The United States Department of Health and Human Services issued guidance on how to properly dispose of electronic devices and media that may contain sensitive information in order to prevent a potential data breach.
Whether at a college, K-12 school or hospital, sensitive information like disciplinary or medical records is kept on electronic devices such as laptops, servers, hard drives and USB drives. Improper disposal of these devices can put an institution at risk for a data breach, which has shown to be extremely costly, especially as of late.
A recent study found it costs healthcare organizations an average of $408 for each lost or stolen record. Fines and fees associated with data breaches include investigations, regulatory filings, loss of business, negative impact on reputation and employee time spent on recovery, according to the study.
In order to reduce the risk of a breach of data stored on devices or media that has reached the end of its life, HHS recommends organizations consider the following before disposal:
- What data is maintained by the organization and where is it stored?
- Is the organization’s data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization’s assets handled by a certified provider?
- Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
Decommissioning, which is the process of taking hardware or media out of service prior to its final disposal, also requires several steps, including:
- Ensuring devices and media are securely erased and then either securely destroyed or recycled.
- Ensuring that inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned.
- Ensuring that data privacy is protected via proper migration to another system or total destruction of the data.
HIPAA Security Rule Policies and Procedures
Pertaining specifically to the destruction and disposal of protected health information (PHI), the HIPAA Security Rule requires HIPAA-covered entities to implement specific policies and procedures. HHS recommends the following when developing these procedures:
- Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
- Ensure that ePHI is properly destroyed and cannot be recreated.
- Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
- Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
- Ensure that ePHI is removed from reusable media before they are used to record new information.
For more information regarding the disposal of PHI, check out the Office for Civil Right’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
For additional materials regarding best practices for disposals and to read the full guidance letter, click here.
The post HHS: How to Properly Dispose of Electronic Devices with Sensitive Information appeared first on Campus Safety Magazine.