ITAD Insights & Tech Lifecycle Trends | Sprout Resources

Choosing the Right ITAD Provider for Your Healthcare Organization

Written by Sprout | Dec 13, 2019

Very few industries are subject to the level of data security threats that the healthcare field must navigate on a daily basis. Here are our recommendations for finding and sourcing an ITAD company for your retired hardware.

Healthcare institutions compile vast amounts of personal data on patients including medical histories, social security numbers, credit card information, and more. The computers, servers, and other electronic devices that hold this data are constantly at risk of cyberattacks and data leaks. The risks do not diminish even after these devices have been decommissioned and discarded — a data-bearing device could still end up in the wrong hands and compromise confidential information.

There are many laws and regulations in place to ensure responsible handling of electronic personal health information (e-PHI) by healthcare providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most relevant when it comes to ensuring data security in end-of-life devices handled by ITAD firms. HIPAA-compliant healthcare providers are required to ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit, and to identify and protect against reasonably anticipated, impermissible uses or disclosures. HIPAA also stipulates that healthcare providers must perform risk assessments and implement required administrative, physical, and technical safeguards in the handling of e-PHI. Non-compliance can be costly — penalties can range from $100 to $50,000 per violation, and the loss of a laptop containing records of 500 individuals may constitute 500 violations. Violations can also carry criminal charges that can result in jail time.

Here are our recommendations for managing e-PHI risk when it comes to your ITAD partner.

The Business Associate Agreement

Healthcare organizations are required to have a current HIPAA business associate agreement (BAA) in place with each of their partners, including their ITAD partner. The BAA legally binds the ITAD partner to destroy all e-PHI that it handles, to safeguard the data from misuse, and to help the healthcare organization maintain HIPAA compliance. A healthcare organization working with an ITAD partner without a BAA will be found non-compliant in an Office for Civil Rights (OCR) audit and could be penalized. Healthcare organizations must also review, on a yearly basis, the ITAD partner's security policy and any updates to it, confirming that it covers every type of data storage device likely to contain PHI.

ITAD Partner Certifications and Standards

The following certifications and standards can help you pick the right ITAD partner:

e-Stewards or R2
Both R2 and e-Stewards certified electronics recyclers have demonstrated through audits and other means that they continually meet specific high environmental standards and safely manage used electronics. Once certified, continual oversight by an independent accredited certifying body holds the recycler to the particular standard.

ISO 9001
Addresses the fundamentals of quality management systems based on seven quality management principles.

ISO 14001
Related to environmental management — helps organizations minimize their negative impact on the environment and comply with applicable laws, regulations, and requirements.

ISO 27001
Requires that a company implement and maintain an Information Security Management System (ISMS), ensuring that adequate security controls and processes are in place to protect sensitive information.

OHSAS 18001
Helps organizations monitor and improve occupational health and safety performance.

NIST 800-88
Provides guidance to assist organizations in making sanitization decisions to ensure the confidentiality of their information.

Chain-of-Custody and Certificate of Destruction

ITAD partners must maintain a fully documented chain of custody for every data-bearing device they handle. This documentation needs to include every custody transfer to subcontractors, all the way down the supply chain, until the equipment has been destroyed or wiped and no longer holds e-PHI. ITAD partners must also provide a certificate of destruction for each data-bearing device that they destroy or data-wipe. Both the chain-of-custody records and the certificates of destruction must be available for review by the healthcare organization at short notice.

Ideally, the ITAD partner would make this information available in real time — including certificates of destruction, chain-of-custody, captured serial numbers, other device information, and photos of received pallets and assets. Having this data available in real time allows for complete transparency and will also make audits significantly easier for the healthcare organization.
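The audit that the two paragraphs above call for is a reconciliation: every serial number on the handover manifest must end in a certificate of destruction, and the custody transfers for that serial must form an unbroken chain from the healthcare organization to the party that issued the certificate. The script below is an added example, not Sprout's or any ITAD provider's code; the record layout, party names, serial numbers and timestamps are all constructed for illustration.

```python
"""Reconcile a handover manifest against chain-of-custody transfers and
certificates of destruction (CoD). Record formats and sample data are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    serial: str
    from_party: str
    to_party: str
    ts: int  # assumed Unix timestamp of the handoff


def check_custody_chain(serial, transfers, origin, destroyed_by):
    """Findings for one device: the chain must start at `origin`, each transfer
    must hand off from the previous holder, and the last holder must be the
    party that issued the certificate of destruction (if one exists)."""
    chain = sorted((t for t in transfers if t.serial == serial), key=lambda t: t.ts)
    problems, holder = [], origin
    for t in chain:
        if t.from_party != holder:
            problems.append(f"custody gap: {holder} -> {t.from_party}")
        holder = t.to_party
    if destroyed_by is not None and holder != destroyed_by:
        problems.append(f"CoD issued by {destroyed_by} but last holder is {holder}")
    return problems


def reconcile(manifest, transfers, cods, origin="hospital"):
    """Map every serial to a list of findings (empty list = clean). Certificates
    for serials that were never on the manifest are flagged as well."""
    findings = {}
    for serial in manifest:
        cod = cods.get(serial)
        issues = [] if cod else ["no certificate of destruction"]
        issues += check_custody_chain(serial, transfers, origin, cod["issuer"] if cod else None)
        findings[serial] = issues
    for serial in cods.keys() - set(manifest):
        findings[serial] = ["certificate for device not on manifest"]
    return findings


def run_sample():
    # Constructed sample: SN-001 is clean, SN-002 has no CoD, SN-003 has a gap
    # (a subcontractor that never received it hands it on), SN-004 has a CoD
    # but was never on the manifest.
    manifest = ["SN-001", "SN-002", "SN-003"]
    transfers = [
        Transfer("SN-001", "hospital", "acme_itad", 100), Transfer("SN-001", "acme_itad", "shredco", 200),
        Transfer("SN-002", "hospital", "acme_itad", 100),
        Transfer("SN-003", "hospital", "acme_itad", 100), Transfer("SN-003", "othersub", "shredco", 200),
    ]
    cods = {"SN-001": {"issuer": "shredco"}, "SN-003": {"issuer": "shredco"}, "SN-004": {"issuer": "shredco"}}
    return reconcile(manifest, transfers, cods)
```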

Logistics

When choosing an ITAD provider for your healthcare organization, you should consider a partner that uses tamper-proof, secure metal containers with a locking mechanism to keep assets from being removed. Logistics is considered one of the most high-risk areas for ITAD and should be thoroughly thought out and agreed upon by both parties. Logistics services to consider include company-employed drivers, tamper-proof bar-coded seals on containers and trailers, GPS tracking units on containers and trailers, and in some circumstances, security teams that travel with the transport.

It is highly recommended not to use a logistics company that will off-load your assets at a hub and either leave them overnight or cross-dock the containers — this not only delays processing but also gives other parties at that hub access to those assets.
