Data protection in the healthcare sector must surely be a top priority, especially considering the huge amount of sensitive personal data that is being processed on a daily basis. It certainly needs stricter procedures, controls and guidelines on privacy. As such, compliance with the POPIA is crucial.
By Wale Arewa, CEO of Xperien
This sector is one of the most regulated sectors when it comes to data protection, but it is also amongst the world’s highest affected by data breaches. Healthcare institutions are often prime targets for cyber-attacks due to the extremely sensitive and valuable data they collect and store.
Most healthcare systems are now cloud-based and the patient data is often shared amongst GPs, hospitals and pharmacies. However, the outdated systems offer cybercriminals and data thieves many opportunities.
According to an IBM report, examining the financial impact of data breaches, healthcare companies continued to incur the highest average breach costs at $7,13-million. Based on in-depth analysis of data breaches experienced by over 500 organisations worldwide, 80 percent of these incidents resulted in the exposure of customers’ personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses studied.
Data access
Healthcare institutions have lost track of all the devices that are accessing their networks and more importantly, which staff are accessing confidential information. They urgently need to secure their data, both internally and externally, to ensure their data is not compromised or that they fall prey to a data breach.
In nearly every business, employees have access to data that they shouldn’t have. This makes businesses vulnerable to data breaches, especially with cybercrime on the rise and companies of all sizes being targeted. But whose responsibility is it to know which staff are privy to the most confidential digital assets.
Many of these organisations focus on protecting their networks from outside threats, but they don’t realise that even the data that resides on personal devices could result in a data breach. They also don’t understand that it’s possible to recover the data from damaged hard drives, broken phones, credit card machines and even memory cards.
Abandoned hardware is by far the biggest cause of data breaches and the haphazard approach to IT Asset Disposition (ITAD) is costing companies millions of rands. Most IT managers don’t have a clue what hardware they own or where the old redundant devices have been stored.
POPIA
Data at end-of-life is a massive challenge for most companies, especially with uncontrolled data growth that has resulted in new corporate policies for data storage and retention. Disposing of old computer equipment used to be a mindless process, but those methods of the past are no longer an option with the introduction of new laws and regulations like POPIA.
The days of piling it up in storage or simply selling it off to staff or second-hand retailers or even dumping it in a landfill, are over. New corporate policies for data storage will be required, especially with heaps of hard drives and Solid-State Drives lying around storage rooms and data centres. Most of these drives contain sensitive data which needs to be protected or permanently removed – or it could be put the company at risk.
IT Asset Disposal (ITAD)
With modern companies constantly acquiring new technologies, there is a corresponding and often overlooked increase in retired IT assets. These outdated PCs, laptops, monitors and other IT equipment tend to quietly pile up in storerooms.
Scrapping storeroom bound computers without proper consideration for data protection processes and regulations, or the proper elimination of data, could be disastrous for any company.
IT asset managers need to practice due diligence and ensure their storerooms go through the expected data erasure techniques essential to protect company data. Asset disposition presents unique challenges and potential costs that companies seldom consider, it must be done professionally. Also, disposing of this equipment in a haphazard manner, through auctions or staff sales, is risky.
Many healthcare companies dispose of decommissioned hardware by shredding it to ensure stored data is irretrievable. This is done largely to comply with data protection mandates such as POPIA and GDPR. Shredding is mostly used due to a lack of understanding of other alternatives and a lack of understanding about the environmental impact of physical destruction.
Physical destruction of IT assets could do more harm than good. Sustainability has become a major focus in many industries across the globe, especially in the tech space. This has given rise to the circular economy, a concept for those businesses seeking to transform their practices towards a more sustainable one.
The traditional linear model, where raw materials are mined, products are produced and scrapped at the end-of-life, has proven to be unsustainable as the global population grows and we consume more products.
Circular economy initiatives help businesses keep IT assets in use for longer, extracting the maximum value from those electronics while in use. They can then recover and regenerate products and materials at the end of their useful life.
In short, it’s about optimising resources and minimising waste. The circular economy is a new way of doing things and actually offers real business and savings opportunities for those businesses that successfully adopt this strategy.