
Maxxum Inc. Invigorated Under Rich Woodward’s Leadership

May 21, 2018

Maxxum is on the Fast Track

Maxxum, Inc., an IT asset disposition and data destruction company, continues to grow.
Rich Woodward, CEO and owner of Maxxum is back at the helm after a couple of
attempts at assigning leadership to outsiders. “I realized that our culture and strong
team approach does not need a new leadership figure. I eliminated the president role,
set the tone and direction for our team and then got out of the way. The response has
been nothing but astounding.”

Maxxum has a strong leadership team consisting of Controller Mike D’Jock, Director of
Operations Larry Hovseth, and Woodward. This team works closely with the sales team
and client services group. Twenty-five-plus-year client services veteran, Stacey
Sheffield, leads the client services group. The sales team has combined industry
experience of over 65 years. Bruce Janovec handles most of the equipment purchases,
Steve Joyce and Brian Sturdevant handle equipment remarketing, and Brandon Rooney
is responsible for ecommerce sales. This team leadership and team selling approach
resulted in an increase of 92% in the 4th quarter of 2017 and 102% already in the fast
start to 2018.

Woodward’s Mantra has been Consistent

How we will be successful in our new environment:

  • Communicate & close communication loop(s)
  • Collaborate
  • Improve our processes & models
  • Decision making that is immediate and at the front line
  • Empower TEAM—because I trust and care about them

    “It has been rewarding to see the results, as well as the team having some fun. Growth
    has its challenges, but the team is working together to move us forward.”

    If you would like more information on Maxxum, our services, equipment purchases or
    remarketing, please contact Brian Sturdevant at 651-674-2715 or visit Maxxum’s Website.

    IT Asset Disposition Vendors Should Be Risk Mitigation Partners

    August 18, 2017

    Risk mitigation is the biggest driver of IT asset disposition. For most companies there is a myriad of concerns including compliance issues, control of assets, process considerations and financial considerations, to name a few. The biggest concern of all is a data breach that can be very expensive no matter how you define it. According to the Ponemon Institute, the average cost of a data breach in the US is $217 per record, and $6.53 million per incident. The largest cost of a breach is loss of business. Other losses may include damaged brands, loss of trade secrets, personnel records, financial information, etc.

    Risk management, compliance and security are all vital aspects of IT asset disposition as well. There are many regulations to consider, including HIPAA, HITECH and PCI. Environmental regulations also come into play with electronics, which contain highly toxic heavy metals such as cadmium, lead and mercury. Corporate compliance or sustainability groups, in particular, will want to ensure that the equipment is handled properly and does not go to a landfill. The last thing your company needs is bad press when it is discovered that your equipment is involved in an EPA cleanup operation.

    Risk assessment will likely play a role in any IT asset disposition, and the smart play for almost any company is to err on the side of well-informed caution. Anyone who pays attention to the business section of their newspaper or favorite website is aware of the rising number of companies being hit with fines for sloppy disposition. And those businesses get off easy compared with those who suffer the multiple ramifications of a data breach: loss of information, reputation and business. There are too many examples of companies that suffered huge damages without ever knowing they were doing anything wrong, or that took the least expensive path instead of designing asset management practices, disposition processes and training appropriate to their company’s needs and financial considerations.

    Cyber security initiatives and budgets often obscure the importance of IT asset destruction best practices. It’s also hard for any company to keep up with the latest regulatory “do’s and don’ts”. Your ITAD partner should help you sort through your risk assessment questions:

    • How are assets moved and managed?
    • Is device encryption before shipping to an ITAD vendor sufficient, or does data erasure need to be done before devices are shipped?
    • Is onsite destruction of hard drives a necessity?
    • What is the chain of custody?
    • How is IT equipment to be stored prior to going to the ITAD vendor?
    • What are the logistics of moving the equipment?

    When disposing of old IT assets, risk should be weighed against practicality, compliance considerations, organizational competency, and financial considerations amongst other things. Allowing your ITAD partner to remarket equipment can lower costs and maybe even pay off your disposition costs. You usually get what you pay for and IT asset destruction should not be the place where you cut corners. Working with a vendor like Maxxum will assure that your entire IT asset disposition is done in the most strategic manner possible.

