Article submitted by AGX Holdings
Patient Data Integrity. Medical Devices: General Data Protection Regulations (May 2018)
The new General Data Protection Regulations come into force in May 2018. This means that if data is not managed in an acceptable way, the Information Commissioner will be able to fine up to 5% of budget for the whole Trust.
NHS facilities go to great lengths to protect their data from network intrusions, hacking, viruses, and theft. However, many fail to protect against the disastrous consequences of data security breaches from media that they thought was deleted or erased, or did not know existed. Various Trusts have already been fined by the ICO over the loss of sensitive information; the maximum fine for Data Protection Act breaches is currently £500,000 and in future could reach £2,500,000.
Do you know which devices patient data is stored on?
In reality, any device held within the Trust that has a hard disc drive fitted has the capacity to store sensitive patient data and will be subject to the G.D.P.R. regulations. It is not always obvious that a device has a hard disc drive fitted: apart from the obvious equipment like computers, tablets or phones, there are many less obvious items that also have hard disc drives installed, such as operating theatre monitoring systems, CCTV recorders and even photocopiers.
The image below features a typical operating theatre with 8 separate machines, all using hard disc drives, that could all potentially and inadvertently fall foul of the new G.D.P.R. regulations.
Hard Disk Disposal
There are several hard disk disposal options available to Trusts, some more resilient than others. One option would be to wipe the drive and put the system online to sell it. This is dangerous because, in the hands of the right person, it is possible to recover data from second-hand hard drives. There are also IT hardware disposal companies that will collect the redundant equipment, refurbish it, wipe the drive using software and resell the device to the public. This is a perfectly acceptable solution provided nothing goes wrong at the third-party company. In other words, if the external organisation fails to deliver on its promise to your Trust, it is the Trust that will be fined significant sums of money, not the disposal company.
Another option is to have a company visit your premises and shred the drives for you. This again is an excellent option for securing data; however, the same problem remains that if this company fails to deliver, it is still the Trust that is fined, as the Trust is ultimately responsible for the data. This option may not be the most cost-effective method either, because the third-party company needs to cover the cost of setting up and delivering the service as well as making a margin.
What can the Trust do that does not rely on external organisations and also secures data in a cost-effective way?
The first thing to put in place is an audited process. The process should record the serial number of the drive, what has happened to it and who has performed the function of removing the data.
The second thing is to use a degausser. A degausser will permanently remove all data on the hard disk.
The third thing to ensure you have is a manufacturer-approved support contract in place for your degaussing equipment. This will protect you, as your process can be seen to be robust with every reasonable eventuality accounted for.
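The audited process described in the three steps above, as an added example that is not from the article or from AGX or Garner: a small Python ledger (its record format is assumed) that captures the drive serial number, what was done to it and who did it, and chains the entries with SHA-256 so that any later alteration of a record is detectable when the ledger is reviewed. It also assumes, as a caveat the article does not state, that magnetic degaussing is not accepted for flash-based SSDs.

```python
import hashlib
import json

# Disposal methods the article discusses.
DEGAUSS = "degaussed"
SHRED = "shredded"
# Assumption: degaussing only destroys magnetic media, so flash SSDs must be shredded.
METHODS_BY_MEDIA = {"hdd": {DEGAUSS, SHRED}, "ssd": {SHRED}}
GENESIS = "0" * 64  # chain anchor for the first record


def entry_hash(prev_hash, entry):
    """Hash the previous record's hash together with this record's fields."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def record_disposal(ledger, serial, media, action, operator, when):
    """Append one audited disposal record; refuses methods unsuited to the media."""
    if action not in METHODS_BY_MEDIA.get(media, set()):
        raise ValueError(f"{action} is not an accepted method for {media} {serial}")
    entry = {"serial": serial, "media": media, "action": action,
             "operator": operator, "when": when}
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({**entry, "prev": prev, "hash": entry_hash(prev, entry)})
    return ledger[-1]


def verify_ledger(ledger):
    """True only if every record still hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in ledger:
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, body):
            return False
        prev = rec["hash"]
    return True


def undisposed(inventory, ledger):
    """Serials from the asset inventory that have no disposal record yet."""
    done = {rec["serial"] for rec in ledger}
    return sorted(serial for serial, _media in inventory if serial not in done)


if __name__ == "__main__":
    # Constructed sample data: two drives from a theatre monitor and a CCTV recorder.
    inventory = [("WD-0001", "hdd"), ("ST-0002", "hdd"), ("SSD-0003", "ssd")]
    ledger = []
    record_disposal(ledger, "WD-0001", "hdd", DEGAUSS, "j.smith", "2018-03-01T09:00")
    record_disposal(ledger, "ST-0002", "hdd", SHRED, "j.smith", "2018-03-01T09:10")
    print("ledger intact:", verify_ledger(ledger), "still pending:", undisposed(inventory, ledger))
```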
What is a degausser?
A degausser is a machine that passes a large magnetic field across a hard disc drive. This completely obliterates any data on the hard disc drive and renders the drive impossible to read from or write to in the future. It is then only useful as a paperweight or, perhaps more seriously, as a resalable item from which to extract the precious metals. Pictured below is a degausser with an integrated auditing system.
The Garner degausser (pictured left) is currently used in other areas of commerce such as large data centres and major online retailers. Using degaussers ensures that none of their clients' data is compromised when hardware is upgraded or fails. Some health Trusts have already moved over to working this way because it provides data security under their own control and in a cost-effective way. Degaussing redundant data storage devices will protect your organisation.
Garner, an American company, are the industry leaders in data elimination products that deliver complete, permanent, and verifiable data elimination. Their products ensure your data is unrecoverable. They are supplied in the UK through AGX Holdings Ltd, who are also European service agents for Garner.
AGXUK supplier page: http://www.ebme.co.uk/services/42-agx-holdings-ltd-repair-services