In the age of Big Media, it’s easy for some to say, “Paper is dead! Everything is digital now!” Well, not quite. Even as we get further and further into the digital age, not everyone (or everything) has gone paperless. While the majority of our information and data has gone digital, there are very literal paper trails linking our identities to our private information. From medical records and birth certificates to mailed credit card offers and business contracts, there is a plethora of paper documents out in the world that hold some of our most private and confidential information. It is for this reason in particular that we at SEM stress that any end-of-life paper documents containing sensitive or confidential information should be destroyed securely. Join us as we break down some of the methods that should be avoided.
Cutting and/or Shredding by Hand
As satisfying as ripping up physical spam mail can be, making it your primary shredding method is not recommended. While this method may be enough for mail or documents not containing private, confidential, or personally identifying information (PII), it will not ensure that the information cannot be pieced back together. Unfortunately, when media or data of any nature is not destroyed with high security end-of-life destruction equipment, there is always a risk that some of the data may be recovered. Take for instance the DARPA Shredder Challenge where people competed to reassemble shred particles, or our previous blog, A History of Data Destruction.
Recycling and/or Throwing Away
While we support the green initiative in wanting to recycle your end-of-life confidential paper documents, unfortunately this cannot always be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are typically gold mines for hackers and thieves. In addition, recycling and waste are not transported securely, making it easy for people to intercept and have access to your most sensitive and confidential information.
It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Given that length of time, anything can happen! It is important to note that after this period, remnants of your information are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will unfortunately only put your data at more risk.
It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying paper documents, it is best practice to use a paper shredder. By adopting a shredding policy, companies and organizations can take preventative measures to ensure that end-of-life confidential information does not fall into the wrong hands.
That’s why at SEM, we want you to future-proof the destruction of your most sensitive and confidential data with one of our high security paper shredders, the SEM Model 344. The Model 344 offers an even more secure shred size that we like to call P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!). This compact, portable, energy-saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.
By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.
It’s quite ironic that in the digital age, there is still so much paper being used.
True, more and more organizations have “gone paperless,” whether it’s eStatements from your bank or the option for emailed receipts from retailers. And when you think about it, when was the last time you received a paper gift certificate, or flipped through a White Pages book to find someone’s contact information? (It’s probably been a while.)
Yet, there is still a plethora of paper out there, and even more so containing sensitive or otherwise private information. From mailed credit card offers and office correspondence, to business contracts, building blueprints and legal documentation. Medical records, birth certificates and social security cards are all printed on paper, as are government passports, all of which will likely not be issued in digital-only formats anytime soon. Even engineering plans for nuclear missiles are first presented on paper.
Our society operates with a literal paper trail that can be traced throughout our everyday transactions, which means we must take steps to ensure the protection of any personal, private and/or sensitive information that’s contained within it.
Why It’s Crucial to Properly Dispose of Paper with Sensitive Data
Whether federal or personal, most types of paper documentation include what the government calls CUI, or, Controlled Unclassified Information. PII (Personally Identifiable Information) is one example of CUI on the consumer level. Unclassified government data such as those marked For Official Use Only (FOUO) or Sensitive But Unclassified (SBU) are considered CUI, as is any and all unclassified information throughout the Executive branch that requires safeguarding and dissemination control. CUI also covers nearly all government agencies as it relates to information for critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax and transportation documentation.
When documents containing CUI face end-of-life and need to be disposed of, it’s therefore critical to take the proper destruction measures for both the data and the media, to render the sensitive information unreadable, indecipherable and irrecoverable by any means.
For paper containing government-related CUI, the data destruction must follow NIST SP 800-88 standards. NIST SP 800-88 stipulates a 1mm x 5mm or less final particle size for paper media (this is the same standard required by the NSA for classified information that’s reached end-of-life). This includes PII contained in a government document.
And although PII contained in non-government documentation does not require the same data destruction standards, it should still be treated with the same care and precision. If the documentation is to be shredded, the paper should be cross-cut—not strip-cut. Remember the Iran hostage crisis of 1979? (You know the one, when 52 American diplomats and citizens at the US Embassy in Tehran were held hostage for over a year by Iranian supporters of the Iranian Revolution.) During the hostage crisis, the Iranian hostage-takers gathered the strip-cut remains of shredded US intelligence reports and operational accounts and spent years painstakingly—and successfully—putting the shredded pieces back together. The sensitive data contained in the documents was made decipherable and readable, posing a major threat to the US government and our society.
