1st Talk Compliance features guest John Shegerian, Chairman and CEO of ERI, the largest cybersecurity-focused hardware destruction and electronic waste recycling company in the United States and co-author of the cybersecurity book, “The Insecurity of Everything” on the topic of “The Insecurity of Everything: The Vital Importance of Hardware Data Security.” He will share some of the latest information about the very real problem of hardware hacking in the world of healthcare and beyond and how that issue became even more serious during the pandemic, with so many people working from home. He will also be explaining critical information for health-related businesses to help them keep their private data – and the data of their patients and customers – protected!
Catherine Short: 0:01
Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high-quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram and Twitter, and subscribe to our YouTube channel.
On today’s episode, we are speaking with John Shegerian, Chairman and CEO of ERI, the largest cybersecurity-focused hardware destruction and electronic waste recycling company in the United States.
John is the co-author of the cybersecurity book “The Insecurity of Everything”, and today we will be discussing the insecurity of everything: how hardware data security is becoming the most important topic in the world. He will share some of the latest information about the very real problem of hardware hacking in the world of healthcare and beyond, and how that issue is becoming even more serious during the pandemic, with so many people working from home. We will also be talking about critical information for health-related businesses to help keep them and their private data, and the data of their patients and customers, protected.
Before we begin, I would like to mention at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition.
For this episode, we’re spotlighting Super Ninja Julie Garcia, business office manager at Coastal Vascular Center. Julie says, “Coastal Vascular Center has three office locations, and yet the whole group works as a team. They all respond well to the compliance updates and changes. I am fortunate to have such a close-knit, caring group of professionals to work with every day.”
Congratulations, Julie, our team is honored to have the privilege of working with you.
So John, thank you so much for being with us today on 1st Talk Compliance.
John Shegerian: 2:21
It’s totally my honor. Catherine, it’s great to be back with you here today.
Catherine Short: 2:24
Thank you. I’m glad to have you on today, too. So John, can you tell me, how serious is the problem of hardware hacking?
John Shegerian: 2:34
It’s very serious, Catherine. When I got into the recycling business 17 or 17 and a half years ago, e-waste was the fastest growing solid waste stream in the world. Fast forward 17 and a half, 18 years later, it’s now the fastest growing solid waste stream by an order of magnitude of five times. So our great innovation nation has created more gadgets that connect us, with the Internet of Things and wearables and Nest and Ring, and cars are now computers on wheels. The problem of e-waste is growing, which means the problem of hardware data protection, and the issue of hardware data destruction when our old electronics come to their natural end of life, has grown with it. It’s a massive problem and it’s something that we need to address.
Catherine Short: 3:28
And so what’s the biggest factor driving that need for efficient data destruction?
John Shegerian: 3:35
Right. As your listeners and constituents are typically in the healthcare agency or organization world, they know the legacy laws, which still exist actually, such as HIPAA and Rick [INAUDIBLE] and [INAUDIBLE], which still exist around data protection and constituency protection with regards to privacy. But in May of 2018, we had, of course, GDPR passed in the EU, which was about corporations having to protect the data of their clients or constituents. Americans then started taking hold and being informed by what the EU did post-2018, and now America is not only passing its own federal versions of GDPR, but every state is also passing its own version of GDPR, which is all around privacy and data protection. That means there are many more people out there with a hand in the pot to regulate this, which means there are going to be more fines and more regulators overseeing the healthcare agencies across the United States. The risk level, the liability level, has multiplied many times over. Hardware is connecting us more than ever before. So the risk level has increased and the regulatory level has increased, which creates a perfect storm of having to really take this issue seriously now more than ever.
Catherine Short: 5:05
Okay, so how can people in this field learn more about sustainability practices and data protection in particular?
John Shegerian: 5:14
Think about this: how important is Shred-it or Iron Mountain to all of our lives, in the healthcare agencies, in terms of shredding data that’s on paper? Now, think of all the electronics that you use on a daily basis, whether it’s your cell phones, personal or professional, your laptops, your tablets, your copier machines, your X-ray machines, MRIs; everything that you touch that contains patient data is now covered by the laws the states are creating around privacy and data, and the federal laws. If your constituents’ information is breached, and they tie it back to a software breach, or, in this discussion today, to a hardware hack or breach, you’re going to be held liable, both by your constituents and patients, who can sue you and will sue you, and also by the local and state regulators and the federal regulators.
