Printers, copiers pose data-security threat
A recent television news report about secondhand copy machines that still contained patient medical records highlights a problem every healthcare provider should consider, experts say.
For the April report, a CBS News camera crew followed a security expert as he bought three discarded copiers—two from the Buffalo, N.Y., Police Department and one from Affinity Health Plan, a New York health insurer—from the warehouse of a New Jersey office-equipment reseller.
The used equipment provided the tech-savvy security expert and the news organization with the names of sex-crime victims and drug-raid targets as well as 300 pages of medical records, including prescription-drug data, blood-test results and a cancer diagnosis, according to the news report.
Nearly every digital copy machine built since 2002 has the equivalent of a computer hard drive, reported CBS reporter Armen Keteyian.
The security problem the report illustrates is common across the healthcare industry, said Michael “Mac” McMillan, CEO and co-founder of Austin, Texas-based healthcare information security firm CynergisTek. Used copy machines, McMillan said, are not the only data-laden devices that are inadvertently, and all too often, rolled or carried out the doors of healthcare organizations.
“Printers are no different,” McMillan said. “They get the data from a computer and display it for the printer or fax to print it or do whatever it wants to do. And what do you suppose happens at a small doc's office when he gets a new one? Out in the Dumpster.”
Tracking down Affinity's leased and returned copying machines hasn't been easy and is “still a work in progress,” said Abbe Abboa-Offei, senior vice president of customer and community connections for the health plan. Abboa-Offei said the hunt has focused on copiers leased between 2005 and 2009. She said she did not have the number of machines involved immediately available.
“From what we've learned, the process is pretty much the same everywhere,” Abboa-Offei said. “Once an organization releases the copiers, the leasing company is free to sell them on the wholesale market to anyone who wants to buy them, including CBS. They can sell them in this country. They could sell them internationally. ”
Abboa-Offei said Affinity has had “very strict data security policies” covering all paper-based and electronic information. Computers, flash drives, fax machines, scanners and even cellphones are routinely scrubbed by an outside contractor, Abboa-Offei said. Now, she said, leased copiers have been added to the to-be-scrubbed list.
A lack of awareness on Affinity's part is one reason the insurer missed the fact that its copying machines contained storage devices, Abboa-Offei said. “But there has to be some responsibility on the part of the manufacturer to create that awareness,” she said. “There really needs to be some accountability on the part of manufacturers educating their customers on this use.”
One good thing to come out of the episode, Abboa-Offei said, is that Affinity has a renewed and heightened sensitivity to data security. The insurer has undertaken a thorough review of all security policies, she said.
Awareness of the security risks posed by electronic devices is half the battle, said CynergisTek's McMillan, but healthcare organizations also have to put in place, and follow, procedures for handling every piece of data-laden equipment when it leaves service.
“Just about every technical device today that one way or another manages some type of data generally has a computer associated with it,” McMillan said. “If it's IT, it needs to be part of your disposal plan.”
Organizations have a few options for removing or destroying data stored on electronic devices, McMillan said. One procedure, degaussing, exposes the drive to a powerful magnetic field that erases magnetic media such as a conventional hard disk (it has no effect on flash storage, which must be purged or destroyed by other means). Alternatively, he said, “There are software tools that write over the data so many times it can't be read easily, or you take that drive out and destroy it.”
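The overwrite option McMillan describes is only worth doing if you can also prove it worked. The following is an added example, not code from the article or from CynergisTek, that overwrites a storage image in place and then scans it for known record markers to confirm nothing readable survives. It assumes a copier's drive has been removed and either imaged to a file or attached to a workstation as a raw block device; the sample records, the marker strings and the image layout are constructed here for illustration. Overwriting is only meaningful on magnetic media: flash-based storage remaps sectors internally, so overwritten blocks can still hold old data, and for SSDs or embedded flash the device's own secure-erase command or physical destruction is the right tool.

```python
"""Multi-pass overwrite of a storage image, followed by a residue scan.

Added example: the path stands in for a raw image of a copier's drive
(or a block device path when run with sufficient privileges).
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write/read granularity: 1 MiB

# Constructed markers that appear in the constructed sample records below.
# In practice you would use strings known to exist on the original media.
PATTERNS = [b"Patient:", b"DOB:", b"Rx:"]


def _fill(f, size, make_chunk):
    """Write `size` bytes from offset 0 using make_chunk(n) for each chunk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(make_chunk(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make sure the writes actually reach the media


def overwrite_image(path, passes=3):
    """Overwrite every byte of `path`: `passes` random passes, then zeros.

    Returns the number of bytes overwritten per pass.
    """
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # works for files and block devices
        for _ in range(passes):
            _fill(f, size, secrets.token_bytes)
        _fill(f, size, lambda n: b"\0" * n)
    return size


def find_residue(path, patterns):
    """Scan `path` for any of `patterns`; return the set that still appears."""
    found = set()
    keep = max(len(p) for p in patterns) - 1  # overlap so no match spans a chunk boundary
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            found.update(p for p in patterns if p in window)
            tail = window[-keep:] if keep else b""
    return found


def is_all_zero(path):
    """True if every byte of `path` is zero (what the final pass should leave)."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != bytes(len(chunk)):
                return False


def demo():
    """Build a constructed image, sanitize it, and report before/after state."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        # Constructed sample: fake records followed by unused space, like a
        # small copier partition. Not real patient data.
        records = b"".join(
            f"Patient: P{i:04d}\nDOB: 19{i % 100:02d}-01-01\nRx: generic-{i}\n".encode()
            for i in range(500)
        )
        with open(path, "wb") as f:
            f.write(records)
            f.write(b"\xff" * (3 * CHUNK))
        before = find_residue(path, PATTERNS)
        overwrite_image(path, passes=2)
        after = find_residue(path, PATTERNS)
        return before, after, is_all_zero(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after, zeroed = demo()
    print("markers before:", sorted(before))
    print("markers after:", sorted(after))
    print("image all zero:", zeroed)
```

Record the output of the residue scan alongside the device serial number as the disposal evidence; an overwrite with no verification step is just a claim.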
McMillan added that security risks exist for healthcare organizations of all sizes.
“The smallest rural hospitals usually don't have an IT staff,” McMillan said. “They outsource their IT. Mom and pop comes in and services their computers. A lot of time they don't know and understand a lot of this, and the people who are running the facility, they're clinicians, and they don't know. So, you have a combination of a lack of IT knowledge and a lack of appreciation [that] this device has a computer in it.”
In larger, more-sophisticated organizations, decentralization of IT management and oversight can create security gaps, McMillan said. And the existence of an IT-disposal policy doesn't mean that all employees will know, understand and always abide by its provisions.
“Hospitals that have good processes around how IT is disposed of … tend not to have these problems,” McMillan said.