Every business should be invested in properly disposing of IT assets, but this is especially important for businesses in the healthcare industry. Electronic health records have made it easier for healthcare companies to communicate with one another, transfer information, and serve customers, but it can be rather challenging to protect this sensitive information.

Healthcare providers and health insurance companies must comply with security standards established by the Health Insurance Portability and Accountability Act (HIPAA). These standards were put in place to protect consumers’ medical records and any other personal information collected by healthcare companies. To comply with HIPAA, businesses must protect this data from the time it is collected until it is destroyed.

How can healthcare companies ensure that they remain compliant? Here are some IT asset disposition tips for businesses within this industry:

Update Inventory

When it’s time to dispose of IT assets, healthcare companies should carefully track each asset until it has been destroyed. But you shouldn’t wait until you’re disposing of an asset to start tracking it. Healthcare companies should track their assets from the moment they are purchased. This way, they know exactly how many devices they own that contain sensitive data. Unfortunately, many companies fail to keep track of their inventory. As a result, they may not notice when a device is stolen from the facility because they’re not tracking it. If a device is stolen or misplaced, the data on that device is no longer being protected.

Your first priority should be to establish asset management procedures and policies. If you don’t have these in place, it will be impossible for you to track devices that are sent to an e-waste recycler to ensure they are properly destroyed.

Research Third Parties

About one-quarter of all data breaches are associated with a third party, which may make healthcare companies nervous about partnering with a third-party e-waste recycler. However, it is very unlikely that your company has the resources to handle the proper disposal of IT assets without a third-party vendor’s help. Therefore, it’s in your best interests to work with a third-party vendor as long as you take the time to thoroughly research the company first.

Before hiring a company, ask about physical safeguards such as security personnel, security checkpoints, and surveillance cameras. If devices that contain data are sitting within the facility waiting to be destroyed, you need to know that they are protected by these physical safeguards. You also need to know about technical safeguards. Ask the third party how devices are tracked from the moment they arrive at the facility all the way to the time they are destroyed. In addition, you need to learn who will have access to your company’s devices. It’s important to learn how employees are screened during the hiring process and what qualifications they must have in order to land a job at the facility.

A good way to determine if a facility is trustworthy is by asking about certifications. You should only work with a third party that has the e-Stewards and the National Association for Information Destruction (NAID) AAA certifications. The e-Stewards certification is only given to facilities that engage in responsible electronics reuse and recycling. A company with an e-Stewards certification has proved that they protect the environment, workers, and sensitive data during the destruction process. The NAID AAA Certification is further proof that the company can be trusted with sensitive data. This certification is only awarded to companies that prove they keep the data secure the entire time it is within their control. Companies must also show that they properly dispose of data in order to earn this certification.

Consult With the Third Party

In order to comply with HIPAA, healthcare companies must put policies and procedures related to the destruction of data in writing. If you’ve already found a third-party e-waste recycler, it’s a good idea to consult with them when putting these policies and procedures in writing. Doing this will ensure that you have a thorough and comprehensive plan in place to protect your customers’ confidential information.

Protect Information on All Assets

Many people think that the only assets that store confidential information are desktops, laptops, tablets, and smartphones, but that’s not the case. You may be surprised to learn that even copiers and printers found in a commercial setting can store sensitive information. Large copiers and printers often have internal hard drives that store copies of documents that have been recently copied or printed. These documents could contain sensitive information, which is why these assets need to be destroyed in the same manner that computers are. Don’t assume that data does not exist on a device just because you have never stored it there. In the healthcare industry, it’s best to assume that all of your IT assets contain sensitive information.

Request Proof

Don’t assume that the third-party e-waste recycler that you work with will properly destroy the data on your assets. Healthcare companies should always request proof that their data has been destroyed after it has been sent to an e-waste recycler. At ERI, we will provide a certificate as proof that the data was properly destroyed. We also allow our clients to watch a video of the destruction and give them access to a system that allows them to track each and every one of their assets. Make sure the e-waste recycler that you work with provides some sort of documentation that the data has been destroyed so you have proof that you are compliant with HIPAA.

If you’re in the healthcare industry, it’s imperative that you work with a reputable e-waste recycler. For more information on recycling electronics with ERI, or to request a quote, contact us today.