To ensure something like that does not happen to any of your documentation with sensitive data that reaches end-of-life, you should follow DIN Standard 66399 for data destruction. DIN Standard 66399, in this case Material Classification P, refers to information presented in its original size, such as on paper. Within this DIN Standard, there are further levels of security ranging from P-1 (ideal for data carriers with general data) to P-7 (for data carriers with top secret information and the strictest security standards). Level P-4 is recommended for most non-government PII covered under HIPAA, FACTA, FISMA, PIPEDA, SOX and even GDPR regulations. Under P-4 standards, the maximum cross-cut particle surface area is 160mm² with a maximum strip width of 6mm, or 6mm x 25mm or less final particle size. Shredded data at this size can only be reproduced using equipment that is not readily available commercially. Therefore, the P-4 shredding standard is safe to use for non-government-related documentation, such as those containing PII.
A Note on Data Destruction Machines
Paper documentation containing CUI that’s reached its end-of-life should either be incinerated or shredded with the correct destruction machinery. Be sure to look for signage or other indicators on the machine to inform you of whether it has been approved for CUI destruction. These machines should also be listed under the NSA/CSS 02-01- EPL for classified paper destruction.
All of SEM’s high-security shredders meet the NSA/CSS mandate. SEM also offers several cross-cut paper shredders for Unclassified paper destruction which meet the DIN Standard 66399 Level P-4. These machines are suitable for commercial, non-government paper shredding or Unclassified non-Executive branch shredding.
In today’s digital age, the majority of data is stored electronically in internet-based cloud software. Whether for convenience or accessibility, or due to physical hardware storage limitations, using a cloud to store data has become a norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.
Moreover, the size and even financial power of an organization doesn’t necessarily equate to better and more secure methods of privacy protection for data stored in its cloud. Recent data breaches at large data centers like Experian, Facebook, and Target have proven that the proper protection of private and otherwise sensitive information is paramount, especially when stored electronically.
For healthcare providers, professionals, and clearinghouses (hereafter referred to as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.
HIPAA Regulations & Best Practices for Data Disposal
If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI data or dispose of it using a public container like a dumpster that can be accessed by unauthorized personnel. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise cannot be reconstructed. In order to fully destroy this data, certain steps must be followed.
The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c).
This Rule holds especially true with the disposal of PHI and requires the covered entity to not only destroy the electronic PHI (ePHI) and the hardware or electronic media it is stored on, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse.
In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard process, covered entities must also train their workforce members on the disposal policies and procedures they have established, and must enforce these policies. See 45 CFR 164.310(d)(2)(i).
It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.
In the case of ePHI, whether on hardware or in an internet cloud system, proper HIPAA disposal methods include clearing the data by overwriting the media with non-sensitive information using software or hardware, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also opt to maintain a secure area for PHI disposal and/or you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.
Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.
Penalties for Noncompliance
In tandem with the Department of Justice, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for the administration and enforcement of the HIPAA Security and Privacy Rules for the disposal of PHI.
Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.
If found guilty or in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (and not exceeding $1,500,000 per calendar year for multiple violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected during a 30-day period from the date in which the violation occurred; if the Department of Justice has imposed a criminal penalty; or, if the OCR chooses to reduce the penalty due to reasonable cause in the covered entity’s failure to comply, in that the penalty would be excessive given the nature and extent of the noncompliance.
In addition, criminal prosecution, in the form of a fine of $50,000 and up to one year of imprisonment, can be mandated for a person who knowingly obtains or discloses PHI and ePHI, which can occur as a result of improper disposal of the PHI. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.
One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information.
The HIPAA law applies to anyone that has visited any health care facility, basically everyone. Before the law was enacted, the fates of our medical records were left in the hands of the health care professionals. Some disposed of them properly but some just threw them into the dumpster. As with our old credit card statements and other mail or personal information, once they are thrown in the dumpster they are community property and anyone can have access to them.
Your Health Information Is Protected By Federal Law
Most of the population believes that medical and health information is private and should be protected, and want to know who has access to this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.
How Our Information Is Treated and Disposed Of
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.
Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.
Destruction of media is the ultimate form of sanitization. After media is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.
If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.
Disintegration, incineration, pulverization, and melting: these sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. End-of-life data destruction machines can also be purchased to destroy the material on site.
Shredding: paper shredders can be used to destroy paper and in some models, flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.
Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), Blu-ray Discs (BDs) and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.
Enforcement and Penalties for Noncompliance
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews.
The OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.
Civil Money Penalties
OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
Criminal Penalties
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
HIPAA covers a broad area of responsibilities. We are all involved in this, as we all have our personal records out of our personal control and as such are subject to having our personal information compromised. To understand HIPAA is to understand the relationship between the importance of our PHI and our health care providers and the realization that somebody could potentially obtain our information if the proper safeguards are not adhered to. HIPAA sets these guidelines to protect everybody.