Disposal of e-waste, including personal computers, hard drives, back-up tapes and CDs, has become a growing problem for the healthcare industry, because of both information privacy legislation protecting patient data and an increasing concern for the environment.
PCs contain significant amounts of lead, cadmium and mercury vapor. If sent to a landfill, decomposing equipment can leak harmful chemicals into the ground or water supply. Industry analysts estimate that roughly 1 billion computers will become potential scrap, or be retired from productive use, between now and 2010, says Linda Demmler, world-wide director of Global Asset Recovery Services, IBM, Armonk, N.Y. "There's probably about 150 million already stockpiling in warehouses, store rooms and closets."
Not only do healthcare organization executives want to protect patient data so it doesn't become part of the public domain, they also want to protect intellectual capital and intellectual property trade secrets, explains Demmler.
Ensuring data security is the primary driver behind asset disposal policies, says David Daoud, senior analyst, IDC, providers of market intelligence and advisory services (Framingham, Mass.). Reducing the organization's environmental footprint is secondary, and the third driver is minimizing the cost and hassle. "Healthcare institutions are finding equipment is easy to acquire, but it's really hard to retire," he says.
The first step in PC disposal or resale is to overwrite the data. This can be done any number of times. The Department of Defense standard is seven overwrites, but according to Demmler, NASA-type practices require 17. Currently, there is no standard for healthcare organizations, but Demmler says most are going with seven.
Data overwriting works by running a program on the PC that writes a random sequence of ones and zeroes over the hard drive. "If you overwrite it once, it's like putting post-it notes at random on a bulletin board," Demmler says. "If you pin them up quickly, you may not cover the bulletin board, but eventually it'll be virtually irretrievable."
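An added example, not from the article or the vendors it quotes: a Python version of the multi-pass random overwrite described above, run against a constructed image file standing in for a drive, with a read-back check of the final pass and an audit record. The function name `overwrite_passes`, the record fields and the sample data are assumptions made for this illustration.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # write and read in 1 MiB blocks


def overwrite_passes(path, passes=7):
    """Overwrite every byte of `path` in place `passes` times with random data.

    Returns an audit record (hypothetical field names); `verified` is True
    only if the data read back after the last pass matches what was written.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            written = hashlib.sha256()
            remaining = size
            while remaining:
                block = os.urandom(min(CHUNK, remaining))
                f.write(block)
                written.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
        f.seek(0)
        readback = hashlib.sha256()
        while chunk := f.read(CHUNK):
            readback.update(chunk)
    return {"target": path, "bytes": size, "passes": passes,
            "final_pass_sha256": written.hexdigest(),
            "verified": written.hexdigest() == readback.hexdigest()}


def demo():
    # Constructed sample: a small image file holding a fake record.
    secret = b"PATIENT-RECORD constructed sample 000-00-0000\n" * 1000
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        record = overwrite_passes(path, passes=7)
        with open(path, "rb") as f:
            record["marker_still_present"] = b"PATIENT-RECORD" in f.read()
    finally:
        os.remove(path)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Overwriting a file or logical device this way does not reach sectors the drive has remapped or, on flash storage, blocks held back by wear leveling, which is one reason the audit record should state the method used alongside the pass count.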
However, as Daoud points out, some data that at first appears to be lost forever may be recoverable. "Obviously if your hard-drive is taken by the NSA, then these guys certainly have the capability to resurrect anything, but what's the likelihood of that happening?"
Increasingly, healthcare organizations are faced with a stockpile of expired equipment, and are looking to vendors to perform their disposal services, Daoud says. Institutions are more likely to employ specialty companies to tackle the disposal problem, rather than utilizing in-house resources.
Most hospitals don't have the resources or facilities to let PCs run for the extended amount of time that is often required to overwrite all the data. Sometimes these programs fail midstream and need to be restarted. "Theoretically, it's not something a hospital couldn't do, but in an environment where productivity is key, and energizing hospital teams to be focused on core competencies is key, this probably isn't an area in which they are robust in expertise," he says.
Demmler says the three most important questions that a healthcare institution needs to ask before selecting a vendor are: Is asset disposal the vendor's primary business objective? Does this vendor have financial stability? And, is there a robust focus on protecting your data?
Daoud says organizations need to ensure vendors have the necessary requirements for internally tracking assets. "An auditing trail should tell you exactly where your equipment has gone. Has it gone to a prison to be dismantled? I've actually heard of this happening," he says. It should also tell you if the data has been completely wiped, and whether it has been refurbished and sold into the market, or physically destroyed.
To Demmler, it's often beneficial to find a vendor that has received ISO 14001 certification from the Geneva-based International Standards Organization for proper environmental management. However, she says, ISO certification is not enough. "It doesn't say, 'We certify that this company has gone through a rigorous testing process to ensure they follow the correct methods of disposal,'" she says. "It's up to each organization to find a company with proven capabilities."
Demmler says that having a certification process for vendors would make it easier for providers to make smarter choices about their asset disposal services, but that it isn't happening anytime soon. "There is such complexity over the legislative landscape, with new regulations emerging almost daily, it'd be hard to maintain a valid certification," she says. "A vendor might be certified one year, but not the next."
Many healthcare executives are worried that if their data leaks into the environment, they could be sued. "It's hard for a company to give a 100 percent guarantee that data is irrevocably destroyed," Daoud says. "But I think it becomes the responsibility of the customer to push their vendor into providing better guarantees." According to Daoud, some companies go the extra mile and give customers an insurance liability policy, setting aside $20 million in case of a lawsuit. "However, most large companies would rather not give the policy or guarantee, so they're not liable if something goes wrong," he says.