    Maxxum Inc. Celebrates its 20th Anniversary

    April 18, 2017

    Minneapolis and St. Paul, MN (April, 2017)—Maxxum Inc., an IT asset management and data destruction firm based in the Twin Cities, is celebrating 20 years in business. In conjunction with this milestone, Maxxum also announced its MAXXUMIZE Strategic Growth Initiative last week, incorporating a new organizational structure.

    Celebrating 20 Years of Business

    Maxxum was founded as an IT equipment remarketing firm, but clients began asking for additional services, including data destruction and disposition of end-of-life IT assets. A new business was born that grew rapidly. It is now Maxxum’s only business.

    Over the last 20 years, Maxxum has been protecting the confidential information of healthcare providers, financial service firms, educational institutions, government agencies, non-profits and private sector businesses.  The company has grown to be one of the largest independently owned and operated risk mitigation and IT asset destruction companies.  Maxxum maintains a blue-chip client base that it serves in the Twin Cities metro area, around the state, regionally, nationally and internationally.

    “Risk mitigation on behalf of our clients is the cornerstone of our business.  It guides all that we do as a company,” said Rich Woodward, Maxxum CEO.  “We believe that our extensive experience combined with our National Association for Information Destruction (NAID) AAA Certified® qualifications and local accessibility offers organizations a superior solution for secure, reliable, compliant and price-competitive risk mitigation services.”

    Maxxumize Strategic Growth Initiative

    The MAXXUMIZE Strategic Growth Initiative is designed to support profitable growth, greater operational efficiency, and improved collaboration across the enterprise.  “We will focus our actions to support our organic growth and the integration of our recent acquisition of Trace Technology Management,” said Woodward.

    “While this is a milestone event, Maxxum is still driven by an entrepreneurial spirit which has enabled us to constantly challenge ourselves and the way we do business,” Woodward added.  “Our MAXXUMIZE Strategic Growth Initiative brings focus to these efforts and prepares us well for growth and the next evolution of the company.”

    About Maxxum: Maxxum is a well-regarded, long-established presence in the IT asset management and remarketing space both in Minnesota and nationally.  As a risk mitigation partner for leading companies around the country, particularly those in highly regulated industries, Maxxum is known for its extensive technical expertise, regulatory knowledge, multi-industry specialization and enduring client relations.

    NAID Wraps Up another Successful Annual Conference

    April 12, 2017

    NAID CEO Bob Johnson was catching his breath and a little blown away at the great turnout for the association’s annual conference, which took place in Las Vegas from March 22-24.

    “I’m still trying to get my head around the fact that after 23 years NAID conference attendance records are still being set,” Johnson said, referencing the nearly 900 industry professionals who turned out for the 2017 version of the event.

    “If I had to guess, I would say it’s the combination of a more stable marketplace, increasing recognition of NAID Certification by customers, especially in the area of electronic data destruction, and growing interest in the medical waste management industry,” said Johnson.

    Maxxum works closely with many healthcare organizations to help them ensure they’re compliant when their equipment, and the data stored on the equipment, has reached its end of life.

    Organizations are often surprised to learn which devices in their enterprise store HIPAA protected information. In addition to computers, healthcare organizations need to consider the number of medical devices that store electronic protected health information (ePHI). Often, the number and type of ePHI capable devices may not even be known to the organization. For example, who would expect that a pocket-sized, battery-operated device for measuring lung volume (a spirometer) could store thousands of unique patient records that include patient name, birthdate, sex, test dates, test results, and more? Maxxum’s forensic discovery process uncovered that for a client.

    Maxxum offers ePHI assessment and sanitization services that begin with a thorough audit of data bearing equipment. We then help you develop risk mitigation strategies and practices to eliminate your risk of HIPAA violations due to PHI breaches rooted in equipment handling and management.

    Maxxum is proud to be AAA Certified by the National Association for Information Destruction (NAID), the third party watchdog of our industry.

