What businesses, and even hospitals, don’t realize is that every time they scan, copy, or fax, all that information is stored on media that’s tremendously easy to access.
The more that we use technology to try and improve and simplify the workflow and efficiency in our office, the easier it gets for identity thieves and corporate spies to gather intelligence and personal information from our customers, employees, and business partners.
The implications are huge, and can cost millions. Just ask Affinity Health Plan, which had to pay $1.2 million because it did not properly remove or destroy the hard drives in its copy machines before returning them to the leasing company.
This article will help you determine where sensitive information is stored on various electronic devices, and how to make sure that your electronics are properly handled and all sensitive information is destroyed so your company isn’t vulnerable to a data breach like Affinity was.
Before we dig into the details, take a look at this video from cbsnews.com that uncovered potential data breaches, which included the eventual discovery of Affinity Health Plan’s serious data breach:
Where Is Information Stored on the Machines in Your Business?
Every scanner, printer, and fax machine has to have a way to store information before it transmits it. Even a $20 printer will have a copy of the information you send to it somewhere in the machine, either temporarily or permanently. Larger machines that have multiple functions for offices usually have a hard drive to ensure that all the information hundreds of employees send to it is processed quickly and efficiently.
As you saw in the CBS report above, that information may stick around longer than you might think- and it will store everything you send to it. That’s why it’s so important to make sure you have an electronic media and product disposal plan.
Here’s a list from Data Breach Today of some of the types of media and devices that could (and probably do) store personal or critical company information:
- Biomedical devices such as physiologic monitors, infusion pumps, ventilators, MRI, CT, and diagnostic ultrasound and laboratory analyzers
- Mobile devices such as cell phones, smart phones, PDAs, tablets and laptops
- Legacy magnetic media like floppy drives, zip disks and magnetic tapes
- PC hard drives
- Optical media, including CDs and DVDs
- USB removable media such as pen drives, thumb drives, flash drives and sticks
- Memory cards, including SD, SDHC, MMC, compact flash, microdrive and memory sticks
- Embedded flash on boards and devices, including motherboards and peripheral cards such as network adapters or any other adapter containing non-volatile flash memory
- RAM and ROM-based storage devices.
Before you ask it, yes, almost all the office equipment you use every day uses and stores information on one of these devices- and if you don’t set it up to delete periodically, or make sure you dispose of those storage devices properly before you sell or return your equipment, you might end up on CBS News.
Make sure that you remove any media from any equipment you are planning to decommission- if you’re not sure how, most industrial size printers will provide that information in the user’s manual that should have been provided with the equipment, or they will have it posted on their website.
Let’s get a little more specific and talk about fax machines in particular. There is the risk of digital information being stored on fax machines, but what about all the older thermal fax machines that everyone used?
It turns out that not removing the thermal film from your fax machine could be just as problematic as not removing electronic media from digital equipment.
Thermal fax machines take the information you need to fax and place it on film to transmit it.
If you don’t remove it, you could be exposing information you thought was secure without even knowing it. Take this example from a story posted by CBS4 in Denver titled Secrets Lurk Inside Your Fax Machine:
“…since many people put [fax machines] in the trash or donate them to thrift stores or charities with the film rolls still inside, they are giving identity thieves easy access to their deepest secrets.
Miller demonstrated the problem for CBS4. He randomly selected two thermal fax machines manufactured by Panasonic that had recently been turned over to Metech.
When he opened up one and looked through the rolls of film, we found a Broomfield family’s name and address, medical lab tests that had been sent or received, the mother’s faxed order for Playtex bras, her prescription order for Vicodin along with the family’s social security numbers, names and addresses.”
These are just random machines; this company gets fax machines from businesses as well as individuals. It’s a good thing that they take this thermal film to be securely shredded and destroyed. If you just donate your fax machine without removing the thermal film, you might not be as lucky.
Hospitals are vulnerable too- and not just on older machines
Now we come to one of the more concerning pieces of information we found about accessing systems that really mean life or death- medical equipment that’s located in health care facilities throughout the country.
There’s always a risk of information being left on storage devices in fax machines, copy machines, and other electronic devices- but hospitals have a lot more vulnerabilities than these traditional machines.
In the article It’s Insanely Easy to Hack Hospital Equipment, information security expert Scott Erven found holes in the security for dozens of medical systems and equipment.
Here’s a list of the issues covered in that article that relate to medical information and HIPAA violations for hundreds of hospitals in Erven’s network:
- Unencrypted communication between medical devices allows an intruder to collect data passing from medical devices to patient records, and then replay it so that the same data is passed into other records.
- X-Rays and other imaging are backed up on centralized units that are completely unprotected- you can log into the back door and grab all the images.
- Embedded web services that allow devices to communicate with one another and feed digital data directly to patient medical records allow unauthenticated or unencrypted communication between the devices, so someone is able to alter the info that is fed into medical records, which could cause doctors to misdiagnose or get prescriptions wrong.
This type of security issue can be related to weak (or non-existent) passwords throughout the entire network, along with other ways to breach the systems and equipment. The liability for HIPAA violations and privacy issues is enough to put any hospital security expert on the edge of their chair.
Steps your business can take to help prevent a potential data breach
So what can your company do to help avoid a potential data breach?
- Make sure you’re up to speed on how identity thieves and corporate spies are obtaining PPI or corporate documents. Subscribe to a data breach notification service, and incorporate any information you find into your data destruction and product destruction plans.
- Set policies and procedures that account for the proper disposal of any electronic media. Include detailed instructions on how to remove or erase information on each piece of equipment.
- Limit who can access and remove any electronic media from the equipment you’re decommissioning.
- Once you remove this media, make sure the data is completely destroyed.
We understand that these steps can be difficult to implement- but we can help you with that. Our network of hardware and data destruction experts will step in and help ensure your data is completely obliterated and your electronic hardware is decommissioned properly.
Do you need electronic media destruction services? Shred Nations Can Help!
Shred Nations offers hard drive destruction, electronic media destruction services, and proper electronics recycling to ensure all the data on the electronic equipment you’re retiring is completely unrecoverable. Our network of contractors allows us to come to your location if you need to ensure a proper chain of custody, or the ability to have you ship your drives to a secure facility to be destroyed.
You are provided a certificate of destruction that details when and where the hard drive was destroyed, and then pieces are separated into component parts and recycled.
To get started, fill out the form to the right, or give us a call at (800) 747-3365 to get free quotes on your project in minutes!