Inefficient data removal can be costly for healthcare data centers

January 25, 2019
Medicare Web

A survey of 600 data center experts across North America, Europe, and Asia-Pacific, conducted by Coleman Parkes for Blancco Technology Group, found that inefficient data removal and data sanitization processes are costing some organizations hundreds of thousands of dollars annually.

The data experts surveyed came from 600 organizations covering six vertical markets: healthcare, public sector, pharmaceutical, financial services, retail, and telecommunications.

In the healthcare sector specifically, HIPAA does not set a retention period for medical records; state law dictates how long medical records must be kept and when they may be destroyed. HIPAA does require covered entities (CEs) to apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for as long as the CE maintains them, including at disposal (45 CFR 164.530(c)). The Security Rule's device and media controls standard (45 CFR 164.310(d)) likewise requires CEs and any business associates that handle protected health information (PHI), including healthcare data centers, to have policies for the final disposition of electronic PHI and the hardware it lives on, and for removing it from media before re-use, which comes into play when upgrading to new hardware, discarding old hardware, or destroying old patient records.

HHS has stated that, depending on the circumstances, appropriate methods for removing electronic PHI (ePHI) from electronic media prior to reuse or disposal include clearing (overwriting the media with non-sensitive data using software or hardware tools) and purging (degaussing, or otherwise exposing the media to a strong magnetic field), following the terminology of NIST Special Publication 800-88. If the entity does not plan to reuse the device, HHS guidance recommends destroying the media outright, by disintegrating, pulverizing, melting, incinerating, or shredding it. A practical caveat: degaussing does nothing to flash-based storage such as SSDs, and overwriting an SSD may leave data in spare blocks the drive controller never exposes, so for those devices a firmware-level sanitize command or physical destruction is the defensible choice.

In data centers, this does not always happen. The survey found that two out of every five organizations that store data in-house spend more than $100,000 a year on old, unused hardware, either as onsite storage fees or as the cost of noncompliance, while the retained media continues to pose a security risk for as long as it holds recoverable data.

More than half of U.S. respondents to the survey reported that their organizations had been cited at least once by a regulatory body in the previous 24 months for failing to comply with state, federal, or international data protection laws.

Related Topics: 
HIM/HIPAA, HIPAA