Catherine Short: 6:07
It kind of makes a person feel a little bit paralyzed when they think about it: is my electronic information being wiped? I think I’ve wiped it clean, but maybe deep in the recesses it’s not free of all my information, and so should I just keep storing it all in the basement? How can a business find out if a recycler is certified, what types of certifications are necessary in terms of environmental compliance, and feel safe?
John Shegerian: 6:36
It comes down to a couple of things. Anyone can fake a website. Whoever is in charge at your organization, whether it’s a cybersecurity specialist or just a security specialist, whether it’s a CISO or Chief Technology Officer, or, by the way, a Chief Sustainability Officer, because your healthcare agency or healthcare organization cannot be sustainable with regards to both software hacks and hardware hacks. Since websites can be tricked, what I highly recommend is two or three things. First of all, the right type of certifications, and checking back with those certification agencies that the recycling company is part of that certifying body. For instance, on the environmental side, there are two certifications that your clients and your listeners should be hearing about. One is called e-Stewards (ban.org). The other one is called R2. R2 is under the brand of SERI, and that’s a different brand. Again, R2 certification and e-Stewards certification are the two most important certifications when it comes to the environment. When it comes to data protection, the one that was created exactly for your listeners was NAID, the National Association of Information Destruction. That was first created to protect data that was on paper. That was originally created to regulate the data on paper that was going through organizations like Shred-it and also Iron Mountain, making sure they were doing it the right way. It now also covers certified and responsible hardware data destruction, so it covers both, and you can find all NAID members at naidonline.org. Now, you also want to look on the websites of the recyclers you’re speaking with, or data destruction companies you’re speaking with, to make sure they’re NAID certified. They can say they’re NAID certified but not truly be on the certification list. You can back-check it by going to naidonline.org.
Catherine Short: 9:00
What about some electronic devices that can’t be recycled? Are there any on your list that can’t?
John Shegerian: 9:06
No. The truth is, all electronic devices, when responsibly recycled, can be turned back into the commodities, and all those commodities can go back for beneficiaries. Zero waste, zero landfill, zero emissions. Everything we can handle. We can handle your old MRI machine, your old X-ray machine, your desktops, your laptops, copier machines. By the way, oh my god, you want to talk about a hidden goldmine of information for the cyber criminals: copier machine hard drives have every copy that’s ever been made on that copy machine. Every copy is on that hard drive.
Catherine Short: 9:40
I think about copier machines all the time. I think about oh my gosh, yeah.
John Shegerian: 9:45
A lot of people don’t, and then it gets in the wrong people’s hands. It’s literally a goldmine for cybercriminals, so please, everything that your patients’ or clients’ information is going through: copier machines, fax machines, MRIs, X-ray, cell phones, anything you’re touching and using where patient information is flowing through has to be responsibly destroyed when it comes to end of life. So just pick a responsible recycler. We’re just one of many across America and there are lots of good ones, but don’t let it go. Do not, under any circumstances, allow someone to pick up your old electronics from your healthcare agencies and say they’re doing it for free. Free is literally a four-letter word for the word sham. Free does not exist. Just like free doctors don’t exist, free nurses don’t exist, free lawyers don’t exist, free accountants don’t exist, free recycling, legitimate, responsible recycling, does not exist on this planet today.
Catherine Short: 10:47
Copiers are an interesting story, though, because for most businesses who have these large copying machines, they’re almost always leased. So it’s not like they’re owning them and then having them destroyed after. They’re going back to whatever business had leased them. That always makes me feel nervous, because then they’re going back to whatever company they leased them from. I assume that they have some kind of contract that says their information is being destroyed. But I don’t know; what are your thoughts on that?
John Shegerian: 11:17
Catherine, you’d be shocked. Unless you put a special rider into that contract, in many cases the leasing company dumps these things onto an open market, loads them onto, basically, containers, where they’re sold overseas on the secondary and tertiary market. Here’s what I’ll tell you, the dirty little secret of the e-waste industry: Homeland Security, the DOJ and the FBI are all clients of ours and have sat us down in our offices, as executives of ERI, and told us that in 2001, 2002, 2003, 2004, 2005, 2006 and 2007 even, the folks that were buying these old electronics off of our shores wanted to mine the gold, the silver and the other precious metals that were contained therein. Now the people buying our old electronics off our shores in 2022 and beyond, in many cases, not all, but in many cases, are just buying the old electronics and pulling the hard drives, to try to do corporate espionage or breach our homeland security in America, depending on where the electronics came from, and then disposing of the carcass of the rest of the machinery into the ocean, into the desert, or they’re just simply burning them. It’s very dangerous to think that a leasing company is going to act responsibly without dictating, legally dictating in a rider to your contract, how they have to handle it, and having them countersign that in the contract. Catherine, you make a great point. This goes for rentals; this goes for leased cars, which are now downloading our information, so the hardware of a leased car has your own information on it. The same thing with leased equipment that’s in a hospital or healthcare agency that does go back to the leasing company. They have no requirement to destroy that information responsibly unless you dictate it in a legal and binding rider to your contract.