    The NAID Certification Program establishes standards for secure data and equipment destruction processes. These include:

    • Operational security
    • Employee hiring and screening
    • The destruction process
    • Responsible disposal
    • Insurance

    Why is NAID certification important?

    Working with a NAID AAA Certified company offers peace of mind. It means you’re working with a qualified and reputable data destruction partner who satisfies all of their information destruction regulatory requirements.

    Working with NAID Certified companies indemnifies clients against any legal liability related to compliance with information destruction laws and regulations. Maxxum is proud to be AAA Certified with NAID.

    Maxxum, Inc Announces MAXXUMIZE Strategic Growth Initiative

    April 7, 2017

    Minneapolis and St. Paul, MN (April, 2017)—Maxxum Inc., an IT asset management and data destruction firm based in the Twin Cities, today announced its MAXXUMIZE Strategic Growth Initiative incorporating a new organizational structure along with the promotion of a current employee to a newly created Director of Operations position.

    Maxxumize Strategic Growth Initiative

    The MAXXUMIZE Strategic Growth Initiative is designed to support profitable growth, greater operational efficiency, and improved collaboration across the enterprise.  “We will focus our actions to support our organic growth and the integration of our recent acquisition of Trace Technology Management,” said Rich Woodward, Maxxum CEO. “We are increasing the customer focus of our organization by streamlining it for greater agility and speed.”

    The company is also moving its rapidly growing IT equipment remarketing business to its St. Louis Park facility.  “Space constraints along with the opportunity to operate this as a standalone business and in a more entrepreneurial manner were our motivations,” said Tom Pritzker, Maxxum President.  “We expect to better manage and more quickly turn inventory because we will operate without some of the constraints imposed by the processes and security requirements of our data destruction business that dominates our Rush City Facility.  This separation of operations offers us the best of both worlds,” said Pritzker.

    Larry Hovseth Promoted to Director of Operations

    As part of this strategic initiative, Maxxum promoted Larry Hovseth to Director of Operations.  For the past three years, Hovseth held the role of Manager of Technology Services where he was responsible for data destruction processes, on-site services, compliance and Maxxum’s IT function, among other initiatives.

    In his new role, Hovseth will oversee the entire operations team and be responsible for all processing operations in both Rush City and St. Louis Park.  “The MAXXUMIZE Strategic Growth Initiative is designed to support our profitable growth, greater operational efficiency, and improved collaboration,” said Pritzker.  “Larry is the point person to make sure this happens in our operations in a timely manner.  He is one of our best thinkers and knows our business well.”

    Prior to joining Maxxum, Hovseth was with Imation in a variety of roles.

    About Maxxum: Maxxum is a well-regarded, long-established presence in the IT asset management and remarketing space both in Minnesota and nationally.  As a risk mitigation partner for leading companies around the country, particularly those in highly regulated industries, Maxxum is known for its extensive technical expertise, regulatory knowledge, multi-industry specialization and enduring client relations.

    Feds Get Forward-Looking IT Procurement Advice

    May 6, 2015

    By John K. Higgins – E-Commerce Times – ECT News Network
    May 1, 2015 9:23 AM PT

    The old cliché about the difficulty of turning an aircraft carrier around applies to changing the way government deals with investing in information technology, according to two recent reports.

    Federal agencies need to change course in handling IT spending quickly, particularly in reversing the inertia behind longstanding conflicts between chief information officers and chief financial officers over the procurement of IT resources, according to Research Director Shawn McCarthy, who authored the IDC Government Insights report.

    Government IT managers need to loosen their longstanding attachment to unproductive legacy systems and focus on the advantages of newer technologies — especially the cloud and mobile platforms, suggested Research Director Rick Howard, author of the Gartner report.

    From Confrontation to Collaboration

    Despite past conflicts between finance and IT staffs, federal IT spending has been robust — although it should remain largely flat, at about US$78 billion per year for the next few years. However, budgetary demands to do more with less almost certainly will create tension between the CIO and the CFO.

    “When it comes to where information technology money should be spent, the goals and motivations of a CFO can differ from those of a CIO,” McCarthy said.

