Many hospital asset disposition vendors say they can ensure that all ePHI on all your devices is professionally removed without affecting its market value. ZRG Medical follows strict R2 Standards for data destruction. Ask your vendor if they adhere to the same R2 Standards ZRG Medical does?
1- Has the recycler incorporated the applicable requirements of NIST 800-88 or other generally accepted standard into its data destruction procedures?
2- Does the recycler adhere to the incorporated data destruction standards for all data bearing media?
3- Does the recycler document its data destruction procedures and include this documentation as part of its EHSMS?
4- Are instructions for the identification of media containing data and requiring sanitization included in the recycler’s EHSMS? [NIST 800-88 Section 4.2]
5- Do employees involved in data destruction receive appropriate training in data destruction processing?
6- Do employees involved in data destruction receive repeat training in data destruction processing on a regular basis?
7- Are employees involved in data destruction pre-qualified through an evaluation of competency prior to processing media for data destruction?
8- Are data destruction validation requirements and processes documented in the data destruction procedures as part of the EHSMS?
9- Are data destruction processes reviewed and validated by an independent party on a periodic basis as defined in the data destruction procedures?
10- Are quality controls for data destruction documented?
11- Are quality controls for data destruction effectively implemented and used?
12- Are quality controls for data destruction regularly monitored internally for effectiveness?
13- Has the level of sensitivity of data on media received at the facility been determined?
14- Are security controls for media containing data documented?
15- Are documented security controls for media containing data implemented?
16- Are security controls and procedures maintained and updated as changes occur in facility, personnel, or media sensitivity?
17- Are implemented security controls appropriate for the most sensitive classification of media accepted at the facility?
18- Do security controls consider physical security, monitoring, chain-of-custody, and personnel qualifications?
19- Are adequate records of data destruction maintained by the recycler and each downstream vendor conducting data destruction?
20- If data destruction is handled by a downstream vendor, does the R2:2013 electronics recycler maintain responsibility for data destruction?
21- If data destruction is handled by a downstream vendor, does the R2:2013 electronics recycler ensure appropriate security, controls, and processing techniques continue to conform to Provision 8 through audits or other similarly effective means?
22- If data destruction is handled by a downstream vendor, are media or devices containing media with data tracked and secured during transportation, storage, and processing?
23- If data destruction is handled by a downstream vendor, does each downstream vendor adhere to the requirements of Provision 8
Contact ZRG Medical today so we can help you through your data mitigation process for surplus equipment following our strict R2 Policies.