Catherine Short: 13:14
Okay, how do you propose to do that?
John Shegerian: 13:18
Well, we deal with leasing agents all the time that are doing the right thing, but only because they’re told to. So to me, you’re the CISO, or CTO, or security expert, or Chief Sustainability Officer from the healthcare agencies that are listening to this podcast today. Every healthcare organization we deal with, and financial organization, has different people in charge of the hardware, so I’m just giving four or five examples of who can be in control of the hardware. Those people have to be shown, or have to be shared, the information we’re talking about today: that the dangers that are lurking within old hardware and electronics are potentially catastrophic, and that the contract should now be adjusted. This is a big shift in the industry. We have these conversations every day with our client base, and it’s a growing issue, because what happens then, when agencies or healthcare organizations or other at-risk organizations are lackadaisical in their approach, is they start finding themselves in problems with their cybersecurity insurance contracts, which require them to take care of all these issues. If it’s found out they left holes open, or they haven’t taken care, it could also affect your insurance coverage in the cybersecurity and data breach sector.
Catherine Short: 14:41
So if you’re just tuning in, you’re listening to 1st Talk Compliance, brought to you by First Healthcare Compliance as part of our commitment to provide high-quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is John Shegerian, Chairman and CEO of ERI, the largest cybersecurity-focused hardware destruction and electronic waste recycling company in the United States, and co-author of the cybersecurity book “The Insecurity of Everything”, on the topic of “The Insecurity of Everything: The Vital Importance of Hardware Data Security”. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also find us on all other social media.
Okay, well, we have had a huge change in the world, obviously. We’ve had this COVID-19 pandemic continuing on. How has that changed the cybersecurity landscape in your world, and in our world here, with hardware hacking and with everything going on with you all, and hence for us?
John Shegerian: 16:01
Yeah, that’s a great question. The quiet behind-the-scenes change that we saw was very evident to all of us: there was a work-from-home movement, because we were all on lockdown throughout 2020, and a good part of even 2021. People got used to working from home and actually liked it, and that’s okay. But what we saw that wasn’t okay, and that greatly affected the data sphere and the data breaches section that we focus on with our clients and potential clients, is that once people work from home, because of different factors in a home, time crunches, children, spouses, your personal hardware that you use for your own life started getting contaminated with your professional information, and your professional hardware also then started getting contaminated with your personal information. Sometimes you’re supposed to get on a Zoom call, and your laptop takes a poop or is no longer available, so you get on to your desktop, which belongs to somebody else in the household, your son, your daughter, or some other family member, and all of a sudden you’re doing the Zoom call from that desktop, and the data that was supposed to be on your hardware is now on your children’s hardware, and vice versa. You’re supposed to get on a personal call, and you end up on your professional laptop, and before you know it, your personal information is on your professional hardware, and your professional information, and that includes your patients’ and clients’ information, is on your personal hardware. What you need to do is follow the protocol, if it’s a good protocol, of the agency or healthcare organization you work for in terms of the destruction of the data and destruction of the hardware, for all of your equipment. You don’t want to be the cause of a data breach because your personal equipment you put up on Craigslist or eBay to sell, but your professional equipment got handled the way your healthcare organization requires you to.
You’ve got to treat it all as at risk once you work from home and there’s a cross-contamination. People go, “Ah, I’m not part of that, my information is not getting cross-contaminated.” Listen, I’m the CEO of our company, and I have cross-contamination on my hardware at home, as does my wife, as do my children, who are both lawyers. My point is, this is not calling anybody out for carelessness; it’s just what happens after you’re at home for a long enough period, and you’re using your hardware and jumping from room to room. At different times, things break down, and all of a sudden you’ll be shocked how much cross-contamination really happens, and if you’re lackadaisical with your own hardware, it could have catastrophic results in your professional career and life.
Catherine Short: 19:07
Right. How do we make recycling electronics successful for all the new teleworkers in a post-coronavirus workforce?