    With the tightening of government budgets, the role of the CFO has expanded, he noted. The CFO now has a central role in determining how the taxpayers’ money is spent. However, that can — and often does — lead to clashes with the IT staff, who have in-depth expertise on utilizing technology.

    In the future, collaboration between the two will be required in the productive acquisition and deployment of IT, McCarthy said.

    To reconcile the differences between IT staffs and financial managers, federal government departments and major agencies should continue the trend to “consolidate multiple, lower-level CIO offices into a single, more powerful agency-wide CIO,” McCarthy suggested.

    That would lead to a more focused and coherent approach to IT management. The process also would simplify collaboration between the CIO and CFO by reducing or even eliminating diffuse communication between multiple low-level IT staff members and the CFO.

    Another major factor for improving collaboration is for each side to recognize the sea change in IT management that has resulted from the maturing cloud and shared service environment.

    IT managers, especially the CIO, must jettison the idea that the IT department has control of IT equipment, facilities and programs, and is the sole owner, provider and guardian of those assets.

    Especially in the procurement function, where CIOs and CFOs are most likely to tangle, managers need to “move IT procurement away from systems purchasing and management and toward IT services management,” McCarthy said.

    This approach is based on a realization that IT departments don’t have to own and operate IT resources to be effective. Instead, IT departments need to act as internal advisors and facilitators to provide guidance to agencies in how best to utilize available technologies to meet agency goals and citizen requirements.

    Sometimes that might involve actual on-site resources, but increasingly it will involve the IT staff acting as an expert intermediary to match agency needs with appropriate capabilities, such as private sector cloud providers.

    Similarly, CFOs must shed any behavior in which they purport to “know it all” when it comes to cost-effective IT. They may have a good knowledge of IT costs from their own exploration of vendor offerings and price points and from reviewing budget data.

    However, they most likely don’t know it all in terms of what is effective in the application of IT resources. That expertise resides, and still should reside, with the CIO staff.

    “Often the IT team doesn’t understand the agency’s budgeting process, while the finance team doesn’t understand the agency’s IT systems,” McCarthy said.

    A good starting point for collaboration is for both departments to buy into the process of jointly developing a business approach for deploying IT resources, McCarthy suggested. CFOs who seek to logically influence IT planning should require the development of strong business plans to justify new IT expenditures. The objective of the process is for both teams to agree on the purpose for which the IT spending is required, and then to work out the procurement approach to implementing the plan.

    “The business-focused collaboration that is needed today includes protecting the interests of each other and supporting the business needs of the other. The discussion should not be about fixing failures, it should be about how technology can be leveraged to meet the organization’s strategic objectives,” McCarthy said.

    The CFO can be instrumental in establishing a business context.

    “Often the IT people are reluctant to give up control, so it’s the CFO who becomes the driver here to introduce budget realities and ask, for example, about what older machines are costing us money,” McCarthy told the E-Commerce Times.

    The CFO can directly or indirectly begin the consideration about using newer technologies, he said, by “initiating the conversation on what alternatives are available.”

    Slipping the Yoke of Legacy Systems

    IT managers should establish an innovation budget to formally facilitate digital experimentation and to build strong working relationships with other digital leaders, within and outside an agency, recommends the Gartner report.

    As with military planning, IT managers need to be wary of making investments designed to win the last war while failing to anticipate the conditions of the next one, it suggests.

    “There is a risk that circumstances such as deferred infrastructure investments are forcing government CIOs to ‘renovate the core’ of IT at the expense of deploying new user-centric systems and services, such as CRM, industry-specific applications and enterprise applications, all of which rank low on the priority list,” Howard noted.

    The next challenge is to achieve full exploitation of both cloud technology and mobile platforms, he said, noting that the cloud has matured to the point that it should be the first option of any potential IT investment.

    “Gartner believes that IT vendors are moving fast in the direction of cloud-based service models, and government agencies are becoming more comfortable with cloud-based solutions for reasons of subscription pricing and increased business agility,” Howard wrote in the report.

