
27 June 2022
Stay HIPAA compliant and mitigate risk with the right ITAD solution

Properly disposing of IT assets that have reached the end of their lifecycle is critical to ensuring your healthcare organization remains secure. Choosing the right ITAD solution can help you achieve this.

The improper disposal of end-of-life IT assets at a healthcare organization introduces risks that can cause serious damage not only to the organization's patients but also to the organization's reputation. These risks include compromised data security and liability for environmental damage.

Improper disposal of IT assets leads to security risks

When it comes to data security, many are aware of the damage that a data breach can do to a healthcare organization. In addition to the theft and exposure of patients' protected health information (PHI), data breaches are incredibly costly to the organization. According to Ponemon's 2017 Cost of Data Breach Study: Global Overview, the per capita cost of a data breach in the healthcare industry in 2017 was $380 per lost or stolen record.

Furthermore, non-compliance can be costly.

In March 2016, North Memorial Health Care in Minnesota paid a $1.55 million settlement for not having a Business Associate Agreement (BAA) with a contractor that had access to PHI, and for not performing an organization-wide risk analysis.

In August 2016, Advocate Health Care in the Chicago area paid a $5.55 million settlement and agreed to a corrective action plan after failing to conduct a proper risk analysis, to maintain policies and procedures limiting access to its information systems, and to enter into a BAA with a billing vendor.

Compliance is important, to say the least, and this includes making sure that you're properly disposing of IT assets that may contain PHI.

Partner with your ITAD vendor to prep for OCR audits

To protect data and to be ready for an Office for Civil Rights (OCR) audit, work through the following with your ITAD vendor:

  • Review and execute an up-to-date BAA with the vendor. An ITAD vendor that handles media containing PHI is a Business Associate under HIPAA.
  • Review and update the security policy that governs disposal. It should be reviewed every year and cover every data storage device likely to contain PHI, including storage inside medical devices and imaging equipment. Iron Mountain has developed a sample "IT Asset Control and Disposal Policy" template.
  • Ensure that you have access to disposition records or Certificates of Destruction, and that they identify each device by serial number together with the sanitization method used and the date, so that they can be reconciled against your own asset register.
  • Ensure proper sanitization of media that held electronic medical records. Although the HIPAA standards are technology neutral, the guidance offered is to follow NIST SP 800-88 Rev. 1, "Guidelines for Media Sanitization", which defines three categories of sanitization (Clear, Purge and Destroy) and expects the chosen method to be verified and documented.
  • Conduct proper due diligence on all Business Associates. Covered entities need to demonstrate that they contract only with firms that have reasonable controls in place to prevent the loss of PHI and to respond properly to a suspected data breach.

What to look for in an ITAD vendor

While the disposal of end-of-life IT assets and medical devices is important, not just any ITAD vendor will do. Make sure you perform thorough due diligence and ensure that your ITAD vendor has the appropriate certifications and processes in place.

Some of the third-party certifications and standards to look for include the following:

  • e-Stewards: Recognizes the electronics recyclers that adhere to the most stringent environmentally and socially responsible practices when recovering hazardous electronic materials.
  • ISO 9001: This standard addresses the fundamentals of quality management systems based on seven quality management principles.
  • ISO 14001: This family of standards is related to environment management. It helps organizations minimize their negative impact on the environment and comply with applicable laws, regulations, and requirements.
  • ISO 27001: Requires that a company implements and maintains an Information Security Management System (ISMS) that ensures adequate security controls and processes are in place to protect sensitive information.
  • OHSAS 18001: Helps organizations monitor and improve occupational health and safety performance. It has been superseded by ISO 45001, so expect newer certificates to cite that standard instead.
  • NIST SP 800-88: A guideline rather than a certification. It helps organizations choose sanitization methods that preserve the confidentiality of their information. A vendor claiming 800-88 compliance should be able to state which category (Clear, Purge or Destroy) it applies to each media type and how it verifies the result.

In addition to the above, it's also important to perform your own due diligence on your ITAD vendor's systems, processes, and procedures.

One important process they should be able to demonstrate is a secure chain of custody: a fully documented, step-by-step history of who possessed each asset from pickup to final disposition, tracked by serial number. A complete audit report should be available to you so that you always know where the data is and where it has been, and so that every asset you released can be matched to a disposition record.
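The reconciliation that the disposition records and chain-of-custody points above call for is easy to automate, and doing so is the quickest way to find the gaps an OCR auditor would ask about. The script below is an added example, not Iron Mountain's code or any vendor's tooling: it reads your asset register and the vendor's Certificate of Destruction, matches them by serial number, and reports devices with no proof of destruction, devices on the certificate that you never released, and PHI-bearing media sanitized below policy. The CSV layouts, column names, sample rows and the policy rule itself (media that held PHI must be Purged or Destroyed, in the NIST SP 800-88 Rev. 1 sense) are assumptions of the example; adapt them to your own register and your vendor's report format.

```python
"""Reconcile an IT asset register against an ITAD vendor's Certificate of
Destruction (CoD) before an OCR auditor asks for the same evidence.

This is an added illustration, not Iron Mountain's code or tooling. The CSV
layouts, column names and the policy rule below (media that held PHI must be
Purged or Destroyed, in the NIST SP 800-88 Rev. 1 sense) are assumptions of
the example; adapt them to your own register and your vendor's report format.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sanitization categories defined in NIST SP 800-88 Rev. 1.
CLEAR, PURGE, DESTROY = "clear", "purge", "destroy"
VALID_METHODS = {CLEAR, PURGE, DESTROY}

# Example policy (assumption): anything that held PHI gets Purge or Destroy.
PHI_REQUIRED_METHODS = {PURGE, DESTROY}

# Constructed sample register: the devices you handed over to the vendor.
ASSET_REGISTER_CSV = """\
asset_tag,serial,media_type,contains_phi
HC-0001,S4XZNA0M412345,ssd,yes
HC-0002,WD-WCC4E1234567,hdd,yes
HC-0003,WD-WCC4E7654321,hdd,no
HC-0004,S4XZNA0M999999,ssd,yes
HC-0005,RADX-IMG-55501,imaging_workstation,yes
HC-0006,ST2000DM001-ABC1,hdd,yes
"""

# Constructed sample CoD as a vendor might return it (note the case change on
# one serial and a free-text method that maps to no 800-88 category).
CERT_OF_DESTRUCTION_CSV = """\
serial,method,date,technician
S4XZNA0M412345,purge,2022-06-01,jdoe
wd-wcc4e1234567,destroy,2022-06-01,jdoe
WD-WCC4E7654321,clear,2022-06-01,jdoe
S4XZNA0M999999,clear,2022-06-01,jdoe
ST2000DM001-ABC1,wiped,2022-06-01,jdoe
UNKNOWN-SERIAL-01,destroy,2022-06-01,jdoe
"""


@dataclass
class ReconciliationResult:
    # Sent to the vendor, but no line on the CoD: no proof the PHI is gone.
    missing_from_cod: List[str] = field(default_factory=list)
    # On the CoD, but never in your register: a chain-of-custody gap.
    unexpected_on_cod: List[str] = field(default_factory=list)
    # PHI-bearing media sanitized below the policy threshold.
    policy_violations: List[Tuple[str, str]] = field(default_factory=list)
    # Method text that is not a recognised 800-88 category.
    invalid_methods: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.missing_from_cod or self.unexpected_on_cod
                    or self.policy_violations or self.invalid_methods)


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def normalize_serial(serial: str) -> str:
    # Vendors transcribe serials with varying case and stray whitespace.
    return serial.strip().upper()


def reconcile(register_csv: str, cod_csv: str) -> ReconciliationResult:
    result = ReconciliationResult()
    register = {normalize_serial(r["serial"]): r for r in _rows(register_csv)}

    cod: Dict[str, str] = {}
    for row in _rows(cod_csv):
        serial = normalize_serial(row["serial"])
        method = row["method"].strip().lower()
        if method not in VALID_METHODS:
            result.invalid_methods.append((serial, row["method"]))
        cod[serial] = method

    for serial, asset in register.items():
        if serial not in cod:
            result.missing_from_cod.append(asset["asset_tag"])
        elif (asset["contains_phi"].strip().lower() == "yes"
              and cod[serial] not in PHI_REQUIRED_METHODS):
            # An unrecognised method is also a violation: it proves nothing.
            result.policy_violations.append((asset["asset_tag"], cod[serial]))

    result.unexpected_on_cod = sorted(s for s in cod if s not in register)
    return result


if __name__ == "__main__":
    r = reconcile(ASSET_REGISTER_CSV, CERT_OF_DESTRUCTION_CSV)
    print("missing from CoD:  ", r.missing_from_cod)
    print("unexpected on CoD: ", r.unexpected_on_cod)
    print("policy violations: ", r.policy_violations)
    print("invalid methods:   ", r.invalid_methods)
    print("clean:", r.clean)
```

Run against the constructed data, the imaging workstation (HC-0005) has no disposition record at all, two PHI-bearing drives were only "cleared" or "wiped" rather than purged or destroyed, and the vendor reports destroying a serial you never released. Each of those is a finding to raise with the vendor before the audit, and the serial normalization is what keeps a vendor's re-typed serial from showing up as a false "missing" item.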

Conclusion

The proper disposition of end-of-life IT assets and medical equipment is critical to keeping your healthcare organization secure and HIPAA-compliant. The absence of formal ITAD policies and procedures can expose your organization to significant data security, environmental, and reputation risk. Partnering with an ITAD vendor that has the proper certifications and secure chain-of-custody processes in place is the key to mitigating these risks.
