Reminder from HHS regarding Cyber Security and Disposing of Equipment
by Kathy Everitt
Thursday, January 31, 2019
We have heard it before, although it is easy to forget. The digital equipment we use every day captures and stores electronic PHI (aka E-PHI or PII). So, when we replace a cell phone, copier, computer, USB drive or other removable media, we may not remember to ensure the equipment or device is wiped clean before it's handed off to someone.
This includes giving devices to employees or organizations that accept donated computers or cell phones or make them available at a reduced price.
The process of wiping the devices or tools clean is called “decommissioning” them. The decommissioning takes place prior to disposal and should include:
- Confirming the device or tool is thoroughly erased and securely destroyed or recycled
- Maintaining a list of devices/tools which are decommissioned, when and how and by whom
- If the decommissioning is taking place away from your premise, indicate when the device was last used and when it left your control
- If a commercial organization is decommissioning the device/tools:
- Request a certificate of destruction
- Certificate should list:
- Manufacturer name of item, model and serial number
- Method of destruction
- Media type
- Verification of destruction
In July, HHS issued the following reminder regarding disposing of equipment. https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf .
You can find more detailed information from NIST at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf