Why the Data-Wiping of End of Use Healthcare Equipment is So Important.
There are about 25,000 petabytes of healthcare data in the UK. At the Big Data end this information is used for predictive modelling, and at the lower end it is just a few bytes of information: a patient or a hospital name, for instance. Medical equipment used by a healthcare organisation will have data associated with it, gathered throughout its working life, about that item and the types of person that it has encountered. Organisations hold information on themselves, general data about procedures that have been carried out, and Patient Identifiable Data. Data can be held in paper format, and can also be contained within any item that has digital storage. The use of paper records has become less frequent; however, one must be mindful of this, as there can be paper records floating round somewhere.
The likelihood that data will be used unlawfully is extremely slim, but there is still a chance. So why is safeguarding personal data so important? Whatever size of organisation you have worked for, you are bound to have heard of the General Data Protection Regulation, or GDPR. Any organisation can be liable for any data breaches and face a potential penalty of up to £500,000 from the ICO. It has been widely regarded as a European law by many of those with whom I have spoken. However, each member of the EU had to sign their own copy of GDPR law and the United Kingdom’s is called the Data Protection Act 2018. All legislation indicates that it is vital to ensure that all data is adequately wiped before an asset changes hands between businesses, and it is the owners’ responsibility to make sure that this is carried out in full.
In my experience working for the largest medical device resale agent in the UK, I have heard about bio-medical equipment arriving on to site, where the hospital’s details were clearly visible on adhesive labels and Patient Identifiable Data was discovered on some of the items’ hard drives. On contacting the hospital in question, we were able to ascertain from a very concerned employee that the whole consignment had been data-wiped by another provider. This just serves to illustrate that it is essential to source a reputable data-wiping provider.
How to Delete Data Permanently
Before I even mention the various types of data wiping, the first thing that you should do is to make sure that you have the original operating system software, application software and all the associated licenses that accompany the item. This point is especially important if you want to be able to resell them and expect to recoup a decent proportion of your initial outlay. Any organisation that manages electrical assets of value should have all of this saved in a secure location and copies kept with the device. This is essential because data-wiping will require the device's hard drive to be partially or, more likely, totally wiped or removed, and the operating system reinstalled. The application software will also have to be reinstalled, which will require the license keys to activate it. However, you would be surprised how many large reputable organisations aren’t that organised! Experienced data-wiping providers who have handled a wide variety of different makes and models of medical equipment are more likely to have a back-up copy of the operating system and application software for that obscure piece of kit that you are expecting to be worth tens of thousands of pounds.
There are a variety of ways to eliminate data permanently and this depends on whether you want to reuse the media where the data is stored. Here are a few techniques to securely delete your data:
The slightly over-dramatic method of taking a drill to your mechanical hard disk is one of the most effective ways of stopping the retrieval of data from it, and it can be immensely cathartic as well. This is when making sure that you have that copy of the operating system handy is especially important, as you will have to install a new hard drive in the device, with the operating system and application software. Solid State Drives (SSDs) and optical media like DVDs and CDs should be destroyed physically, which usually involves a large shredder.
Data stored digitally is simply made up of 1's and 0's. Overwriting the data turns the sequence into regular or completely random sets of these, generally just a recurring sequence of 0's. This is the most common method of wiping data from a system, as it is the fastest and least destructive. However, this method is not the most secure if the data is only overwritten with a single-pass wipe. Most organisations that are wiping a large number of pieces of equipment will only carry out a minimal number of passes to save on time. So, make sure that you use a reputable organisation that carries out at least a three-pass overwrite; you can even request a seven-pass overwrite if you want complete peace of mind.
Data cleansing is not a one-size-fits-all process; it is recommended that you find an organisation that can employ all of the methods above to provide a bespoke solution to your project. Remember, do not be afraid to ask. All of the clinical engineers that I know are always more than happy to discuss at length the pros and cons of the various methods at their disposal, maybe sometimes a bit too happy!
As an organisation you should be able to provide an audit trail of devices that may contain data, and you should always make note of the serial number of the hard drive. Wherever data erasure takes place, in-house or by a third party, certification should be provided to prove that the data has been overwritten effectively and that hidden areas have been erased, together with a defects log and a list of areas that could not be overwritten. You will be provided at the end of the process with a ‘Certification of Sanitisation’ which presents a clear end to the audit trail. The loss of a hard disk from this audit trail could represent a clear data breach. It is thoroughly recommended that a data destruction specialist be employed who follows the applicable government standards such as HMG Infosec in the UK or the DOD standards in the USA. A good indication of whether a medical engineering and data-wiping provider is reputable is if they hold the BS EN ISO 13485 certification. This is the gold standard for clinical engineering services.
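An added example (not code from this article or from any provider it mentions): a three-pass overwrite followed by read-back verification, returning the kind of audit-trail entry described above, with the drive serial number and a list of areas that could not be verified. The pass scheme, block size, field names and the image file standing in for a drive are assumptions, and the serial number and patient record are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # write and verification granularity in bytes (assumed)
PASSES = (None, b"\xff", b"\x00")  # assumed scheme: random, ones, then zeros

def overwrite(path, passes=PASSES):
    """Overwrite every byte once per pass, forcing each pass out to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            for done in range(0, size, BLOCK):
                n = min(BLOCK, size - done)
                f.write(os.urandom(n) if fill is None else fill * n)
            f.flush()
            os.fsync(f.fileno())
    return size

def unverified_ranges(path, expect=b"\x00"):
    """Return merged (offset, length) ranges that do not hold the final pattern."""
    ranges, offset = [], 0
    with open(path, "rb") as f:
        while block := f.read(BLOCK):
            if block != expect * len(block):
                if ranges and sum(ranges[-1]) == offset:  # extends previous range
                    ranges[-1] = (ranges[-1][0], ranges[-1][1] + len(block))
                else:
                    ranges.append((offset, len(block)))
            offset += len(block)
    return ranges

def sanitisation_record(serial, path, passes=PASSES):
    """Wipe the image, verify it, and return one audit-trail entry for the drive."""
    size = overwrite(path, passes)
    bad = unverified_ranges(path, passes[-1])
    return {"drive_serial": serial, "bytes": size, "passes": len(passes),
            "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "unverified_ranges": bad, "verified": not bad}

def demo():  # constructed 64 KiB image holding a made-up patient record
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"NAME=Jane Example;WARD=7".ljust(64 * 1024, b"\x01"))
    try:
        return sanitisation_record("CONSTRUCTED-SN-0001", img.name)
    finally:
        os.remove(img.name)
if __name__ == "__main__":
    print(demo())
```

A non-empty `unverified_ranges` list is what a certificate would report as areas that could not be overwritten; an image file does not model a drive's hidden or remapped areas, which need the drive's own erase facilities.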
Items that are not electronic can be easily overlooked, as they may have labels on that can identify the previous owner, for example a label stating that it is the property of hospital trust X. It is not a legal requirement for such a label to be removed; however, most publicly funded healthcare organisations will not relish any possibility of a discussion with the media on why they are selling equipment that is still working. If you trawl through eBay you will be sure to find medical equipment that has hospital labels still attached to it. Build a relationship with your data-wiping supplier and make sure that you enquire whether they carry out this level of detail. The higher quality medical equipment auctioneers have in-house clinical engineering departments and they will understand the importance of removing any identifying labels.
A lot of handheld devices use fixed internal flash memory, which cannot be wiped without destroying the whole device. The revenue made from the sale of the item may not cover the cost of the data-wiping. It is very tempting to simply throw the item away at the end of its life; however, this would technically constitute a ‘data breach’ and reasonable measures would have to be taken by the healthcare organisation to let all parties know that their data may have been compromised. The item has to be cleansed of all data and a certificate issued, prior to disposal. To try to recoup some of the data-wiping costs, many organisations find it more cost effective to sell all items through a resale agent with sufficient clinical engineering capabilities.
Technological developments have rapidly moved towards the design of devices becoming more portable, which means the biggest threat to data is the theft of such a device. Mobile device management software controls all data across many devices and can ask a device to remove the data remotely. The data is rendered inaccessible on the device by overwriting or purging the data. Other systems will wipe out the software encryption keys, making the data impossible to decrypt. As discussed previously, these methods of overwriting data are not infallible; however, this provides an extremely effective first line of defence against theft, and offers peace of mind when handling large amounts of equipment.
Medical Equipment Leasing & Manufacture
Data protection is extremely important for manufacturers and distributors when moving on ex-demonstration stock, as well as for lease companies when medical equipment reaches the end of its lease cycle, as it will then either be moved to another lessee or sold. Return conditions on lease equipment generally include a clause stating that it is the customers’ responsibility to data-wipe all equipment prior to return, and to ensure that a valid data erasure certification is returned along with the item. Healthcare establishments have many administrative functions; however, organising data-wiping at the end of a lease agreement is quite often overlooked. It is therefore advisable for the lease company to arrange for this themselves or use an asset manager who has in-house data-wiping capabilities. In some countries, lease companies offer the customer the choice of adding an ‘IT Asset Disposition services and data wiping’ service into their lease contract. Lease items need regular maintenance to keep them operational as part of any lease agreement. The company that carries out these Planned Preventative Maintenance Contracts (PPMCs) is often skilled in the data-wiping of the electrical bio-medical devices that it services. The required data-wiping at the end of the lease term can be written into these PPMCs, and if this organisation is a medical equipment resale agent then you have a complete asset management solution for the item’s lifespan.