Digital Copiers and Printers: A Little-Known HIPAA Security Risk

Most people are aware of the risks associated with computer systems, including servers, data storage systems, desktops and laptops. And the HIPAA Security Rule contains specifications and standards that help eliminate or mitigate those risks. What most people don't realize is that today's digital copiers, scanners, fax machines and multi-function printers (MFPs — which combine all these features into a single device) also represent a growing HIPAA risk.

It turns out that most copier and printer technology changed about 10 years ago, and instead of an image being captured electronically on a drum and then transferred to a paper electro-mechanically, today's printers and related devices are basically a digital scanner coupled with a print/output device. Whether you are copying, scanning or faxing, all images are scanned in and stored on an internal hard drive. The problem is, most people are not aware that when they get a new copy machine or MFP, thousands of images are still stored on the hard drive of the old machine.

The issue was highlighted in a recent CBS News article. In that investigative piece, a CBS News correspondent accompanied a copier industry security expert to a large copier warehouse in New Jersey. There they bought four used MFPs, selected supposedly at random, for just a few hundred dollars each. Within a few hours, and using software available free on the internet, the expert was able to literally crack open the hard drives, and what he found was disturbing:
  1. Case files and other info from the Buffalo, N.Y., Sex Crimes Division
  2. Targeted individuals from a major drug ring from the Buffalo, N.Y., Narcotics Division
  3. Design plans from a New York construction company for a building being constructed near Ground Zero, plus 95 pages of paystubs, which included names, addresses and social security numbers on $40,000 worth of copied checks
  4. Three hundred pages of individual medical records from a health plan in New York

To add insult to injury, on the first copy machine they didn't even need to wait to get the data off the hard drive … there was a document still sitting on the copier's glass that should never have been there.

To our knowledge there have been no reported data/security breaches, HIPAA or otherwise, involving copiers or MFPs. However, this news story should make all healthcare entities such as ASCs take note, and increase their attention to all equipment that is sold, disposed of or donated. That includes not only copiers and printers, but computer workstations, servers, laptops and all portable media such as data CDs/DVDs and portable USB drives.

Merely "deleting" a file does not remove the data; it only removes the entry in the drive's directory. This is much like removing a library book's card from the card catalog in an old-fashioned library. The card's removal may make it so one cannot find the book, but the book is still there. Almost any semi-skilled IT amateur can use specialized (and free) software to easily reconstruct and retrieve the "deleted" data. You must use special software that overwrites the actual data itself. Alternatively, you can physically shred the media to make it completely unusable.
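To make the card-catalog analogy concrete, here is an added Python simulation (not from the original article) of a toy block device: a plain delete drops only the directory entry, so a raw scan of the media still finds a Social Security number, while a sanitizing delete overwrites the file's blocks before dropping the entry. The file names, SSNs and block layout are constructed for the demonstration.

```python
"""Toy block-device model (constructed for this example, not a real filesystem)
showing why a directory 'delete' leaves data recoverable on the media."""
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 32


class ToyDisk:
    """Flat byte array plus a directory mapping names to (first_block, nblocks)."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}
        self._next_free = 0

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)  # ceiling division
        start = self._next_free
        self._next_free += nblocks
        self.media[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data
        self.directory[name] = (start, nblocks)

    def delete(self, name):
        """Plain 'delete': remove the card from the catalog, leave the book."""
        del self.directory[name]

    def sanitize(self, name):
        """Overwrite the file's blocks (zeros here), then drop the entry."""
        start, nblocks = self.directory[name]
        lo, hi = start * BLOCK_SIZE, (start + nblocks) * BLOCK_SIZE
        self.media[lo:hi] = bytes(hi - lo)
        del self.directory[name]


SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def residual_ssns(disk):
    """Scan the raw media, ignoring the directory, as a recovery tool would."""
    return SSN_RE.findall(bytes(disk.media))


def demo():
    disk = ToyDisk()
    disk.write("claim.txt", b"Patient: J. Doe SSN 123-45-6789 DOB 01/02/1960")
    disk.write("memo.txt", b"Patient: R. Roe SSN 987-65-4321 referral note")
    disk.delete("claim.txt")        # "deleted" but still on the platter
    after_delete = residual_ssns(disk)
    disk.sanitize("memo.txt")       # overwritten, then removed
    after_sanitize = residual_ssns(disk)
    return after_delete, after_sanitize, dict(disk.directory)
```

Running `demo()` shows both SSNs recoverable after the plain delete, and only the "deleted" claim file's SSN still present after the memo is sanitized, even though the directory is empty in both cases.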

Most copier companies do not seem to be aware of or capable of properly cleaning off the data from hard drives on old copier equipment. The same thing seems to be true for regular computer equipment, in that many old computer workstations and hard drives belonging to hospitals, insurance companies, medical practices and ASCs seem to end up out in circulation at a school, a non-profit or in someone's home, with personal medical information still intact.

You should always engage a certified technology expert, and specifically someone who is familiar with proper data destruction policies and procedures, to take care of the disposal of all computer equipment. And now that includes printers, copiers and fax machines.

Marion K. Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.

Read more ASC IT guidance from Marion Jenkins:

1. Portable Data Storage: Convenient but Risky

2. Massive Data Breach Offers Lessons for ASCs and Physicians
