IT Asset Disposition for Healthcare

What healthcare organizations should require from their ITAD partner.

When choosing an IT Asset Disposition (ITAD) provider for your healthcare organization, depth and breadth matter in two places. The first is data security: to mitigate the risk of exposing confidential information, you need a crystal-clear understanding of the depth of your ITAD provider's capabilities. The second is the breadth of assets processed: to reduce administrative burden and cost, evaluate that breadth so that you don't need to set up and manage multiple partners performing the same services for different equipment.

Data Security Depth

Data security is the top priority for any healthcare organization, from hospitals to primary care physicians and everyone in between. With the availability of Electronic Health Records (EHR), also known as Electronic Medical Records (EMR), it has never been easier to share patient information from facility to facility. But this ease of sharing also makes it harder to protect patient information under the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, all patient healthcare records — including EHRs and paper forms — must be protected from theft or hacking. When consulting with ITAD providers, your first concern should be their data protection and data destruction methods. Ask a series of questions that really drill down into how they can best protect you:

  • Do all your data destruction methods comply with HIPAA, DoD, and NIST standards? If not, please explain the exceptions.
  • Do you provide Certificates of Disposition? What's the turnaround time?
  • Do your certificates include a comprehensive, serialized list of each asset received?
  • Does that list also include the serial number of the data-bearing device (HDD, SSD, NVMe) inside the parent asset?

You might ask: why serialize the data-bearing device? If your organization is audited, your goal is to provide maximum assurance that confidential information was protected. Increasingly, it is no longer acceptable to simply demonstrate clear chain-of-custody records at the asset level. It's imperative to prove that the actual data-bearing device (the hard drive, for example) was properly sanitized or destroyed. To provide this assurance and prove continuous chain of custody, ITAD providers should tie that hard drive back to its parent laptop, desktop, or server.

But laptops, desktops, servers, and other end-user and data center equipment shouldn't be the only assets you send to your ITAD provider. Printers, scanners, copiers, blood glucose machines, and even vital sign machines can contain patient information. All these devices need to be properly sanitized or destroyed in accordance with HIPAA regulations. Some may be equipped with a data-bearing device that needs to be removed and shredded to keep that data secure.

Breadth of Assets Processed

Likely, your organization also has medical and lab equipment that needs to be properly dispositioned. To avoid onboarding another provider for facilities equipment, explore the breadth of your ITAD provider's processing capabilities before making a commitment. An ITAD provider with a dual specialty in the sanitization, refurbishment, and recycling of medical and lab equipment can provide additional convenience and efficiencies. Questions to ask include:

  • Can you offer on-site and off-site shredding for employee ID badges, pagers, etc.?
  • Do you have a specific process for handling respiratory ventilators, defibrillators, ESUs, SEMs, and other medical/lab equipment? Please describe in detail how you would process an ESU.
  • How do you guarantee that you will remove data-bearing devices from non-client equipment such as blood glucose machines and MRI equipment?

At Sprout, we partner with healthcare organizations to pack, transport, data-sanitize, refurbish, and recycle a wide range of equipment, including:

  • Mobile devices
  • Pagers
  • Desktop and laptop equipment
  • Copiers and printers
  • TVs and monitors
  • IV pumps
  • Defibrillators
  • EKG machines
  • MRI, ultrasound, and x-ray machines
  • Lab testing equipment
  • And more (just ask)
