Disposal of e-waste, including personal computers, hard drives, back-up tapes and CDs, has become a growing problem for the healthcare industry — both because of information privacy legislation protecting patient data, and an increasing concern for the environment.
PCs contain significant amounts of lead, cadmium and mercury vapor. If sent to a landfill, decomposing equipment can leak harmful chemicals into the ground or water supply. Industry analysts estimate that roughly 1 billion computers will become potential scrap, or be retired from productive use, between now and 2010, says Linda Demmler, worldwide director of Global Asset Recovery Services, IBM, Armonk, N.Y. "There's probably about 150 million already stockpiling in warehouses, store rooms and closets." Not only do healthcare organization executives want to protect patient data so it doesn't become part of the public domain, they also want to protect intellectual capital, intellectual property and trade secrets, explains Demmler.
Ensuring data security is the primary driver behind asset disposal policies, says David Daoud, senior analyst at IDC, a provider of market intelligence and advisory services (Framingham, Mass.). Reducing the organization's environmental footprint is secondary, and the third driver is minimizing the cost and hassle. "Healthcare institutions are finding equipment is easy to acquire, but it's really hard to retire," he says.
The first step in PC disposal or resale is to overwrite the data. This can be done any number of times. The figure most often cited as the Department of Defense standard (DoD 5220.22-M) is seven passes, although the clearing matrix in the 1995 edition of that document itself specified three: a character, its complement, then random data, followed by verification. According to Demmler, NASA-type practices require a 17-pass overwrite. Currently there is no standard specific to healthcare organizations, but Demmler says most are going with seven. Two caveats matter more than the pass count: NIST Special Publication 800-88 concluded that a single verified overwrite is adequate for modern ATA drives, and no software overwrite can reach sectors the drive's firmware has already remapped as bad, so the drive's built-in Secure Erase command or physical destruction is the safer choice for the most sensitive data. Whatever the pass count, the result should be verified by reading the drive back.
Data overwriting works by running a program on the PC that writes fixed byte patterns or a random sequence of ones and zeroes over every addressable sector of the hard drive. The point is that the old contents are physically replaced: deleting files or running a quick format only removes the file-system entries that point to the data, and the data itself stays on the platters until something writes over it. "If you overwrite it once, it's like putting Post-it notes at random on a bulletin board," Demmler says. "If you pin them up quickly, you may not cover the bulletin board, but eventually it'll be virtually irretrievable."
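The following Python script is an added example, not code from the article, IBM, IDC or any disposal vendor. It shows the mechanics of a multi-pass overwrite on a disk image (a plain file standing in for a block device): it writes a configurable list of passes over every byte, derives the random passes from a per-run seed so that the final pass can be verified by reading the device back, and records progress in a checkpoint file so that a run interrupted midstream resumes where it stopped instead of restarting from the beginning. The pass lists, the fictitious patient records written into the image, the checkpoint file format and the `stop_after` crash switch are all assumptions made for the demonstration. Pointed at a real drive it would still be subject to the caveat above: it cannot touch sectors the firmware has remapped.

```python
# Multi-pass overwrite of a disk image with checkpointing and read-back verification.
# Added example, not from the article or any vendor; a plain file stands in for the drive.
import hashlib
import json
import os
import secrets
import tempfile

CHUNK = 1 << 20  # default bytes per write; smaller chunks checkpoint more often

# One entry per pass: a byte pattern to repeat, or None for random data.
THREE_PASS = [b"\x00", b"\xff", None]               # character, complement, random
SEVEN_PASS = [b"\x00", b"\xff", None] * 2 + [None]  # assumed layout of a 7-pass variant


def pass_data(pattern, seed, offset, length):
    """Bytes that `pattern` should place at `offset`. Random passes come from
    SHAKE-256 keyed by seed and offset, so verification can recompute them."""
    if pattern is None:
        return hashlib.shake_256(seed + offset.to_bytes(8, "big")).digest(length)
    return (pattern * (length // len(pattern) + 1))[:length]


def _load_checkpoint(path, default_chunk):
    """Resume state from a checkpoint, or a fresh state with a new random seed."""
    try:
        with open(path) as fh:
            s = json.load(fh)
        return s["pass"], s["offset"], bytes.fromhex(s["seed"]), s["chunk"]
    except (FileNotFoundError, KeyError, ValueError):
        return 0, 0, secrets.token_bytes(32), default_chunk


def _save_checkpoint(path, pass_no, offset, seed, chunk):
    with open(path + ".tmp", "w") as fh:
        json.dump({"pass": pass_no, "offset": offset, "seed": seed.hex(), "chunk": chunk}, fh)
    os.replace(path + ".tmp", path)  # atomic rename: a crash never leaves a torn checkpoint


def overwrite_device(device, passes=THREE_PASS, checkpoint=None, chunk=CHUNK, stop_after=None):
    """Overwrite every byte of `device` once per entry in `passes`, checkpointing
    after each chunk so a rerun resumes where it stopped. `stop_after` (in chunks)
    simulates a midstream failure for the demo. Returns (seed, chunk) for verification."""
    checkpoint = checkpoint or device + ".wipe-state"
    size = os.path.getsize(device)
    pass_no, offset, seed, chunk = _load_checkpoint(checkpoint, chunk)
    written = 0
    with open(device, "r+b", buffering=0) as dev:
        while pass_no < len(passes):
            while offset < size:
                if stop_after is not None and written >= stop_after:
                    raise RuntimeError("simulated crash")  # progress is already on disk
                length = min(chunk, size - offset)
                os.pwrite(dev.fileno(), pass_data(passes[pass_no], seed, offset, length), offset)
                os.fsync(dev.fileno())  # data must reach the media before we record progress
                offset += length
                written += 1
                _save_checkpoint(checkpoint, pass_no, offset, seed, chunk)
            pass_no, offset = pass_no + 1, 0
            _save_checkpoint(checkpoint, pass_no, offset, seed, chunk)
    return seed, chunk


def verify_last_pass(device, passes, seed, chunk=CHUNK):
    """Read the device back and confirm every chunk holds the final pass's data."""
    with open(device, "rb") as dev:
        for offset in range(0, os.path.getsize(device), chunk):
            data = dev.read(chunk)
            if data != pass_data(passes[-1], seed, offset, len(data)):
                return False
    return True


def run_demo():
    """Wipe a constructed image: crash after two chunks, resume, verify, detect tampering."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "disk.img")
        checkpoint = device + ".wipe-state"
        record = b"MRN 0000001 | DOE, JANE | DOB 1950-01-01 | dx: hypertension\n"
        with open(device, "wb") as fh:
            fh.write(record * 200)  # 12,000 bytes of constructed, fictitious PHI
        chunk, results = 4096, {}
        try:
            overwrite_device(device, THREE_PASS, checkpoint, chunk, stop_after=2)
        except RuntimeError:
            pass_no, offset, _, _ = _load_checkpoint(checkpoint, chunk)
            results["resumed_from"] = (pass_no, offset)  # (0, 8192): two chunks were done
        seed, chunk = overwrite_device(device, THREE_PASS, checkpoint, chunk)
        with open(device, "rb") as fh:
            results["phi_gone"] = b"DOE, JANE" not in fh.read()
        results["verified"] = verify_last_pass(device, THREE_PASS, seed, chunk)
        fd = os.open(device, os.O_RDWR)  # corrupt one byte; verification must now fail
        os.pwrite(fd, bytes([os.pread(fd, 1, 100)[0] ^ 0xFF]), 100)
        os.close(fd)
        results["tamper_detected"] = not verify_last_pass(device, THREE_PASS, seed, chunk)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checkpoint is rewritten with an atomic rename after every chunk and only after `fsync` has returned, so a power loss or a program crash like the one described later in the article costs at most one chunk of rework rather than a full restart. Deriving random passes from a recorded seed is what makes the final read-back check possible; a wipe that cannot be verified against what it claims to have written is just a promise.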
However, as Daoud points out, some data that at first appears to be lost forever, may be recoverable. "Obviously if your hard-drive is taken by the NSA, then these guys certainly have the capability to resurrect anything, but what's the likelihood of that happening?" Increasingly, healthcare organizations are faced with a stockpile of expired equipment, and are looking to vendors to perform their disposal services, Daoud says. Institutions are more likely to employ specialty companies to tackle the disposal problem, rather than utilizing in-house resources.
Most hospitals don't have the resources or facilities to let PCs run for an extended amount of time — often required to overwrite all the data. Sometimes these programs fail midstream and need to be restarted. "Theoretically, it's not something a hospital couldn't do, but in an environment where productivity is key, and energizing hospital teams to be focused on core competencies is key, this probably isn't an area in which they are robust in expertise," he says.
Demmler says the three most important questions that a healthcare institution needs to ask before selecting a vendor are: Is asset disposal the vendor's primary business objective? Does this vendor have financial stability? And, is there a robust focus on protecting your data?
Daoud says organizations need to ensure vendors meet the necessary requirements for internally tracking assets. "An auditing trail should tell you exactly where your equipment has gone. Has it gone to a prison to be dismantled? I've actually heard of this happening," he says. It should also tell you if the data has been completely wiped, and whether it has been refurbished and sold into the market, or physically destroyed.
To Demmler, it's often beneficial to find a vendor that has received ISO 14001 certification from the Geneva-based International Organization for Standardization for proper environmental management. However, she says, ISO certification is not enough. "It doesn't say, 'We certify that this company has gone through a rigorous testing process to ensure they follow the correct methods of disposal,'" she says. "It's up to each organization to find a company with proven capabilities."
Demmler says that having a certification process for vendors would make it easier for providers to make smarter choices about their asset disposal services, but that it isn't happening anytime soon. "There is such complexity over the legislative landscape, with new regulations emerging almost daily, it'd be hard to maintain a valid certification," she says. "A vendor might be certified one year, but not the next."
Many healthcare executives are worried that if their data leaks into the environment, they could be sued. "It's hard for a company to give a 100 percent guarantee that data is irrevocably destroyed," Daoud says. "But I think it becomes the responsibility of the customer to push their vendor into providing better guarantees." According to Daoud, some companies go the extra mile and give customers an insurance liability policy, setting aside $20 million in case of a lawsuit. "However, most large companies would rather not give the policy or guarantee, so they're not liable if something goes wrong," he says.
In order to minimize responsibility and alleviate costs, some hospital executives make the decision to lease their computer equipment rather than buy it outright.
"In my opinion, leasing our equipment streamlines the process of disposal. Firstly, it mitigates the risk for data leaking out into the environment, and secondly it minimizes the cost involved in getting rid of our expired equipment," says Charles Christian, CIO of 232-bed Good Samaritan Hospital in Vincennes, Ind.
These days an organization has to factor in the cost of disposal when calculating the total cost of ownership of equipment. "Our strategy is making it someone else's problem, that's the short and blunt way of putting it," Christian says. However, he adds, "Maybe the problem isn't entirely alleviated. We still have to audit the company to make sure they're adequately wiping the hard drive." In addition, he says Good Samaritan has a policy that ensures all data is wiped on hospital premises, in a secure environment. As far as taking the equipment off hospital premises and ensuring that it's disposed of in an environmentally appropriate manner, Christian says that this is entirely the vendor's responsibility.
Mercy Health Services, a 230-bed hospital in Baltimore, has opted for total destruction instead of leasing equipment or reselling expired devices.
"A year ago, our hospital created a committee called the 'Greening of Mercy,' charged with disposing everything from paper to computers in an environmentally friendly manner," says Jim Mancini, senior manager of IT for Mercy Health Services. Mercy felt that destroying its expired equipment was a good solution because it was the only method that ensured the equipment wasn't re-sold and "dumped" in a foreign landfill, he says.
Mancini says destroying equipment meant protected health information was less likely to end up in the wrong hands. "We wanted to keep the chain of custody to a minimum, both for security and environmental reasons." Mancini says he chose E-Structor, Ellicott City, Md., after a site visit. "There were cameras and check points at every station up until the actual shredding of the equipment," he explains. According to Mancini, the vendor conducts a recycling and destruction process that is compliant with the DOD and NSA. Essentially, what the company does is put the equipment through a giant shredder. Shredded materials are passed along a conveyor belt where ferrous and non-ferrous materials are separated. "Everything is brought back to raw materials." Computers are not sold as functioning machines, so there's no need to "waste the time or the money on wiping data."
Mancini's executives are considering reselling the used equipment, but aren't 100 percent behind the idea. "I'm convinced that the data can be adequately removed, but what I can't figure out is how to know exactly where that equipment goes," he says. "What if the organization that they resell it to doesn't dispose of it properly?"