Secure it asset disposition: achieving valuable outcomes for healthcare

The risks of not having an IT asset disposition solution are substantial.Here’s how healthcare organizations can dispose of end-of-life IT assetsand media successfully to protect patient and sensitive informationwhile achieving security, compliance, and environmental goals.

THE HEALTHCARE SECTOR SUFFERS THE MOST DATA BREACHESamong all industries. In 2021, according to theHIPAA Journal, 712 healthcare data breaches were reportedbetween January 1 and December 31, 2021, setting a newrecord for healthcare data breaches. In fact, this was a 10.9%increase from 2020 — and demonstrates why data security isthe top concern among IT leaders in the healthcare industry. Inaddition, they’re grappling with a wide range of regulations thataffect IT asset decisions, especially around the disposal of retiredor obsolete equipment.

With the right IT asset disposition program, however, healthcareorganizations can:

• Improve data security and privacy, while complying with new and changing global regulatory requirements
• Lower total cost of ownership (TCO) through remarketing
• Minimize impact on the environment

THE STAKES ARE HIGH

Data breaches are an ongoing concern for all organizations. Yet, ashospitals and medical facilities increasingly collect digital data, thestakes are rising. Hospitals are already using an average of10 to 15connected medical devices per bed. As the proliferation of thesedevices expands, the risk of breaches also escalates.

One MRI machine may contain thousands of patients’ images; one humanresource employee’s laptop could contain sensitive patient, employee,and organizational data. If these devices are not properly handled at theend of their lifecycle and fall into the wrong hands, the organizationcould suffer data theft, damage to reputation, and/or face regulatorypenalties or fines.

Healthcare IT leaders are keenly aware of the challenges surroundingIT asset disposition (ITAD). In a recent IDG survey, they listed their topthree obstacles as:

• Data security
• Chain-of-custody security risks
• Proper environmental recycling

In addition, IT leaders within healthcare say they’re aware of the multitudeof regulations affecting ITAD, such as the Health Insurance Portabilityand Accountability Act (HIPAA) as well as EPA and FDA regulations.

There’s a disconnect, however, between recognizing the challenges,risks, and regulations and taking actions to avoid data security problemsupon IT asset disposition. For example, the IDG survey revealed that:

• 58% of healthcare organizations do not have a formal ITAD policy in place
• 47% handle equipment disposal entirely in house
• 29% dispose of old equipment in the trash

“Unfortunately, healthcare organizations are susceptible to a varietyof security risks,” says Brooks Hoffman, a member of the Securee-Waste and IT Asset Disposition team at Iron Mountain.

For example, the industry is undergoing significant merger and acquisitionactivity, which makes IT asset disposition more complicated.In addition, more small clinics, urgent care centers, and facilitieshave mobile employees, making it harder to control all the differentdata-bearing devices.

These situations make having an ITAD policy in place all the more important.The good news is that the solution isn’t complex or burdensome.

SECURE IT ASSET DISPOSITION:THE BENEFITS OF COMPREHENSIVE COVERAGE

A properly designed secure IT asset disposition (SITAD) programmeets all of an organization’s goals. Asked what they’d most like tosee in such a program, IT leaders in the healthcare industry said:

• Meet HIPAA requirements and data privacy regulations
• Ensure the security of sensitive data
• Provide a consistent, reliable, secure chain of custody
• Reduce the burden on internal resources
• Comply with environmental regulations

A comprehensive SITAD program does all that and goes further. Forexample, Iron Mountain’s solution gets healthcare organizations startedwith a framework for ITAD policy creation. This template includesprocedures for asset tracking, data security standards, data destructionguidelines, and regulation compliance — specific to industry needs.

The right SITAD solution also instills confidence in a secure chainof custody when IT assets are disposed. For example, some ITADcompanies use third-party services to haul away old equipment.

Those vendors sometimes subcontract the logistics or truckingaspects, which puts the chain of custody into question. Consider therisks if the hauling company driver doesn’t lock his vehicle while yourIT assets are inside.

Healthcare organizations should work with ITAD vendors who arecertified by independent, standards-setting bodies such as e-Stewards^®. This ensures that there’s no cutting of corners in regulationsand standards compliance.

ITAD vendors also can help address environmental and social responsibilitygoals by diverting IT assets from landfills and other wastestreams. There is a lot of complexity in this area, because each U.S.state and municipality may have specific requirements in addition tofederal regulations for electronic waste.

Finally, because healthcare organizations are under constantpressure from a cost standpoint, they should consider remarketingend-of-life IT assets. With help from the right ITAD partner, facilitiesand hospitals can retire old equipment and gain maximum resalevalue, which will lower TCO.

THE BOTTOM LINE

Healthcare organizations have a great deal of sensitive data at stake,particularly if they don’t have a secure IT asset disposition program.Getting ITAD right, organization-wide, is crucial.

“If 75% of the organization does ITAD the right way, it means that 25%is doing things the wrong way. That’s a problem,” Hoffman says.

Iron Mountain’s Secure IT Asset Disposition solution helpsorganizations ensure that IT assets are destroyed, recycled, or repurposedproperly for maximum value. Find out more:www.ironmountain.com/sitad