Category Archives: Risk Mitigation

How Maxxum Helps Educational Institutions

May 5, 2017


With the 2016-17 school year winding down, many schools are now considering IT equipment refreshes for next year and beyond. As part of their planning effort, schools will be assessing the remarketing or residual value of their current equipment to determine the viability of leasing or purchasing new equipment.

As trusted advisors to schools, colleges, universities and corporations, Maxxum helps these institutions assess the value and best disposition path for their IT assets. Maxxum’s remarketing programs are an effective way to mitigate data security risk, liquidate equipment, and actually gain a return before equipment becomes a liability due to obsolescence, disposal or recycling costs. We purchase all leading brands and types of IT equipment including tablets, laptops, desktops, networking gear, etc.

Maxxum has an easy process and makes it as simple as possible for school districts and institutions. Maxxum provides a full range of services to support any individual requirements. Our MaxxumSafe web portal makes asset tracking and record keeping transparent and simple. Maxxum also sells schools new and used equipment.

Throughout Maxxum’s history, and through our recent acquisition of Trace TM, we have worked with many clients in the education sector, providing data sanitization and remarketing services. Maxxum’s clientele has spanned the Twin Cities metro area, including public school systems in Edina, Fridley, Monticello and Owatonna, and Bethel College, Augsburg College, College of St. Scholastica and Capella University.

One of the advantages of working with Maxxum is that we are local. With two facilities in the Twin Cities, we’re able to get to know and meet with our school partners and prospects to understand their needs and requirements. Questions we ask our education partners include:

  • How do they value their equipment?
  • Why are they turning over their current equipment?
  • What are the financial considerations?
  • What is the greater purpose of remarketing the equipment?
  • What are their expectations for disposition?
  • What does the timing look like for their equipment refreshes?
  • Have they explored secure and compliant data destruction?

The more information Maxxum has, the more resourceful an advisor we can be. Maxxum wishes all education institutions a great last few weeks of the current school year and congratulates you on another successful year. Maxxum encourages you to reach out to us if you have any questions at all about your IT equipment.

Maxxum Helps Mitigate Risk When Disposing Medical Equipment

March 27, 2017


How Maxxum Helps You Mitigate Risk When Disposing Medical Equipment

“The dirty little secret is that most (medical) manufacturers did not anticipate the cybersecurity risks when they were designing them a decade ago, so this is just scratching the surface really.”

That statement is a sobering reality for the medical profession. It’s from a CNBC interview with Kevin Fu, who directs the University of Michigan’s Archimedes Center for Medical Device Security. “There is no [impervious] device; pretty much every device that has a computer in it is breakable,” Fu told CNBC’s “On the Money.”

In this day and age almost all medical devices contain some type of information that is susceptible to thieves, not only when they’re active, but even after the devices are taken off-network. The truth is, data lingers even when equipment is done being used and a hospital or doctor’s office thinks they’ve removed all of the information.

So how can Maxxum help mitigate risk in the medical device industry? Here’s a great example of a recent success story: Maxxum was provided with a pocket-sized, battery-operated device for measuring lung volume (a spirometer). It was thought to be “clean” but Maxxum’s forensic process uncovered 2,200 unique patient records that included patient name, birthdate, sex, test dates, test results and more.
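The spirometer story comes down to one mechanism: on most devices, "deleting" data only drops the directory entry that points at it, while the bytes stay on the medium until something overwrites them. The following is an added example (not Maxxum's code or process, and not the firmware of any real device) that models that behaviour on a hypothetical flash device, shows a raw scan recovering records the directory no longer lists, and then performs and verifies a whole-medium overwrite in the spirit of NIST SP 800-88. The record format and patient names are constructed sample data.

```python
"""Added example: why a device that looks "clean" can still hold records,
and how to verify sanitization instead of trusting deletion.

Model of a hypothetical device's flash storage: a directory table of
(name -> offset, length) plus a raw data area. Deleting a file removes
only the directory entry; the data bytes remain until overwritten.
"""
import os
import re

BLOCK = 64               # assumed allocation unit of the hypothetical device
CAPACITY = 64 * BLOCK    # 4 KiB medium is enough to show the effect

# Constructed sample records in a made-up fixed-text format (no real PHI).
SAMPLE_RECORDS = [
    b"PATIENT=Jane Example|DOB=1970-04-12|SEX=F|TEST=2016-11-02|FVC=3.21\n",
    b"PATIENT=John Sample|DOB=1958-09-30|SEX=M|TEST=2016-11-02|FVC=4.05\n",
]
# Signature a forensic carver would use: ignores the directory entirely.
RECORD_RE = re.compile(rb"PATIENT=[^|\n]+\|DOB=\d{4}-\d{2}-\d{2}\|[^\n]*")


class FlashDevice:
    """Minimal storage model: directory table plus raw data area."""

    def __init__(self):
        self.raw = bytearray(CAPACITY)
        self.directory = {}        # name -> (offset, length)
        self._next_free = 0

    def write_file(self, name, data):
        off = self._next_free
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        # Advance to the next block boundary (ceiling division).
        self._next_free = off + (-(-len(data) // BLOCK)) * BLOCK
        return off

    def delete_file(self, name):
        """Ordinary delete: drop the directory entry only; bytes stay put."""
        del self.directory[name]

    def listed_files(self):
        """What the device's own menu would show after a 'clear'."""
        return sorted(self.directory)

    def carve_records(self):
        """Forensic view: scan the raw medium, not the directory."""
        return [m.group(0) for m in RECORD_RE.finditer(bytes(self.raw))]

    def sanitize(self, passes=1):
        """Overwrite the entire medium (random pass(es), then zero-fill).

        The point is coverage: every byte of the device, not just blocks
        the directory currently lists as allocated."""
        for _ in range(passes):
            self.raw[:] = os.urandom(CAPACITY)
        self.raw[:] = bytes(CAPACITY)
        self.directory.clear()
        self._next_free = 0

    def verify_sanitized(self):
        """Independent check: no carvable records and no non-zero byte left.

        A disposal vendor's certificate should rest on a check like this,
        not on the directory listing being empty."""
        return not self.carve_records() and not any(self.raw)


def demo():
    """Returns (looked_clean, records_recovered, verified_after_sanitize)."""
    dev = FlashDevice()
    for i, rec in enumerate(SAMPLE_RECORDS):
        dev.write_file(f"test{i}.dat", rec)
    for name in dev.listed_files():
        dev.delete_file(name)              # what the owner's "clear" did
    looked_clean = dev.listed_files() == []
    recovered = len(dev.carve_records())   # what a raw scan still finds
    dev.sanitize()
    return looked_clean, recovered, dev.verify_sanitized()


if __name__ == "__main__":
    print(demo())
```

Running it prints `(True, 2, True)`: the directory is empty after the delete, yet both records are carved straight out of the raw bytes, and only the full overwrite leaves a medium that passes verification. On real hardware the overwrite step would be the drive's own sanitize command or physical destruction, and on flash with wear levelling a host-side overwrite may not reach every physical block, which is exactly why the verification step matters more than the erase step.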

The success of your business is contingent on the integrity of your intellectual property. Maxxum has extensive experience removing all traces of information from technology assets before they go downstream. We protect your sensitive information and ensure compliance with all regulatory requirements, indemnifying you from liability.

Maxxum works with a variety of companies to ensure that their medical devices have had all traces of information and data removed before downstream destruction of equipment is completed.

Maxxum is your partner in risk mitigation. We’re with you through the entire lifecycle of your computers, electronics and all technology, providing valuable support and guidance during acquisition, disposal, and during any custody change.

Learn more on how Maxxum can help you alleviate that risk.

4 Questions to Ask Your Technology Disposal Company

November 3, 2015


When you’re ready to dispose of your old technology assets, do so with the support and guidance of people whose job it is to stay on top of the ever-evolving regulatory and security requirements: a certified compliant and dependable technology disposal company.

4 Things You Need to Know About Your Technology Disposal Company

We’ve outlined a few questions to ask your technology disposal company:

1. Are they certified for data destruction and environmental compliance?

With so many stories about data breaches and information leaks dominating the news over the last few years, most organizations are a little spooked about how they’re disposing of their used technology assets.

You may be vulnerable to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and your customers. Financial penalties can be quite harsh, and a tarnished reputation can have long-term ramifications.

Environmental compliance laws have become far more strict over the last decade, and getting hit with environmental penalties is a bad “look” for any organization. Now more than ever, it’s important to vet a technology asset disposal company to ensure they have industry certifications for both security and environmental compliance.

2. Do they understand the resale market?

Your technology asset disposal company should know the resale market inside and out in order for your organization to get the best return on the equipment it’s retiring.

PCs, laptops, and servers that are less than three to four years old retain value, even if they’re no longer of use to your company. If you’re ready to dispose of your technology assets, why not recover that value? Remarketing your technology assets is an opportunity to recoup some of the initial investment or cover some or all of the disposal costs.

Your technology asset disposal company should understand price trends on the resale market and help your organization plan ahead and determine when your assets will turn from revenue generators to cost creators. They should help you plan to refresh your technology cycles to ensure that you get the optimum value on your old equipment.

3. How do they document data destruction and disposal?

Find out from any potential provider how they document their full process. There are too many points along the way during the disposal process where a mistake made by your provider could leave your organization liable.

Disposing of data can have security, financial, and software asset management implications. Proper documentation can shield your company from financial and legal penalties. You should be provided with a Certificate of Data Destruction and a detailed inventory report, as well as a report to show the environmental impact that your responsible recycling is having.

4. Can they serve all of your locations?

Technology asset disposal can be a pretty complicated matter. From drive sanitization to environmental compliance, there are numerous reasons to rely on a proven and trusted technology disposal company.

Don’t forget to ask about logistics. Your vendor has to have experience that allows them to serve all of your sites and the logistical capability to properly handle all of your assets.

If you have multiple locations, make sure you hire a disposal company that can handle your work load and that understands the different regulations that might be in play in each of your locations.

 

5 Best Practices for Technology Asset Disposal

October 1, 2015


If you’re a little wary about the best way to manage technology asset disposal these days, you’re not alone. While security breaches have been featured in some of the biggest headlines over the last few years, the number of companies that have been hit with criminal and civil penalties, as well as executive fines and even incarceration, is alarming.

As technology continues to advance at a high rate, disposing of technology equipment has become a more involved process. Smart organizations are finding qualified, trusted technology asset disposal companies to manage it.

Technology Asset Disposal – the Right Way

Here are five best practices any Technology Asset Disposal company should provide for their clients:

1. Data Destruction

You might be finished with your storage drive, but that doesn’t mean that the data is gone. You may be vulnerable to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and your customers. Demand certified drive sanitization or destruction.

2. Equipment Remarketing

Technology assets (such as PCs, laptops, and servers) that are less than three to four years old have resale value. A disposal company should work to recoup that value on your behalf through a variety of remarketing channels. Re-selling, selling to employees or donating to schools or foundations are all ways to get value back from your old technology.

3. Equipment Recycling

A Certificate of Electronic Equipment Destruction (CEED) should be provided for all recycled technology assets. Having documentation that demonstrates or certifies that your company took the proper steps can save you from penalties down the line.

4. Compliance Reporting

Detailed documentation makes it easy to prove compliance with all laws and regulations. With so many regulations and standards in play (HIPAA, PCI DSS, SOX, FCC and FDA rules, etc.) and so many government agencies tasked with oversight, an asset disposal company needs to provide a detailed audit trail to prove compliance.

5. Policy and Program Development

If your company is not sure how to start developing a compliant technology asset disposal program, you are not alone. A strong and reliable technology asset disposal company should be your guide through the process.

6 Reasons to Properly Dispose of Technology

September 23, 2015


We’ve said this before, and we’ll keep saying it: just because used technology gets unplugged and leaves your building, that doesn’t mean the data on it dies. While ensuring that your data doesn’t end up in the wrong hands is reason enough to make sure you dispose of technology properly, it’s far from the only reason.

Look around your office. If it’s like most, it probably looks a lot different than it did five years ago. Computers, phones, copiers and just about everything else associated with office work has changed dramatically. And, they’re going to keep changing.

Technology is advancing faster than just about anybody can manage. With everyone constantly upgrading to the latest, “next best thing,” it raises the question, “what’s happening to all of the old stuff?”

There are Several Good Reasons to Dispose of Technology

Here are six reasons to do so, and all of them can affect your company’s bottom line and reputation.

  1. Criminal Penalties

As the world around us continues to demand faster and more complete access to information (and the technology behind it), the disposal of used technology is now policed far more closely.

Depending on your industry, the laws and standards that govern how you dispose of technology can include one or more of the following: HIPAA (healthcare), EPA regulations (environmental), FDA (pharmaceuticals and medical devices), FCC (broadcast and phone providers), PCI DSS (credit card data), Sarbanes-Oxley (financial services), Gramm-Leach-Bliley (banking), PII (personally identifiable information) protection laws and FACTA (credit reports).

The repercussions of criminal penalties go without saying and can impact each of the remaining reasons we list.

  2. Executive Fines and Incarceration

With information being such a high value commodity in this technological age, punishments are now catching up to the heft of the crime. Companies are now tasked with responsibly disposing of their used technology. Cavalier behavior with information can now lead to huge fines and even jail time depending on the case.

  3. Civil Penalties

Civil penalties are fines imposed by government agencies as restitution for wrongdoing. Check any business page or television news broadcast and it won’t take you long to realize that both State and Federal agencies are recognizing the growing exposure related to information security. Fines can add up quickly and not only damage your company’s bottom line, but your reputation as well. 

  4. Litigation Costs

One of the misconceptions with technology disposal is that all liability for data is transferred once technology exits. Too often that’s not the reality, and it’s the reason many companies are blindsided by cases even when they believed that things had been done correctly. Nobody wants litigation because that can get expensive very quickly.

  5. Diminished Stock Prices

Perception is almost as powerful as reality when it comes to the value of stocks. Any of the above can lead to a negative perception of your company, whether it’s founded or not. If the perception of your company is diminished, your company’s stock will be as well.

  6. Public Relations Fallout

The old adage that any publicity is good publicity doesn’t hold true here. Your company’s reputation is damaged if any of the above events occur. As technology becomes increasingly integrated into our daily business and private lives, data security is more important than it’s ever been. Understand your responsibility and ensure that old technology is disposed of properly. Your reputation depends on it.

Refreshing Your Tech? Know Your Risk

September 15, 2015


Is your company refreshing its technology assets? In this day and age of data theft, it’s important for you and your company to know that your data doesn’t die simply because it’s unplugged and leaves the building. Cyber-attacks and data breach stories are grabbing too many headlines lately, and if you’re not worried about how you’re disposing of your used technology assets – you should be.

Pop culture has grabbed on and glorified cyber hacking and stolen data with television shows like CSI: Cyber and this summer’s smash cable hit, Mr. Robot.

Data thieves are the modern-day pickpockets, but they don’t need to get close to you. They can steal your information from a laptop in their living room, or by harvesting data you thought was erased by purchasing computers once used by your business.

So we’ll ask again, is your company refreshing its technology assets? Maxxum is here to help. Fill out our quick risk-assessment form that’s designed to help you understand your organization’s potential risk as it relates to technology disposal and asset disposal.

When completed, you will be provided with a score and a recommendation. Maxxum is in the business of maintaining privacy and protecting your information. You can be certain that information collected for this risk assessment will remain confidential and will not be shared with anyone outside our company.



Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.


Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That’s why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.
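The safe harbor only helps if you can show, before a laptop goes missing, that the volume holding ePHI was actually encrypted. The following is an added example, not part of the article above and not Maxxum’s tooling, of one way to check that on a Linux host: it walks the block-device tree printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (a real util-linux command) and flags every mounted filesystem whose device chain contains no dm-crypt/LUKS layer. The JSON below is a constructed sample of that output for a laptop with an encrypted root, a plaintext data partition and an unencrypted USB drive; the `IGNORED_MOUNTS` set and the function names are this example’s own.

```python
"""Added example: find mounted filesystems with no block-layer encryption.

Reads the JSON tree produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
A mountpoint counts as encrypted only if some ancestor device in its chain
has type "crypt" (a dm-crypt/LUKS mapping).
"""
import json
import subprocess

# Constructed sample of lsblk -J output (not captured from a real host).
SAMPLE_LSBLK = json.loads(r"""
{"blockdevices": [
  {"name":"nvme0n1","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"nvme0n1p1","type":"part","fstype":"vfat","mountpoint":"/boot/efi"},
    {"name":"nvme0n1p2","type":"part","fstype":"crypto_LUKS","mountpoint":null,
     "children":[
      {"name":"cryptroot","type":"crypt","fstype":"ext4","mountpoint":"/"}]},
    {"name":"nvme0n1p3","type":"part","fstype":"ext4","mountpoint":"/data"}]},
  {"name":"sdb","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"sdb1","type":"part","fstype":"exfat","mountpoint":"/media/usb"}]}
]}""")

# Mounts expected to be plaintext and not to hold user data (assumption
# made for this example; adjust to the host's layout).
IGNORED_MOUNTS = {"/boot", "/boot/efi", "[SWAP]"}


def _walk(node, chain):
    """Yield (mountpoint, chain-of-devices) for every mounted node."""
    chain = chain + [node]
    if node.get("mountpoint"):
        yield node["mountpoint"], chain
    for child in node.get("children", []):
        yield from _walk(child, chain)


def unencrypted_mounts(lsblk_json, ignored=IGNORED_MOUNTS):
    """Return [(mountpoint, device)] for mounts with no 'crypt' ancestor."""
    findings = []
    for top in lsblk_json["blockdevices"]:
        for mountpoint, chain in _walk(top, []):
            if mountpoint in ignored:
                continue
            if not any(n.get("type") == "crypt" for n in chain):
                findings.append((mountpoint, chain[-1]["name"]))
    return findings


def scan_live_host():
    """Run lsblk on this machine and return its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    for mountpoint, dev in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED {mountpoint} on {dev}")
```

On the sample tree this reports `/data` on `nvme0n1p3` and `/media/usb` on `sdb1`, while `/` passes because `cryptroot` sits in its chain. The check is block-layer only: file-level schemes such as fscrypt or eCryptfs do not show up as a `crypt` device, and a LUKS volume whose key is stored next to it is encrypted in name only, so treat a clean result as necessary evidence for the safe-harbor argument, not sufficient.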

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

Read full article…

It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015


Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.

Go to original article…