How to Securely Remove Data from Lab Instruments

When disposing of old electronic lab equipment, how can you be sure all sensitive data has been securely removed?

Melanie J. Haga

Lab managers have a lot to worry about—budgets, deadlines, safety, accuracy, conflicts—the list goes on and on. Being responsible for an entire team is daunting, so your lab equipment should not have to be another concern, especially once you have disposed of it.

Unfortunately, it is a concern, and a big one.

Lab equipment—smaller, smarter, and full of information

Technical devices, test and monitoring equipment, and office equipment are the backbone of every laboratory. Managing a lab without them is practically impossible. Because technology is constantly evolving, those devices have become more powerful, smarter, and smaller, which makes it easier for employees to automate tasks, store and retrieve data, and provide a customized experience. From testing equipment to office machines, the functionality of these devices is contained on tiny circuitry. Most times, so are personal data, correspondence, passwords, billing information, accounting records, network information, scanned document images, and other sensitive information.

Securing your data

While most facilities are careful with their equipment and data security while their electronic devices are in use, there is still a gap in knowledge about proper disposal of laboratory devices and other electronic equipment. Data security is a major issue and top of mind for both consumers and enterprises while equipment is in use, but businesses, laboratories, and educational facilities face a huge challenge when disposing of old electronic equipment. All sensitive data must be securely removed before recycling, reusing, or reselling. Knowing how to destroy that data, and whether it has been done correctly, is the challenge.

Laboratory managers may feel safe knowing that physical records are being shredded and that they have security systems in place against theft, but the client data, research, and other information that resides in an obsolete device remains intact as long as that equipment can still be taken apart and accessed. That includes imaging equipment, scanning devices, test equipment, personal medical devices, personal equipment, computers, servers, tablets, printers, copiers, fax machines, mobile phones, portable hard drives, CDs, and backup devices.

Simply sending obsolete equipment to a recycler feels like it should be enough to ward off the worry of a data security breach, but is it? Most recyclers claim to wipe all of their customers’ important data before the equipment is resold or reused. The problem is, sometimes, it’s not wiped.

The nightmare of mistakes

According to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute and IBM Security, the average cost of a data breach of up to 100,000 records is approximately $3.86 million. News about cyber hacks isn’t an uncommon occurrence. Less common, but sometimes just as damaging, are stories about laboratory and office equipment being sold with the prior owner’s data still present. 

In 2010, photocopiers that were used to copy sensitive medical information were sent to be re-sold without wiping the hard drives. Three hundred pages of individual medical records, containing drug prescription and blood test results, were still on the hard drive of the copiers sitting in a warehouse for resale. The US Department of Health and Human Services settled with the original owner of the copiers for HIPAA violations to the tune of $1,215,780.

Following this news, CBS News purchased two photocopiers from an office equipment reseller, and discovered that the copiers were still loaded with confidential documents from their original owner—a Buffalo, NY police department.

In 2015, a computer at Loyola University containing names, social security numbers, and financial information for 5,800 students was disposed of before the hard drive was wiped.

One of the biggest impacts of a data breach is the loss of your customers’, accounts’, or employees’ trust. If trust is broken at one facility, you run the risk of a major loss of business. Even a small lab can face fines, lawsuits, and bad press if data gets released or lost.

Recycling and the environment

Currently, 25 states require that all devices with electronic circuitry be recycled by qualified electronic recyclers and not end up in a landfill. In addition to the potential problem of a data breach, the fines for improper disposal of electronic equipment are huge. According to a 2018 article in E-scrap News, The Home Depot was fined $28 million for improper disposal of batteries. Comcast has agreed to pay California $25 million for improper disposal of mainly electronic waste. 

In 2015, the nonprofit group Basel Action Network (BAN) investigated electronic waste recyclers by embedding GPS trackers in devices left at recycling companies. Some of those secret devices, still inside equipment with personal data on them, got stored in warehouses, then made their way overseas for improper dismantling and smelting. While this may seem like a somewhat secure outcome from a data security perspective, environmentally, it is a very poor option.

Electronic waste contains mercury, lead, cadmium, polybrominated flame retardants, barium, and lithium, while the plastic casings contain polyvinyl chloride. The health effects of electronic waste being melted down in China and India, where it is often sent by recyclers, are birth defects and damage to the brain, heart, liver, kidneys, nervous system, and reproductive system.

Recyclers—are they helping you sleep better?

According to the United Nations, the world produces as much as 50 million tons of electronic waste (equivalent to about six Egyptian pyramids). It’s estimated that by year’s end that number will grow to more than 57 million tons. Many electronic recyclers try to recoup the value of electronic waste by improperly salvaging parts and selling them outside of contracted terms. Often, recyclers will merely “delete” data rather than erasing or overwriting it, raising the possibility that a hacker could recover proprietary company data. In 2019, financial institution Morgan Stanley hired a vendor to scrub devices from two data centers that closed in 2016, but the vendor had left some client data on the devices. Some of those servers and hardware are now missing.

So, how do lab managers avoid waking up at 3 am, worrying about the equipment they just discarded? No matter what your reason for wanting to destroy your electronic devices, you need to meet two primary objectives:

1. Your product is destroyed in such a manner that it can never be reused or identified as coming from your organization.
2. The resulting materials from the destruction process are disposed of in an environmentally appropriate and regulatory compliant manner.

Full de-manufacturing and destruction of obsolete and defective devices protects you, your business, and your accounts. 

Choosing a vendor for device destruction

De-manufacturing of your devices accomplishes three important destruction objectives:

1. The circuit boards are removed for specialized handling, shredding, and recycling.

2. Batteries are removed for separate environmentally required recycling.

3. Other materials such as plastics and metals are separated for further specialized recycling.

Shredding the circuit boards assures that nothing short of a laboratory-based reconstruction effort could ever recover your proprietary information. Shredding should be performed in a highly secure environment. The shredded particles should then be sent to precious metal refining facilities where the shredded material is smelted and the valuable metals recovered. By using a US EPA Universal Waste Destination facility for Electronics, this recycling process assures you that all proprietary information is destroyed.

When choosing an electronic waste disposal vendor, look for one that is a Federal EPA licensed facility, ISO 9001, 14001, and 45001 certified, and R2 (Responsible Recycling) certified. They should provide you with detailed certificates of destruction for all devices, by serial number. Compliance documentation, including secure tracking information, should be available to you 24/7/365 as well.
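
One way to act on a certificate of destruction issued by serial number is to reconcile it against your own disposal manifest. The script below is an added example, not part of the original article; the CSV column names and all sample serial numbers are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample data: the lab's own disposal manifest and the vendor's
# certificate of destruction, both as CSV text. Column names are assumptions.
MANIFEST_CSV = """asset_tag,serial,device
LAB-001,SN-48213-A,centrifuge controller
LAB-002,sn 77120b,plate reader PC
LAB-003,SN-90031-C,network printer
LAB-004,SN-55518-D,portable hard drive
"""
CERTIFICATE_CSV = """serial,destroyed_on,method
SN48213A,2024-03-02,shred
SN-77120-B,2024-03-02,shred
SN-77120-B,2024-03-02,shred
SN-11111-Z,2024-03-02,shred
"""

def normalize(serial):
    """Upper-case and drop separators so 'sn 77120b' matches 'SN-77120-B'."""
    return re.sub(r"[^A-Z0-9]", "", serial.upper())

def load_serials(csv_text):
    """Return normalized serials from a CSV with a 'serial' column."""
    return [normalize(row["serial"]) for row in csv.DictReader(io.StringIO(csv_text))]

def reconcile(manifest_csv, certificate_csv):
    """Compare devices handed over against devices certified destroyed."""
    sent = load_serials(manifest_csv)
    certified = Counter(load_serials(certificate_csv))
    return {
        # Handed to the vendor but absent from the certificate: chase these.
        "uncertified": sorted(set(sent) - set(certified)),
        # On the certificate but never on the manifest: possible mix-up.
        "unexpected": sorted(set(certified) - set(sent)),
        # Listed more than once: the certificate may be padded or mistyped.
        "duplicated": sorted(s for s, n in certified.items() if n > 1),
    }

if __name__ == "__main__":
    for finding, serials in reconcile(MANIFEST_CSV, CERTIFICATE_CSV).items():
        print(f"{finding}: {serials or 'none'}")
```

Any serial reported as uncertified is a device that left your custody without documented destruction and should be followed up with the vendor before the disposal batch is closed.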

By performing vendor due diligence to ensure that your devices are properly de-manufactured and destroyed, you will eliminate the unauthorized and uncontrolled re-marketing of your devices, destroy all sensitive data that may be on the circuitry, and comply with all regulatory and industry environmental standards for disposal. 

This isn’t going to guarantee a good night of rest, but it will give you one less thing to worry about.