Media handling
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2018-05-15
- reviewed: 2018-06-20
- Applicability: standard
Dispose of all media containing PHI so that data cannot be recovered
- Media includes
- drives (such as HDDs and SSDs)
- removable media (such as SD cards, memory sticks and CD-ROMs)
- Transfer reponsibility
- for operational systems media to cloud providers.
- When disposing of media that contain or contained PHI
- In the case of media that is encrypted, erase the drives in the normal fashion prior to disposal.
- In the case of media that is not encrypted
- If the media is an HDD, securely erase the drive before disposal.
- If the media is an SSD, securely destroy the media before disposal.
- If the media is of another type, securely destroy the media before disposal.
- In the case of media that is not encrypted
- In the case of media that is encrypted, erase the drives in the normal fashion prior to disposal.
- When disposing of other media that contains PHI
- destroy the media prior to disposal.
Code Section Title Text ISO A.8.3.1 Management of removable media Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. ISO A.8.3.2 Disposal of media Media shall be disposed of securely when no longer required, using formal procedures. CHI SR34 Disposing of Media Containing PHI All organizations connecting to the EHRi or hosting components of the EHRi should destroy, permanently erase or make anonymous PHI contained on media that is no longer required.
- destroy the media prior to disposal.
Securely erase all media containing PHI, before any media may be re-used
- When re-using media that contain or contained PHI
- In the case of media that are encrypted, erase the media in the normal manner prior to re-use.
- In the case of media that are not encrypted
- If the media are HDDs, securely erase the HDDs prior to re-use.
- Otherwise, do not re-use the media.
Code Section Title Text HIPAA 164.310(d)(2)(ii) Media re-use (ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
- In the case of media that are not encrypted
- In the case of media that are encrypted, erase the media in the normal manner prior to re-use.
Encrypt and back up all media (including virtual media) containing PHI
- Don’t put sensitive data on removable media.
Code Section Title Text MedStack Cryptography ISO A.8.3.3 Physical media transfer Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. CHI SR33 Protecting PHI on Portable Media All organizations hosting components of the EHRi must – and organizations connecting to the EHRi should ensure that PHI and other security-critical data stored on removable media are: a) Encrypted while the media is in transit to protect the data’s confidentiality and integrity; and b) Protected from theft, where appropriate, while the media is in transit to protect the data’s availability. CHI SR35 Protecting Data Storage All organizations hosting components of the EHRi must protect electronic media containing PHI or security-critical system data, including user registration data, by one or more of the following means: a) Physically protecting the media in accordance with Security Requirement 17 – Physically Securing EHRi Systems b) Securely de-identifying the PHI it contains; or c) Encrypting the data it contains. CHI SR36 Protecting Storage of Unencrypted PHI in the EHRi All organizations hosting components of the EHRi must monitor the status and location of media containing unencrypted EHRi data or security-critical data, including user registration data, and ensure this data remains physically protected.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.8.3 | Media handling | To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |
| ISO | A.11.2.7 | Secure disposal or re-use of equipment | All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
| HIPAA | 164.310(d) | Device and media controls | (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. (2) Implementation specifications: (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. (ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. (iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. (iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. |