When hospitals get rid of outdated computers, it’s not just a matter of tossing them into a trash bin in the alley.
Federal patient privacy laws, such as HIPAA, or the Health Insurance Portability and Accountability Act of 1996, mean that hospitals must ensure that patient information is not leaked.
This year, Sharp HealthCare, which operates four hospitals here, will erase 2,000 hard drives using in-house labor and guidelines set forth by federal officials.
While most patient data at hospitals is stored on a central server, there is “definitely potential to download and save patient information onto hard drives,” said Denise Amemiya, director of the project management office at Sharp.
For this reason, hospitals either “wipe” the hard drives clean with a computer program that replaces all characters with zeros, or physically drill holes in or destroy the hard drive.
While Sharp and Alvarado Hospital Medical Center do this in-house, Scripps Health and Children’s Hospital give their hard drives to technology recycling companies that often then sell the equipment for a profit. These companies do not generally charge the hospitals to take away old equipment, officials said.
The hospitals are provided with a certificate of destruction. But Brooks Hoffman, co-owner and vice president of finance at Boston-based LifeSpan Technology Recycling, Inc., which has a sales office here, said hospitals should sporadically ask to test samplings of hard drives to ensure the data erasure companies are fulfilling their promises.
“It has to be done properly or else sometimes you are able to recover a treasure-trove of sensitive information,” Hoffman said.
Cleansing Themselves
The hospitals have been cleansing or destroying hard drives for nearly a decade, officials said. Formerly, most hospitals used “dumb” terminals, or those that didn’t have the ability to store such information.
Today, HIPAA law violations can mean fines of up to a couple of hundred thousand dollars and jail time, so Michael Kolb, manager of information systems at Alvarado Hospital, said he takes his job seriously.
“Patient safety as far as patient data is the highest priority of this department,” said Kolb, who added that he does not trust recycling companies. “Just because someone wrote down on a piece of paper that they destroyed this information doesn’t mean they did. So I prefer to keep this task under my control at this hospital.”
Unlike other hospitals, Alvarado keeps hard drives that have been wiped clean in a locked storage area, Kolb said.
“How do you prove the data is nonrecoverable?” he said, adding that the hard drives take up minimal space. “I don’t know of any way now, but I don’t want to be wrong down the road when some teenage hacker figures it out.”
Hoffman, whose company’s clientele is approximately 15 percent health care organizations, said he doesn’t see any reason to keep erased drives in storage.
“It may just mean that they are so concerned about privacy that they want to keep them,” Hoffman said. “But typically, you don’t keep hard drives unless you are going to use them for something else.”
A Money Saver
Local hospitals are saving a good deal of money by destroying the data in-house or employing one of the lower-cost or free recycling companies. Hoffman said the bill for health care organizations he serves can range from zero up to tens of thousands of dollars.
Bill Spooner, the chief information officer at Sharp HealthCare, said Sharp donates most of its old computers to churches, schools or other not-for-profits. Scripps does not, but will be looking at doing so in the coming months, said spokesman Don Stanziano.
Children’s Hospital does not donate any of its old equipment, said spokesman Tom Hanscom.
Recently, Sharp sent some of its old equipment to Louisiana to help in the Hurricane Katrina aftermath. It will go to libraries and schools.
But Paul Tobia, information technology security manager at Sharp, said patients can rest assured that their data is not being spread across the country.
“When a computer is retired, it goes back to our central warehouse, and is wiped clean,” he said, adding that afterward Sharp spot-checks hard drives to ensure the data has been erased. “We’re very careful.”