A Lost Server: What Went Wrong?

December 5, 2014

Inventory Management, Data Disposal Practices in the Spotlight

By , November 14, 2014. Follow Marianne @HealthInfoSec

The loss of a server at an optical wear retail store in Maryland offers a reminder not only of the importance of encryption but also of the value of good inventory management and data disposal practices.

Visionworks Inc., a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., says the problems began when the server was being replaced in June during a remodeling project at its store in Annapolis, Md. “We believe that the server was accidentally removed with trash from recent renovations and taken to a local landfill” along with other materials, a Highmark spokesman tells Information Security Media Group.

The server held protected health information for as many as 75,000 of the store’s customers, according to a Visionworks statement. “All credit card information housed on the server was encrypted, and therefore should not be at risk,” the company says.

Besides the encrypted credit card data, however, the server also contained unencrypted data, including customer names and addresses and some information related to optometrist visits and lens prescriptions, the spokesman explains.

Server Security

While lost and stolen unencrypted computers and storage media, especially mobile devices, are the most common culprits in breaches that appear on HHS’ “wall of shame”, which lists breaches affecting 500 or more individuals, some security experts say the Visionworks server incident is somewhat unusual.

“It’s highly unlikely to lose a server since they typically don’t move around once they get ‘racked and stacked’ in a data center,” says Brian Evans, senior managing consultant at IBM Security Services.

Also, while encryption of all data contained on the lost server would have protected against a data breach, “it’s not commonplace in healthcare to encrypt servers for a variety of reasons,” he says. “Most organizations think they’re safe because their data is secure within a data center environment where access is physically restricted,” he says – unlike the retail setting where the Visionworks server was located.

“Visionworks could have benefitted from a formal media disposal and asset inventory process,” Evans says. “As a result, the server operating system could’ve been wiped or destroyed while tracking and accounting for this asset.”

Lessons Learned


All healthcare organizations should have policies that spell out how computing devices need to be handled if moved or relocated, says Tom Walsh, president of the independent security consultancy Tom Walsh Consulting.

He suggests that such a policy should state: “Any media, equipment, or device containing memory and possibly storing confidential information needs to be sanitized or erased before the media or equipment is reused, sent to a vendor for repair, sold, or prepared for donation or disposal.”

Additionally, he says relocation policies often prescribe that, “hard disk drives are removed from servers, workstations, laptops and other devices – including multifunction printers – and kept temporarily in a secure holding area, such as a locked office/cage/room/cabinet, until the hard drives are physically destroyed by the IT department staff or electronics recycling vendor. The inventory tracking database also needs to be updated when equipment is removed from service.”
