Risk: Lack of guidelines on reuse of hardware or electronic media
Explanation: Hardware and electronic media are commonly reused rather than simply disposed of. They may be reused internally within the organization, or resold or donated to other organizations or individuals. Whatever the nature of the reuse, it is important that all ePHI is completely erased using official government-approved wiping methods before the hardware or media is given out for reuse. If this is not done, there is a fairly high chance of the data being exposed, thereby compromising ePHI.
Major Mitigation: Specific policies and procedures need to be defined that provide clear guidelines on the measures to be adopted when hardware or electronic media are reused. The risks associated with internal reuse of these media are often overlooked, and as a result there are no guidelines for it. Even with internal reuse, the same level of risk of unauthorized access exists.
Secondary Mitigation: Policies and procedures that advocate the use of logs and bookkeeping for such reuse would help to track these media more effectively.
Success Criteria: An audit of the logs and bookkeeping records will show whether the policies are being followed, and the risk assessment report will give a clearer picture of whether this risk has been mitigated.