Media handling

MedStack Confidential

Metadata

Erase or destroy media containing PHI before it is disposed of or re-used, so that the data cannot be recovered. Deleting files or quick-formatting a device is not sufficient: the media must be overwritten, cryptographically erased, or physically destroyed.

ISO A.8.3.1 Management of removable media
ISO A.8.3.2 Disposal of media
CHI SR34 Disposing of Media Containing PHI
HIPAA 164.310(d)(2)(i) Disposal (Required)
HIPAA 164.310(d)(2)(ii) Media re-use (Required)
SOC2 CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2 CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Don’t put sensitive data on removable media

ISO A.8.3.3 Physical media transfer
CHI SR33 Protecting PHI on Portable Media
CHI SR35 Protecting Data Storage
CHI SR36 Protecting Storage of Unencrypted PHI in the EHRi
SOC2 CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Enforcement

References

ISO A.8.3 Media handling
ISO A.11.2.7 Secure disposal or re-use of equipment
HIPAA 164.310(d)(1) Standard: Device and media controls
HIPAA 164.310(d)(2)(iii) Accountability (Addressable)
SOC2 CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2 CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.