Electronic Healthcare Data Erasure – Concerns for Secure Disposal Management

By Markku Willgren, Blancco

Editor’s Note: Laws that are specific to health care data and the health care industry in the U.S. impact the data erasure programs that are used during redeployment and disposal. This article provides information to the IT Asset Managers responsible for developing or using the data erasure programs within their organizations.

As the long-awaited shift from paper to electronic health records (EHRs) accelerates, information technology (IT) asset managers in the healthcare industry need reliable, repeatable processes for the disposal of electronic media. To thoroughly secure patient data, asset managers must have a plan for erasing protected health information (PHI) when it is no longer needed or when any electronic media – from PCs and servers to smartphones – are disposed of. This plan should include the use of technology that can destroy all data on the wide variety of media that might contain EHRs and, in the U.S., provide auditable proof of its removal for compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The Health Information Technology for Economic and Clinical Health (HITECH) Act incentives take effect this year, meaning more healthcare providers will implement EHR systems. These systems generate vast amounts of data, posing a serious IT security challenge. To safely transition to EHR systems, asset managers need supporting software that can completely remove all data from electronic media, provide a detailed report of this erasure, and function easily on site. It should also be able to target specific data on network endpoints on a scheduled or event-driven basis, so that patient data is not retained on media once it is no longer needed.

HIPAA and disposal of electronic media

The HIPAA Security Rule requires that covered entities (and, since HITECH, their business associates) implement device and media controls for hardware ranging from PCs and servers to flash drives and other portable devices. Specifically, the device and media controls standard (45 CFR §164.310(d)(1)) requires:

“… policies and procedures that govern the receipt and removal of hardware and electronic media that contain protected health information [PHI] into and out of a facility, and the movement of these items within the facility.”

The Security Rule's implementation specifications under that standard also address the final disposal of electronic PHI and the media that holds it, as well as removal of PHI before the equipment is internally redeployed or disposed of for remarketing or recycling purposes. In addition to maintaining a record of where the hardware and electronic media are located, providers must track who is responsible for handling those movements.

Data erasure supports EHR security

The HITECH Act, which was part of the 2009 stimulus bill (the American Recovery and Reinvestment Act), includes financial incentives for adopting and meaningfully using EHRs. On one hand, providers who meet "meaningful use" criteria for EHRs are rewarded with incentive payments. On the other, HITECH significantly increased fines for violating HIPAA for both providers and business associates. Also, breaches affecting 500 or more individuals must be reported to the government, to the affected individuals and to prominent media outlets without unreasonable delay and no later than 60 days after discovery.

Health care providers must use a certified EHR system in order to qualify for HITECH’s EHR Incentive Program under the meaningful use rule. These EHR systems generate and exchange large amounts of data, so asset managers need a technology that can completely erase information when hardware used in the EHR process changes ownership for disposal, reassignment or recycling. To prove compliance with the HIPAA Security Rule, this technology should provide a detailed report of the media’s erasure status and who performed it.

Certified data erasure is a type of software that removes all data from PCs, servers and other electronic media by overwriting every addressable sector with a defined pattern of 1's and 0's and then verifying the result. Basic file deletion commands, for example, do not erase data: they only remove the directory entries and allocation metadata that point to the data's disk sectors, and the contents remain readable with forensic tools until something else overwrites them. Data erasure is a secure alternative to simple disk wiping utilities, which often cannot reach all areas of a disk (for example a host protected area, a device configuration overlay, or sectors the drive has remapped), yet it leaves the hardware operable for potential reuse or resale, unlike physical destruction or degaussing. One caveat for flash-based media such as SSDs, smartphones and USB drives: because of wear levelling, a software overwrite cannot be guaranteed to reach every cell, so NIST SP 800-88 recommends the device's own sanitize commands (such as ATA Secure Erase or NVMe Sanitize) or cryptographic erase for that media, with the tool recording which method it actually used.

Also, certified data erasure software automatically supplies a detailed report as proof of erasure for HIPAA compliance and other asset tracking purposes. Reports include lists of the disposed or erased items, their serial numbers, software licenses found on the disk, how the data was erased or the asset was destroyed, who performed the erasure, and the disposal procedure(s).

Because data erasure software generates the record itself rather than relying on employees to log the process, providers are protected from human error and oversight. The ability to produce such reports is a key advantage of certified data erasure over other data removal methods, and it gives providers documented evidence to rely on in compliance disputes or litigation.

The HIPAA Security Rule lists encryption of electronic PHI as an addressable implementation specification rather than an outright requirement, and HITECH's breach notification rule treats properly encrypted PHI as secured, which makes encryption the expected control for portable media. However, questions remain about how much of a medical practice's local data that resides within its network (LAN) needs to be encrypted under those rules, especially given the costs involved. For example, encrypting all information would be prohibitively expensive for many providers in terms of hardware, software and network speed. For complete security, asset managers must assume that all electronic media requires erasure before disposal or reuse, regardless of its assumed encryption status.

Certified data erasure software can supply report data to an IT asset management and tracking system for further security. By sending data erasure reports to an asset management system, or the person designated for this task if such a system is not in place, asset managers can track the retired systems they have sanitized.

When to erase EHRs

Asset managers must perform data erasure on site before media leaves the premises, to avoid loss of data in transit to an off-site IT asset disposition (ITAD) service provider or a recycling facility. A case in point is South Shore Hospital in Massachusetts, which reported in July 2010 that two of three boxes containing computer tapes with personal, health and financial information of 800,000 individuals had been lost in transit to a destruction facility.

Healthcare providers must also avoid storing EHR data longer than is necessary by using continuous data housekeeping practices. To implement such practices, asset managers need a centrally managed tool like certified data erasure that automates data housekeeping for the entire practice, scaling from receptionist and physician desktops to network servers and mass storage devices. This tool should permanently destroy sensitive information with multiple overwrites of EHR files and other PHI, as well as the recycle bin and empty disk space, on a time- or event-driven basis, without impacting other data, the operating system or applications.

As an example, asset managers can set the criteria for automated secure deletion of PHI on all front office systems throughout the network at intervals determined by the provider. This secure deletion can also be triggered by an event, such as the transfer of PHI data to a LAN server from a physician's desktop after a patient visit. Even if encrypted, data that is stored longer than needed in any location becomes an added exposure. Permanently erasing data at appropriate intervals reduces the amount of data that must be protected by encryption and stops the proliferation of multiple EHR copies.
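The following is an added example, not Blancco's product or the author's code, of the two mechanisms described above: an age-driven sweep that overwrites stale PHI files in place before unlinking them (rather than relying on a plain delete, which only drops the pointers to the data), and an erasure record for each file that is bundled into a report with an HMAC so the asset management system can detect a tampered report. The file names, the 30-day retention threshold, the operator identifier and the report key are assumptions made for the example, and the sample PHI files are constructed in a temporary directory. As the comments note, overwriting in place is file-level housekeeping; it does not substitute for whole-media sanitization on SSDs or copy-on-write filesystems.

```python
"""Age-driven secure deletion of PHI files with an HMAC-protected erasure report.

Added example, not Blancco's product code. Overwrites each eligible file in
place, verifies the final pass, unlinks it and records what was done.
"""
import hashlib
import hmac
import json
import os
import secrets
import socket
import tempfile
import time
from pathlib import Path
from typing import Optional

BLOCK = 1 << 16  # 64 KiB chunks for overwrite and read-back


def _overwrite_pass(fd: int, size: int, pattern: Optional[bytes]) -> None:
    """Write one full pass over the file; pattern=None means random bytes."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(BLOCK, remaining)
        chunk = secrets.token_bytes(n) if pattern is None else pattern * n
        remaining -= os.write(fd, chunk)  # short writes just continue at the new offset
    os.fsync(fd)  # push this pass to the device before starting the next


def secure_delete(path: Path, passes: int = 2) -> dict:
    """Overwrite (random passes, then zeros), verify, truncate, rename and unlink.

    Caveat: on SSDs and copy-on-write or journaling filesystems the original
    blocks may survive elsewhere, so this is file-level housekeeping, not
    media sanitization; whole-drive disposal needs device-level sanitize.
    """
    size = path.stat().st_size
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(max(passes - 1, 0)):
            _overwrite_pass(fd, size, None)
        _overwrite_pass(fd, size, b"\x00")
        # Verification: read the file back and confirm every byte is zero.
        os.lseek(fd, 0, os.SEEK_SET)
        verified, remaining = True, size
        while remaining > 0:
            buf = os.read(fd, min(BLOCK, remaining))
            if not buf or buf.count(0) != len(buf):
                verified = False
                break
            remaining -= len(buf)
        os.ftruncate(fd, 0)
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename to a random name before unlinking so the old file name is not left in the directory metadata.
    tmp = path.with_name(secrets.token_hex(8))
    os.rename(path, tmp)
    os.unlink(tmp)
    return {"path": str(path), "bytes": size, "passes": passes, "verified": verified,
            "method": "overwrite random+zero, read-back verify",
            "erased_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}


def sweep(root: Path, max_age_s: float, operator: str, now: Optional[float] = None) -> list:
    """Erase every regular file under root whose mtime is older than max_age_s."""
    now = time.time() if now is None else now
    records = []
    for p in sorted(root.rglob("*")):
        # Skip symlinks so a planted link cannot redirect the overwrite outside root.
        if p.is_file() and not p.is_symlink() and now - p.stat().st_mtime > max_age_s:
            rec = secure_delete(p)
            rec["operator"] = operator
            records.append(rec)
    return records


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(records: list, key: bytes) -> dict:
    """Bundle erasure records with host and time, then seal with HMAC-SHA256."""
    body = {"host": socket.gethostname(),
            "generated": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "records": records}
    return {**body, "hmac_sha256": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_report(report: dict, key: bytes) -> bool:
    """Recompute the tag over everything except the tag itself; constant-time compare."""
    body = {k: v for k, v in report.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(report.get("hmac_sha256", "")))


def demo() -> dict:
    """Constructed sample: two 40-day-old PHI exports and one fresh file (assumed names)."""
    root = Path(tempfile.mkdtemp(prefix="phi_"))
    stale = [root / "visit_0042.hl7", root / "labs_0042.pdf"]
    fresh = root / "today.hl7"
    old = time.time() - 40 * 86400
    for p in stale:
        p.write_bytes(b"PID|||123456^^^MRN||DOE^JANE|" * 3000)  # ~87 KB, spans several chunks
        os.utime(p, (old, old))
    fresh.write_bytes(b"fresh visit record, still needed")
    key = secrets.token_bytes(32)  # assumed report key shared with the asset management system
    records = sweep(root, max_age_s=30 * 86400, operator="itam-operator-1")  # assumed threshold and operator
    report = build_report(records, key)
    return {"erased": sorted(Path(r["path"]).name for r in records),
            "all_verified": all(r["verified"] for r in records),
            "fresh_survives": fresh.exists(),
            "stale_gone": not any(p.exists() for p in stale),
            "report_valid": verify_report(report, key),
            "tamper_detected": not verify_report({**report, "records": []}, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report key would in practice be held by the asset management system rather than the endpoint, and the records would be sent there (or to the designated person) as each sweep completes, so the erasure history of every system exists independently of the machine that performed it.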

Supporting a secure chain-of-custody

The health care industry could receive as much as $27 billion in incentives over the next 10 years under HITECH. To implement an EHR process and support secure chain-of-custody practices, asset managers need a centralized data erasure tool that employs certified technology to verifiably remove all data from every type of electronic media before reassignment or disposal, while providing auditable proof of compliance in a report. Without such software, a provider risks fines and jeopardizes the benefits of implementing an EHR system.

Certified data erasure software is flexible enough to execute either at the local desktop level or over a provider’s network to expedite data removal before a drive or other media leaves the premises or even a specific office. Also, its ability to target specific data through a network allows asset managers and IT administrators to remove redundant information and lighten the burden of encryption.