Depth and breadth, in the two places that matter, are critical in choosing the right IT Asset Disposition (ITAD) provider for your healthcare organization. Where are the two places that matter, you ask? In mitigating any risk of confidential information exposure, data security is where you need a crystal-clear understanding of the depth of your ITAD provider’s capabilities. As well, to reduce additional administrative burden and cost, make sure you evaluate your ITAD provider’s breadth of assets processed, so that you don’t need to set up and manage multiple partners performing the same services for different equipment in your organization.
Let’s dive into data security depth first. Data security is the top priority for any healthcare organization, from hospitals to primary care physicians, and everyone in between. With the availability of Electronic Health Records (EHR), also known as Electronic Medical Records (EMR), it has never been easier to share patient information from facility to facility. But this new change also makes it harder to protect the patient’s information under the Healthcare Insurance Portability and Accountability Act (HIPAA).
Under HIPAA, all patient healthcare records—including EHRs and paper forms—must be protected from theft or hacking. When consulting with IT Asset Disposition (ITAD) providers, your first concern should be their data protection and data destruction methods. Ask a series of questions that really drill down into how they can best protect you:
· Are all your data destruction methods following and staying compliant with all HIPAA, DoD, and NIST standards? If not, please explain the exceptions.
· Do you provide Certificates of Disposition? What’s the turnaround time?
Do your certificates include a comprehensive, serialized list of each asset received?
· Does that list also include the serial number of the data-bearing device (HDD, SSD, NVMe) inside the parent asset?
You might ask, why the serialization of the data-bearing device? Isn’t that overkill? If your organization is audited, your goal is to provide maximum assurance of confidential information protection. More and more, it’s no longer acceptable to simply demonstrate clear chain-of-custody records at the asset level. It’s imperative to prove that the actual data-bearing device, the hard drive as an example, was properly sanitized or destroyed. To provide this comfort, and to prove contiguous chain-of-custody, ITAD providers should tie that hard drive back to its parent laptop—the laptop, desktop, or server.
But laptops, desktops, servers, and other types of end user and data center equipment shouldn’t be all that you utilize your ITAD provider for. Not to be overlooked, printers, scanners, copiers, blood glucose machines, and even vital sign machines can contain patient information. All these devices need to be properly sanitized or destroyed in accordance with HIPAA regulations. Some of these assets may be equipped with a data-bearing device that needs to be removed and shredded for data security measures.
Likely, your organization has medical and lab equipment that also need to be properly dispositioned. To avoid having to onboard another provider for facilities equipment, explore the breadth of your ITAD provider’s processing capabilities before making a commitment. An ITAD provider with a dual specialty in the sanitization, refurbishment, and recycling of medical and lab equipment can provide additional convenience and efficiencies. Questions you can ask in order to understand an ITAD provider’s breadth include:
· Can you offer on-site and off-site shredding for employee ID badges, pagers, etc.?
· Do you have a specific process for handling respiratory ventilators, defibrillators, ESUs, SEMs, and other medical/lab equipment? Please describe in detail how you would process an ESU?
· How do you guarantee that you will remove data-bearing devices from non-client equipment such as blood glucose machines and MRI equipment?
At Sprout, we partner with healthcare organizations to pack, transport, data-sanitize, refurbish, and recycle a wide range of equipment, including:
- Mobile devices
- Pagers
- Desktop and laptop equipment
- Copiers and printers
- TVs and monitors
- IV pumps
- Defibrillators
- EKG machines
- MRI, ultrasound, and x-ray machines
- Lab testing equipment
- And more (just ask)
For more information about Sprout, please visit our website: www.sproutup.com