Updated: Sep 14, 2020
Very few industries are subject to the level of data security threats that the healthcare field must navigate on a daily basis. Here are our recommendations for finding and sourcing an ITAD company for your retired hardware.
Healthcare institutions compile vast amounts of personal data on patients including medical histories, social security numbers, credit card information, etc. The computers, servers and other electronic devices that hold this data are constantly at risk of cyberattacks and data leaks. The risks do not diminish even after these devices have been decommissioned and discarded. A data-bearing device could still end up in the wrong hands and compromise confidential information.
There are many laws and regulations in place to ensure responsible handling of electronic personal health information (e-PHI) by healthcare providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most relevant when it comes to ensuring data security in end-of-life devices that are handled by ITAD firms. HIPAA-compliant healthcare providers are required to “ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit” and “identify and protect against reasonably anticipated, impermissible uses or disclosures” 1. HIPAA also stipulates that healthcare providers must perform risk assessments and implement required administrative, physical and technical safeguards in the handling of e-PHI. Non-compliance can be costly. Penalties can range from $100 to $50,000 per violation – the loss of a laptop containing records of 500 individuals may constitute 500 violations. Violations can also carry criminal charges that can result in jail time 2.
Here are some of our recommendations for managing e-PHI risk when it comes to your IT Asset Disposition (ITAD) partner:
The Business Associate Agreement
Healthcare organizations are required to have a current HIPAA business associate agreement (BAA) in place with each of their partners, including their ITAD partner. The BAA legally binds the ITAD partner to destroy all the e-PHI that is handled, to safeguard the data from misuse and to help the healthcare organization maintain HIPAA compliance 3. Healthcare organizations working with an ITAD partner without a BAA will be found non-compliant in an Office of Civil Rights (OCR) audit and could be punished. Healthcare organizations must also review and update their ITAD partner’s security policy. This policy should be reviewed yearly and cover all data storage devices likely to contain PHI 4.
ITAD Partner Certifications and Standards
The following certifications and standards can help pick the right ITAD partner 5:
e-Stewards or R2: Both R2 and e-Stewards certified electronics recyclers have demonstrated through audits and other means that they continually meet specific high environmental standards and safely manage used electronics. Once certified, continual oversight by the independent accredited certifying body holds the recycler to the particular standard 6.
ISO 9001: This standard addresses the fundamentals of quality management systems based on seven quality management principles.
ISO 14001: This family of standards is related to environmental management. It helps organizations minimize their negative impact on the environment and comply with applicable laws, regulations, and requirements.
ISO 27001: Requires that a company implements and maintains an Information Security Management System (ISMS) that ensures adequate security controls and processes are in place to protect sensitive information.
OHSAS 18001: Helps organizations monitor and improve occupational health and safety performance.
NIST 800-88: This standard provides guidance to assist organizations in making sanitization decisions to ensure the confidentiality of their information.
Chain-of-Custody and Certificate of Destruction
ITAD partners must maintain fully documented chain-of-custody for all data-bearing devices that they handle. This documentation needs to include custody transfers to subcontractors all the way down the supply chain until the electronic equipment has been destroyed or wiped and is no longer considered e-PHI 7. ITAD partners must also provide certificates of destruction (container device serial numbers) for each data-bearing device that the company destroys or data wipes. Both chain-of-custody and certificates of destruction must be available for review by the healthcare org at short notice.
Ideally, the ITAD partner would make this information available in real-time. Healthcare organizations should have real-time access to the aforementioned certificates of destruction, chain-of-custody, captured serial numbers, and other device information, photos of received pallets and assets, etc. Having this data available in real-time allows for complete transparency between the healthcare org and the ITAD partner. This will also allow for easier audits for the healthcare org.
When choosing an ITAD provider for your healthcare organization, you should consider a partner that uses tamper-proof, secure containers that are made of metal and have a locking mechanism to keep those assets from being removed. Logistics is considered one of the most high-risk areas for ITAD and should be thoroughly thought out and agreed upon by the healthcare org and the ITAD partner. Logistics services to consider would include company-employed drivers, tamper-proof bar-coded seals on containers and trailers, GPS tracking units on containers and trailers, and in some circumstances, security teams that travel with the transport. It is highly recommended NOT to use a logistics company that will off-load your assets at a hub and either leave them overnight or cross-dock the containers as this delays your assets being processed but also gives access to those assets to other parties at that hub.