In their 2019 study, IBM and the Ponemon Institute found that it costs healthcare organizations an average of $429 for each lost or stolen record—over 104% higher than any other industry. According to the study, the total dollar amount lost from data breaches stems from investigations, lawsuits, regulatory filings, hiring of crisis communication firms, and negative impact on business and reputation.
To reduce the risk of a breach of data stored on end-of-life medical devices, the US Department of Health and Human Services (HHS) recommends organizations consider the following before disposal:
- What data is maintained by the organization and where is it stored?
- Is the organization’s data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization’s assets handled by a certified provider?
- Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
Decommissioning, the process of taking hardware or media out of service before disposal, also requires several steps, including:
- Ensuring devices and media are securely erased and then either securely destroyed or recycled.
- Ensuring that inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned.
- Ensuring that data privacy is protected via proper migration to another system or total destruction of the data.
HIPAA Security Rule Policies and Procedures
To maintain data security, the HIPAA Security Rule requires all HIPAA covered businesses to implement specific policies and procedures when disposing or re-using devices with electronic protected health information (ePHI). When developing these procedures, HHS recommends:
- Determining and documenting the appropriate methods to dispose of hardware, software, and the data itself.
- Ensuring that ePHI is properly destroyed and cannot be recreated.
- Ensuring that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
- Identifying removable media and their use (tapes, CDs/DVDs, USB thumb drives).
- Ensuring that ePHI is removed from reusable media before they are used to record new information.
Mistakes are inevitable and in the event that ePHI data is still present, using an asset disposition vendor who understands all state and federal security procedures will ensure that data will not be compromised. ZRG Medical follows all HIPAA compliance standards and keeps track of all devices we remove which can be seen through our online customer portal, eliminating all liabilities and doubts that your decommissioned medical equipment will be handled risk-free.
