MedStack Technology Compliance Policies

Media handling

Erase or destroy media containing PHI prior to disposal or re-use to prevent data from being recovered

  • For operational systems, rely on cloud providers to erase and destroy media.
  • For media on workstations and mobile devices:
    • For encrypted media, destroy the encryption key or erase the drive using the standard system.
    • For unencrypted HDD media, erase the disk using a standard secure disk erasure system.
    • For unencrypted media of other types, securely destroy the media.
Code    Section              Title
ISO     A.8.3.1              Management of removable media
ISO     A.8.3.2              Disposal of media
CHI     SR34                 Disposing of Media Containing PHI
HIPAA   164.310(d)(2)(ii)    Media re-use
SOC2    CC6.5                The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2    CC6.7                The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Don’t put sensitive data on removable media

Code    Section    Title
ISO     A.8.3.3    Physical media transfer
CHI     SR33       Protecting PHI on Portable Media
CHI     SR35       Protecting Data Storage
CHI     SR36       Protecting Storage of Unencrypted PHI in the EHRi
SOC2    CC6.7      The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code    Section       Title
ISO     A.8.3         Media handling
ISO     A.11.2.7      Secure disposal or re-use of equipment
HIPAA   164.310(d)    Device and media controls
SOC2    CC6.5         The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2    CC6.7         The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.