    “We recently predicted that by 2015, 50 percent of all new independent software vendors will be pure SaaS providers. This trend will challenge traditional procurement practices and expose government procurement channels to a more diverse array of small and midsize businesses than has been the case in the past,” he pointed out.

    “Government CIOs should begin with the default assumption that a public cloud option will be selected when re-engineering current business processes or designing new mobile services that are augmented by context-aware interactions,” Howard advised.

    In principle, every new investment or service, on every dimension — including infrastructure — should “incorporate the most advanced position,” rather than rely on what has worked in the past, he added.

    “With cost, value and security as top considerations, the most advanced position available to government CIOs is delivering services on public cloud, unless there is a reason not to,” Howard said.

    So too with the mobile world, which has moved from an interesting IT option to a nearly essential requirement. The Gartner study makes the following recommendations for government IT managers:

    • Make mobile the foundation of your digital government channel strategy;
    • Increase mobile access to more business applications;
    • Focus on mobile user experience design and the effectiveness of end-to-end processes involving a device and its context;
    • Build a “Have we maximized contextualization opportunities?” step into all planning.

    One major objective is to make sure that the value proposition of any investment fully recognizes the benefits of advanced technologies.

    “The challenge is less about developing adequate cost-benefit and return-on-investment tools for IT investments and more about the discipline required to apply them consistently when measuring project performance or benefits realization,” Howard told the E-Commerce Times.

    Standard methods, including ROI, key performance indicators and similar tools, are still workable. However, the changing landscape of technology also introduces modifications in value analysis.

    For example, by using digital and mobile technologies, an agency could significantly improve the number of online queries it could handle from citizens. That improvement is a transactional benefit with a measurable cost — and benefit.

    On the other hand, the value of improved technologies that lead to more accurate government weather reports through improved analytics is not easily captured in conventional budget terms but is still significant.

    “In the digital/mobile age,” said Howard, “both are integral to creating measurable value.”

    Recycle Your E-Waste

    April 22, 2015

    Electronic waste, or “e-waste,” is a term used to describe any electronic device that is outdated, obsolete, broken, donated, discarded, or at the end of its useful life. This includes cell phones, computers, laptops, PDAs, monitors, televisions, printers, scanners, and any other electrical device.

    With the rapid expansion of technology, combined with the relatively short shelf life of many present day electronic devices, more and more e-waste is generated each year. Often, these discarded devices end up in landfills or are incinerated, which can cause major environmental problems in our communities.

    Many of the materials found in electronic devices are extremely hazardous. These include lead, mercury, and cadmium. When these electronics end up in landfills, many of these chemicals leach into the soil during rainfall or are released into the atmosphere when burned. These chemicals can have dangerous impacts on the health of plants and animals and when inhaled can lead to serious respiratory problems. Fortunately, the simple solution to limiting the dangerous effects of careless e-waste disposal is safe and responsible recycling.

    Each year, the United States alone produces up to 50 million tons of e-waste. Of this, only 20-25% is recycled safely and responsibly. The other 75% ends up in landfills. As a direct consequence, hazardous materials found in this waste routinely contaminate our air and water supplies. By safely and responsibly recycling your e-waste, you can help protect your community and the ecosystem from these dangerous chemicals.

    Get Your Green on At Work: Earth Day

    April 17, 2015

    by Vanessa L. Goddard, April 13th, 2015

    Celebrate Earth Day (April 22) year-round with these green workplace ideas. A few of these changes may only be able to be implemented one day a year. Others might be things you can work up to doing once a month, or even eventually once a week. There may even be a few suggestions on this list you can start now and make a lifelong practice of your business or workplaces.

    Saving Energy

    We’ve all seen the energy efficient light bulbs at the store. If you’re not using them, you should be. states that, if every American replaced one regular bulb with an Energy Star efficient bulb, greenhouse gas emissions would be reduced by 9 billion pounds – the equivalent of emissions from 800,000 cars! So, this Earth Day, try making the switch to compact fluorescent (CFL) bulbs where feasible in the workplace.

    Better still, turn stuff off at the end of the day. Then, unplug it. This goes for computers, coffee makers, fax machines, copiers, and any other electronics you have around the office. Not only will this save electricity – it can save big bucks. You can make this easier by investing in power strips so you can save money and the environment with the flip of a switch.

