“This is the best insurance policy I could ever buy.”
Coming from a senior executive in one of the world’s largest managed health care organizations, that is high praise for Hitachi Data Systems and its partner, Revert Inc. Together, they delivered a highly scalable, reliable solution for the disposition of hard drives and other storage media that has insulated the customer from risk and saved millions of dollars in the process.
Protected Health Information (PHI) is inarguably the most sensitive, scrutinized and secured of all information in the digital age. From doctor’s office files to insurance company databases, the checks and balances associated with protecting that information are, in a word, rigorous. The Health Insurance Portability and Privacy Act of 1996 (HIPAA), which has been revised and strengthened over the years, is the foundation of this rigor.
This has not always been the case. When it comes to large-scale storage of PHI and other sensitive data, the differences between today’s security practices and those of just 10 years ago are simply night and day. Case in point: like virtually all other large consumers of enterprise storage, one leading health insurance provider used to permit its storage vendors to simply swap a new hard disk drive (HDD) for one that failed and walk off with the problem HDD in hand. It was common practice.
In the context of a broad assessment of its information security practices, this organization made the bold, and potentially costly, policy decision to retain and destroy all failed HDDs and other storage media. The mandate was clear: from now on no storage media will ever leave the secure confines of our data centers, period.
For an organization with hundreds of thousands of spinning HDDs, this was a courageous decision. Security was paramount, but what to do with the thousands of failed drives that would be piling up year after year?
Working with their primary storage vendor, Hitachi Data Systems (now part of Hitachi Vantara), the company asked for a proposal to shred some 5,000 HDDs per year. The cost would have been substantial, in the tens of thousands of dollars. But that cost was trivial compared to the cost of not returning those drives to the vendor intact, a cost that would run into the millions of dollars!
Fortunately, HDS had a partner in Revert Inc. whose stock-in-trade is securely eradicating HDDs on-site to the U.S. DOD 5220.22-M ECE standard so that – cleansed of data to the bit level – they could be safely returned to the service depot, thereby avoiding a cost per device exceeding $500. The economics were compelling.
The chief IT decision maker for the health insurer said simply: “This is the best insurance policy I could ever buy.” That was not only because of the cost-to-value ratio of the service, but because the comprehensive documentation provided at service completion insulated the organization from substantial risk.
Since then the insurance policy has only gotten better. With the introduction of newer storage technologies such as solid state disks (SSDs) and Hitachi Accelerated Flash (HAF) Flash Module Drives (FMDs), the cost-benefit has dramatically improved. FMDs, for example, can cost $15,000 or more if not returned. Fortunately, Revert and HDS co-developed an eradication methodology, processes and procedures for FMDs and their unique properties. Revert is HDS’ only certified co-provider in the secure disposition of these devices.
To put it all in perspective, the ROI on “saving” just 100 HDDs from the shredder can easily approach 10 times. Customers can enjoy a similar ROI with fewer than 10 FMDs.
As an alternative, some companies may choose to purchase a “disk retention option.” Essentially, this means that on the purchase of a large storage system they “pre-pay” for the disk drives or other storage devices that are expected to fail over the life of the maintenance contract. Similar economics apply, however, because they are simply paying in advance for the disk drives that will fail. Moreover, they are then faced with the additional cost of shredding and properly disposing of the drive remnants. It will always be more cost-effective to perform drive eradication.
The bottom line: while everyone knows that managing information security is a mandate that all modern organizations share these days, almost regardless of cost, it is good to know that when it comes to failed storage devices, security and cost-savings can go hand in hand.