10 critical steps in the safe disposal of data devices
OCR guidance urges organizations to take extreme care in decommissioning devices and memory media.
As healthcare organizations decommission information technology, the retired devices are likely to contain patients’ financial or protected health information, so special care is needed in disposing of desktop and laptop computers, servers, tablets, hard drives, USB “thumb” drives, copiers or any other electronic storage devices.
As a result, organizations need to take extreme care—and have a plan—for disposing of devices and storage media, says the Office for Civil Rights of the Department of Health and Human Services. In a recent cybersecurity newsletter, OCR laid out a roadmap for ensuring the secure disposal of media.
“Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed or any confidential or sensitive information stored on such devices or media has been removed,” the OCR guidance states.
Here are OCR’s recommendations for securely handling device and media decommissioning.
Know which data an organization maintains and where it’s stored
As healthcare organizations increasingly digitize records, it’s a challenge to know where information is stored. The task is complicated when information is retained on individuals’ computing devices, smartphones or portable storage media. Knowing where data is stored will also depend in part on policies governing what information can be retained on staff computing devices and storage media.
Make sure the data disposal plan is up to date
Decommissioning of equipment should follow the steps of an overarching plan, OCR says. Generally, the plan should encompass information preservation, media sanitization, and hardware or software disposal. A disposition plan can become dated as technology changes—for example, USB sticks may have averaged 4 gigabytes of storage five years ago and could not hold significant amounts of information, but now such sticks may hold 128 gigabytes of data and can contain significant amounts of financial and protected health information; as a result, a plan must be updated to include the disposition of USB devices.
Remove asset tags and corporate identifying marks
Whether information technology is decommissioned by the organization itself or an outside entity, outside markings on devices (in the form of stickers, decals or other forms of identification) may signal that a device could contain financial or protected health information, raising the risk that it may not be decommissioned according to the data disposal plan. Removing any identifying marks helps these devices “blend in” with others.
Identify and isolate all asset recovery-controlled equipment and devices
IT devices or memory media that serve a backup role for the organization should be identified and handled with particular care. That’s because these devices are likely to contain vast stores of an organization’s information; by contrast, an individual laptop might only contain information important to the individual who was using it.
Ensure outside entities handling data destruction are certified
When passing IT or memory devices to someone else for cleaning and destruction, provider organizations should ensure that they only deal with organizations that are certified for their practices. Such certifications include compliance with NIST standards, and those specified by HIPAA and HITECH, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and others. Entities should be members of the National Association for Information Destruction and have AAA Certification for both mobile and plant-based operations.
Certify the individuals handling the organization’s data assets
Precautions to protect information can be compromised at the point where individuals take possession of devices to take them for decommissioning. Healthcare organizations must ensure that individuals vested with this responsibility can be completely trusted. All individuals handling the organization’s assets should be subjected to workforce clearance processes and undergo appropriate training, OCR says.
Understand the chain of custody for devices
A data destruction plan should designate the process for decommissioning and which departments or individuals are responsible for locating, gathering and ensuring that devices are rendered inoperable or destroyed.
Determine if hard drive destruction should occur onsite
Healthcare organizations can mitigate risks by determining whether device hard drives should be decommissioned within their walls first. A thorough process for these memory devices should involve more than deleting—at minimum, memory in devices should be overwritten and then destroyed to render them inoperable and unusable. Destruction typically involves disintegrating, burning, melting or pulverizing, but devices also can be rendered inoperable by pounding nails or drilling holes into hard drives.
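The two preceding steps, a chain of custody for each device and an overwrite that is verified before the device is destroyed, can be exercised in code. The following is an added example, not from the OCR newsletter: a regular file stands in for a drive, `overwrite_media` and `verify_zeroed` are the overwrite-then-check step, and `custody_entry`/`chain_intact` keep a hash-chained custody log in which any later edit, reorder or dropped record is detectable. All function names, the asset id and the sample data are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

BLOCK = 4096  # constructed block size; a regular file stands in for the drive

def make_sample_medium(size: int = 10_000) -> str:
    """Constructed stand-in for a drive holding patient data: a temp file of random bytes."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path

def overwrite_media(path: str) -> int:
    """Overwrite every block with random bytes, then zeros; returns bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for zero_pass in (False, True):
            f.seek(0)
            for off in range(0, size, BLOCK):
                f.write((b"\0" * BLOCK if zero_pass else os.urandom(BLOCK))[:size - off])
            f.flush()
            os.fsync(f.fileno())  # do not log "overwritten" until the data is really on disk
    return size

def verify_zeroed(path: str) -> bool:
    """Read the medium back in full; any non-zero byte means the overwrite did not land."""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def custody_entry(prev_hash: str, asset_id: str, action: str, actor: str) -> dict:
    """One chain-of-custody record; its hash also covers the previous record's hash."""
    entry = {"asset": asset_id, "action": action, "actor": actor, "prev": prev_hash}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

def chain_intact(log: list) -> bool:
    """Recompute every hash in order; an edited, reordered or dropped record breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or e["hash"] != hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True
```

On a real drive the overwrite would target the block device rather than a file, and the custody record for "overwritten" should only be written after `verify_zeroed` returns true.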
Manage equipment that will be disposed of and destroyed offsite
Another weak link in data protection can be how devices and media are held before being transferred to an outside entity for disposition. Holding areas or containers should be secured so they cannot be accessed by anyone within an organization before disposition by a certified data destruction entity.
Ensure secure logistics and controls in moving equipment
Finally, if offsite destruction will be used, it’s important for healthcare organizations to make sure that the devices and media will be securely transported to that destination. All previous steps to protect these devices can be rendered useless if sloppy practices are used in this last step of transferring devices or media.
For more information
OCR’s guidance is published in its cybersecurity newsletter.
In addition, the agency’s recommendations listed several references for healthcare executives who are managing the data protection and device destruction process. These include:
The Practices Guide for the disposition plan of HHS’ Enterprise Performance Life Cycle Framework.
Disposing of Devices Safely, a paper from the U.S. Computer Emergency Readiness Team.
Media destruction guidance from the National Security Agency.
HIPAA guidance on information disposal.