    For workspaces with windows, implement some lights-out time during the sunniest part of the day. Natural sunlight will not only reduce your power bill and save electricity; opening those blinds and soaking in the Sun’s Vitamin D will also raise your employees’ spirits.

    Experiment with changing the thermostat by one degree (up or down depending upon the season) to conserve energy.

    Saving The Environment

    For this Earth Day, have your employees work together to use less energy for their commute to work. For those who live close by, walking and biking are great ways to save energy, reduce greenhouse gas emissions, and get a little exercise to boot. If you offer telecommuting, make that option available this Earth Day. Have your employees organize a carpool or take public transportation that day. You might find you can adopt this practice for more than simply one day a year.

    If your office hasn’t made the switch to recycling, start a new habit on April 22nd. If you’ve already transitioned to recycle bins, take the next step in your recycling program by switching to recycled paper products, like copy paper and towels. If your whole office can’t make the switch but you recycle at home, commit to saving your own cans, cardboard boxes, and glass bottles to take home for the recycle bin.

    Other habits you can start this Earth Day to make a difference include refilling your water bottle for a week or bringing re-usable water bottles and coffee mugs to work. Pack your lunch one day a week. Not only will you cut down on waste such as Styrofoam take-out packaging and plastic flatware, you’ll save a little coin too. Some folks are bringing personal hand towels to work to cut down on paper waste. There are fast-drying towels on the market now which are sized perfectly for purses or bags. Can you go paperless for a day? How about using both sides of the paper for one day? Start little, but think big.

    Go Green – Literally

    Add plants to your workspace. Folks, there is no down side to this suggestion. Plants are an inexpensive way to beautify the workplace, keep the air clean, and lower stress. Plants generate fresh oxygen and soak up a lot of bad stuff you didn’t even realize you’re breathing. NASA compiled a list of plants that are the best at removing toxins from the air – things like formaldehyde and benzene – that may be found in furniture, dry cleaning, inks, cleaners, plastics, detergents, etc. So, consider adding these beauties to your workplace:

    • Aloe Vera: It needs a sunny spot, but it also removes toxins and is good for cuts and burns.
    • Spider plant: This plant is hard to kill – a prime choice for the black thumb who loves plants.
    • Peace lily: These lovelies can grow with just indoor light and once-a-week watering.
    • English ivy: You should look up what this removes from the air.  You’ll thank me. I plan to buy 10.
    • Bamboo palm: This plant thrives in the shade and can live in water if you choose to do it that way.

    I recommend you check out NASA’s complete list to find the plants perfect for your office space. So, this Earth Day, April 22nd, go do something green.  It’s easier than you think. If you have any suggestions for going green at the office, I’d love to hear your views.

    It’s Earth Month!

    April 1, 2015

    Today is the beginning of Earth Month!

    Yes, I said that right, Earth Month. Although some people only recognize Earth Day, on April 22nd, we want to encourage everyone to celebrate our Earth every day. We understand that a lot of people don’t know what they can or should recycle, how they can reduce or reuse items they’d otherwise throw away, or the human and environmental health risks certain items cause when they are not properly disposed of. We are here to help make the world a better place and show that you can help too. Join us in making Earth Day/Month part of your everyday lives, because here at Maxxum, every day is an Earth Day. Let’s celebrate!

    Keep checking back with us to see how we’re changing the world and how you can help.

    It’s Time to Re-Examine Risk Management

    March 30, 2015

    Attacks Against Anthem, Others Are a Call to Action

    By Bob Chaput, March 27, 2015

    Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

    To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

    In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

    Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

    Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

    The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

    Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Private Industry Notification and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

    The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach raises the question: What were the “experts” really doing?

    Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Encryption at rest is only part of the answer, though: it does little against an attacker who logs in with valid stolen credentials, because the application decrypts the data for any authorized user, so controls such as multi-factor authentication, monitoring of privileged access and limits on bulk queries matter just as much. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

    The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

    The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

    If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

    Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.
