotten about, but all are extremely sensitive information if they were to fall into the wrong hands.
The bottom line is that any device, personal or professional, should never leave your possession without being properly wiped or physically destroyed by a trusted professional. Train employees who handle data and devices in your office to NEVER just throw out a device if it stops working. Limit or prohibit the use of any personal devices in day-to-day operations. Lastly, talk to your IT professionals about hard drive and portable device encryption, particularly for any device that is removed from the office or could easily be stolen.
Education, procedures, and proper diligence when disposing of used devices will determine if you are throwing out a pot of gold - or just a paperweight.