Risk: Lack of guidelines on how hardware or electronic media are to be disposed
Explanation: It is not just important to protect and secure the devices is in use. It is equally important to consider what will happen to ePHI stored in these devices, when they are not in use, and are being disposed off. If these media are not properly disposed off, it poses the same level of risk as when they are in use. This is often an overlooked scenario.
Major Mitigation: When each electronic media reaches the stage when it is ready to be disposed off, there must be laid down policies and procedures that describes how ePHI can be completed erased off before the media is disposed off. One of the methods used is degaussing (magnetic field is used to erase the data) to clean up the media before disposal. Or damaging the media beyond repair, so that it cannot be accessed any further can also be done. The policies must also define the need for logs/book keeping of the disposed media and how the data was erased.
Secondary Mitigation: Organizations also may defer the disposal of these media until a period of time, may be years, so that the data contained in there becomes obsolete. But yet, these same policies of erasing these obsolete data before they are disposed off needs to be in place. Also the security of these ‘going to be’ disposed of data must be considered.
Success Criteria: Audit of the logs and book keeping records will provide the information on whether the policies are being followed. And the risk assessment report will give a clearer picture whether this risk has been mitigated or not.