Cyber Security and Disposing of Equipment
The digital equipment we use every day captures and stores electronic PHI (aka E-PHI or PII). So, when we replace a cell phone, copier, computer, USB drive or other removable media, we must remember to "wipe" the equipment or device clean before it's handed off to someone.
Posted in Data Breach on Thursday, January 31, 2019
When it comes time to replace equipment such as cell phones, copiers, computers, USB drives and other removable media, remember to "wipe" all the personal health information contained within them before handing them off.
This includes devices given to employees or to organizations that accept donated computers or cell phones or make them available at a reduced price.
The process of wiping the devices or tools clean is called “decommissioning” them. The decommissioning takes place prior to disposal and should include:
- Confirming the device or tool is thoroughly erased and securely destroyed or recycled
- Maintaining a list of the devices/tools that were decommissioned, including when, how and by whom
- If the decommissioning is taking place away from your premises, indicating when the device was last used and when it left your control
- If a commercial organization is decommissioning the device/tools:
  - Request a certificate of destruction
  - Certificate should list:
    - Manufacturer name of item, model and serial number
    - Method of destruction
    - Media type
    - Verification of destruction
In July, HHS issued the following reminder regarding disposing of equipment: https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf
You can find more detailed information from NIST at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf