Another security risk: The copy machine
The biggest loophole in keeping patients’ medical and financial information secure could be that often-used computer that isn’t part of the practice management system or the electronic health record. It’s the photocopier.
A frightening CBS news report this April showed that anything copied, scanned, faxed, or e-mailed by a copy machine is retrievable. In the report, a CBS crew bought four used copiers and then used free software to download the tens of thousands of images stored on the copiers’ hard drives. One unlucky health insurance provider was among the four companies that had given up a machine at the end of its lease without even knowing the images were stored.
Photo by Photos.com
Stop to think about what the photocopier in your office might have seen in the last week—patient records, credit card numbers, Social Security numbers, bank account numbers, tax returns and credit card bills—and multiply that by the length of time you’ve had the copier. It’s enough to make you shudder.
Protecting this information is easier said than done, but here are some tips and options to consider in protecting yourself and your practice:
- First, establish whether the equipment saves digital images. Most but not all do. Newer models have corrected this problem, and Konica Minolta products do not save digital images.
- Include in your copier sales or lease agreement an “end of life” data scrub that erases and destroys the hard drive at the end of the contract. If you are in the middle of a contract, try to get an addendum. When negotiating a new lease, include a clause about wiping the hard drive before it leaves your office.
- Remove the hard drive, wipe it clean, and then dispose of it yourself.
- Read the owner’s manual for your equipment. Some models/manufacturers provide instructions or software to erase the drive.
- Hire an outside company to wipe the hard drive before you sell or return your copy machine.
- Be sure to ask before you buy/lease what your “overwrite” software options are. Some companies, such as Sharp and Xerox, offer this alternative.
- Find out if your machine is equipped with encryption or auto-erase features.
Whether you lease or own, and no matter what brand you’re using, it’s important to ask questions and take action before replacing your copiers or multifunction devices.
In response to the CBS news story, the Federal Trade Commission promised to address the issue with copier manufacturers and dealers, and referenced a previously issued guideline regarding the security and disposal of hard drives in general. For more information about keeping all electronic data secure, see ACP’s Health Information Privacy and Security Toolkit. For more information about HIPAA compliance, including security, privacy, and the HITECH Act, go to ACP’s compliance page.
Internist Archives Quick Links
Have questions about the new ABIM MOC Program?
One Click to Confidence - Free to members
ACP Smart Medicine is a new, online clinical decision support tool specifically for internal medicine. Get rapid point-of-care access to evidence-based clinical recommendations and guidelines. Plus, users can easily earn CME credit. Learn more