There’s no shortage of memory media at healthcare organizations; maintaining control of their whereabouts is a significant challenge for IT staff.
Even hard drives, which are wired into computing devices, can be hard to track when they’re removed. Centene, a health insurer offering coverage through the Medicaid, Medicare and health insurance exchange markets, recently announced that it could not account for six hard drives after it conducted an inventory of its information technology assets. Those hard drives contained personal health information or other data from about 950,000 individuals.
The company will offer protective services and is reviewing its IT asset management procedures. However, it isn’t alone in the struggle to track IT assets, says Tom Walsh, president and CEO at tw-Security, a healthcare consultancy. “It’s almost impossible to have true accountability of media in an organization,” he notes.
That’s particularly true for larger healthcare organizations, which have a lot of hard drives, thumb drives and other devices floating around, says Kerry McConnell, principal consultant at tw-Security. An organization can track devices with a bar code, but that only picks up the serial number of a device, not where it is.
Mark Dill, a principle consultant at tw-Security, advises healthcare organizations to develop a chain of accountability process for encrypting any external devices holding any level of protected health information or intellectual property that an organization would not want to see compromised.
This is an expensive proposition, especially for smaller organizations, Walsh says, but he contends that it could be less expensive than dealing with a HIPAA corrective action plan and financial penalty.
The chain of custody also includes knowing which employees have which devices, Dill says. If a device was entrusted to a specific worker who was terminated or otherwise is leaving the company, IT should be aware that the device must be secured and not among the items taken by the employee.
In general, organizations shouldn’t assume that employees are going to act responsibly with sensitive information. Walsh adds: “Get tools to encrypt data being moved to a portable device. If we rely on employees to encrypt, they are going to forget to do it.”
All portal devices with encryption should have a password and a “master” password, so if a user forgets the regular password, the master password will permit access to the device. Dill uses a fingerprint scan on his devices. “While I have forgotten many passwords in my life, I have never forgotten my finger.”
Organizations also should make sure that someone else’s fingerprint or password (in addition to the user) is registered on a device so data can be accessed by someone other than the user, if necessary.
Best practices for protecting IT assets, according to tw-Security consultants, include:
Governance: Defining who (by name) is responsible for media use, asset management and encryption plans or processes.
Policy: A media handling process should articulate the strategy and procedures for protecting media throughout its entire lifecycle, which includes the assumption that all data created inside the organization is worth protecting.
Process: Keep hard drives labeled as to their sources: workstation, server, multifunction device (such as copier/scanner/fax/printer), and biomedical devices. Sanitize hard drives before reuse or disposal. Physically secure hard drives; sometimes they get stolen for the gold, silver or copper inside them.
Tools: Encrypt just about everything containing confidential information. “Centralized software encryption tools in concert with data loss prevention tools can enforce what information gets encrypted while managing the encryption keys,” according to tw-Security. “If devices do not report, the encryption keys can be revoked, rending the date to a useless blog of zeroes and ones.” A top 10 list of such overwrite tools is available here.
Awareness: All employees must have the sensitivity of data and the costs of breaches and lawsuits at top-of-mind, and all should know when to use standard-issue encrypted media.
Risk Analysis/Risk Management: Rather than tracking all media through an inventory, conduct a risk analysis to identify high-risk devices with large amounts of PHI, as well as additional devices where the threat of theft or loss is higher than other devices.
Incident Response: Have an incident response playbook and use tabletop exercises to rehearse the ability to quickly respond to an incident. Update the playbook as needed to address any discovered shortcomings.
Monitor and Audit: Internal and external auditors should oversee the IT functions and validate control effectiveness. Use metrics that matter, such as increasing the reporting interval for media and be willing to hunt for missing devices as soon as they “go silent.” Follow environmental laws on disposing of electronic equipment.
Finally, here is a primer on sanitizing data on storage media, from tw-Security. Sanitation is the process of removing information from storage media, which can be done five different ways:
1. Using “delete” or “erase” commands to remove files.
2. Reformatting the media.
3. Copying a new image on the media (hard disk drives).
4. Overwriting the media several times with random patterns of 1s and 0s.
5. Degaussing for magnetic media. Degaussing a hard disk drive will make it nonfunctional.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access