Created by The Personal Computer Museum in Brantford, Ontario Canada, October 15, 2018 is National Clean Your Virtual Desktop Day. This nationally recognized day is of importance to professionals working in healthcare, as it affords us a reminder to follow HIPAA regulations.
HIPAA includes the Minimum Necessary Requirement, a part of the Privacy Rule, which enforces that Protected Health Information (PHI) should not be used or disclosed when not necessary for a particular job function. A key aspect that healthcare professionals also need to adhere is the requirement to remove that use or access if the PHI is no longer needed.
Cleaning your ‘virtual desktop’ is a great step in keeping compliance. Take a few minutes to critically evaluate the PHI you might have, or access to PHI you might have, and determine if it’s no longer needed or applies.
The less data you use, access or retain, the smaller overall risk footprint your facility or healthcare entity carries. Lowering risk is a win for everyone at your place of employment, especially your compliance and privacy offices!
There are a number of slightly hidden crevices in your computer where data is stored: the Recycle Bin, the Downloads folder, AppData folders where files are cached, My Documents folders, and more. Each of these areas has the potential to stockpile data, while often not immediately obvious to the user.
Be sure to know and follow any potential policies regarding data retention. Certain regulations may require keeping data or access logs or disclosure records for specified time frames. These caveats might pertain more to system administrators or information technology teams, but it’s always best to ask before destroying data.
When destroying data, it’s also important to follow guidelines on proper methods to ensure the data cannot be recovered successfully. This is similar to shredding physical documents, but when dealing with digital data the process is a bit more complex. Simply deleting data may not ensure secure deletion, and there is a substantial difference between the two.
Secure deletion is the process of overwriting the data, multiple times, with replacement 1s, 0s and random characters intentionally to prevent recovery. Deletion, however, is simply ear-marking the data on the drive as free space, to make room for new data when needed. Recovering regularly deleted data can be trivially easy, unfortunately, so it’s important to understand what methods are required before deletion.
In short, take a few moments to look at your data and your access, and consider what could be pared down or removed. Once you identify access or data that can be purged, follow your employer’s policies or procedures for destruction and logging, if applicable. And be sure to understand the proper methods for appropriate data destruction to meet requirements and standards.