John Shegerian: 19:15
That’s a great question, Catherine. It comes up all the time with clients or potential clients. We developed in 2012, for other purposes, at one of our clients’ requests, a box program. We have boxes from the size of a cell phone all the way up to a pallet-size box, about 17 different sizes. We can ship those boxes to anyone’s home or office, by the way, and they can fill them up at their own leisure and their own timeline and convenience with as much electronics as they have, print off a label, and then UPS or FedEx will pick them up from their doorstep and reverse-logistics them back to one of our eight locations nationally. Now, of course, there’s an expense that comes to us, but just like doctors and lawyers and nurses and accountants and investment bankers, and everyone else you pay a fee to, real responsible recycling costs money. It cost us over $100 million to build our infrastructure and all our technology to handle the United States and beyond, our international clients and their hardware data destruction and recycling needs. We have to pay for that infrastructure, just like doctors and nurses have to pay for their infrastructure. So we charge a fee, and we make it convenient for everybody at home or in their office to just make recycling super simple. Press of a button, the boxes are delivered a day or two later, they fill them up at their own convenience, and then UPS or FedEx take them back to us and all their information will go away.
Catherine Short: 20:45
Well, I have a question for you. What about when you get a new phone? You go to AT&T or Verizon or Apple or whatever, and you know, it’s time to upgrade your phone, and they say, okay, you’ve got to wipe your phone, and then you trade it in for a new phone. And they say, okay, we’ll give you a discount on your phone and you trade in your old phone. And they say you have to wipe your old phone, and then you mail it in to us, and we have to make sure you wipe your data clean, etc. Are you actually wiping your data clean when you set it back to factory settings? Or is that kind of a lie? Are you not setting it back to factory settings? Is your information still in there?
John Shegerian: 21:26
Brilliant question. I don’t want to characterize it as a lie, but it’s a hopeful goal. Typically, when you talk to the best hackers, and we have a lot of the great hackers that are white collar hackers that, how do I say this, white hat hackers, that know how to hack but don’t do it for illegal purposes, they say it’s a hopeful goal that’s literally proven to fail 95% of the time. Most of us don’t know how to do it the right way, most of that information is recoverable, and again, none of them recommend it. I’m only leaning on, I’m erring on caution in advising you and your great listeners: I wouldn’t do that if you think you’re at risk, if you think you have information on your phone or your tablet that you don’t want the bad guys to get. It’s like Oprah Winfrey’s old statement of years ago, about six or seven years ago: never text or email something that you don’t want to see on the cover of The New York Times. I believe that’s really true when it comes to the question you asked.
Catherine Short: 22:36
Interesting. All right. I mean, that’s what my suspicion was.
John Shegerian: 22:40
You’re right. Your suspicion is absolutely correct.
Catherine Short: 22:44
Yeah. Okay. Well, I think that we’re coming up on the end of our time. Do you have any other advice or thoughts that you wanted to leave with us today? There are so many, so many things. But any other thoughts?
John Shegerian: 22:58
I want to leave everybody with a positive note. Responsible recycling of your old hardware is not difficult. There are lots of great recyclers across this wonderful nation. You just have to make sure you do your homework. It’s become a bigger problem because of the technological revolution and because of the high turnover of electronics, and because we all want newer, better, faster, and that’s okay. But in our goal for newer, better, faster, let’s not overlook the dangers that lurk within. Just please responsibly recycle everything that you have that you don’t want any of that information to get out of, both professionally and personally. It will do you well, because A, you don’t want anything to happen to the career that you worked hard on, and B, you don’t want anything to happen to your own finances, or legal issues within your own household. So just take extra care so nothing bad happens. It’s all possible to make it all go away, because the technology exists with a company like mine, and many other good recyclers across this nation. There are lots of ways to do it, and all I ask is for people to take a little extra time doing their homework, and they’ll have a great result.
And for all the listeners, thank you for listening. I want to make an offer. If you write to the email that Catherine Short is giving you, you can get a free copy of our book, The Insecurity of Everything. It will be mailed to you within a couple of weeks of your request. I’m happy to share this with you all as an education tool, and I think you’ll get a lot out of it, and it’ll be a great reference tool also to keep on your desk.
Catherine Short: 24:32
Okay, great. Thank you so much, John. I really appreciate you coming on today. So thank you so much for offering your expert advice to us today.
John Shegerian: 24:41
Absolutely. My pleasure. I’m happy to come back anytime, Catherine, and support your great organization.
Catherine Short: 24:46
Thank you. Thank you so much. I really, really appreciate it. Thank you, and thanks to our audience as well for tuning in today to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com, and add your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at email@example.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.