Kick ACE Blog
Hi! I'm Bob McCarthy
I write things
October 12, 2020
5 Tips for Verifying Secure Destruction
I am often asked, "How can a company verify with confidence that their product sent for secure destruction was actually destroyed?"
In lieu of Apple's lawsuit announcement against a third party vendor for selling product that was supposed to be destroyed, I thought it would be necessary to delve into this incredibly important topic. (See article below for full story)
So, why would a business demand secure destruction of their product? The most common reason is that said company is extremely concerned with data security and has decided to destroy their data-containing devices to eliminate their risk. Obsolete R&D and proprietary devices are some other categories that could pose a threat to an organization if not properly destroyed. On the other hand, there are also types of risk more closely related to sales. A company may have excess inventories of new product that they would rather destroy and recycle than have them resold on the open market. This way, they won't be competing against their own products in the marketplace. Lastly, we have seen unsafe products make their way back into the market after the manufacturer contracted with a vendor intending to have them destroyed, ultimately putting the public at risk.
Unfortunately, companies are often misled by their downstream vendors only to find their products deemed for destruction, not destroyed. Shocker, right?! Over the course of my 20 years in the industry, I have seen time and time again, companies getting screwed.
So what steps can a company take to ensure proper destruction?
Use only a vendor that will not subcontract out the destruction services, and they themselves are a certified facility (R2, NAID, eStewards, ISO9001, etc.). Facility certifications require detailed written processes, documentation to verify that those processes are followed, and are required to maintain all records.
Require a signed certificate of destruction detailing the serial numbers of the devices destroyed.
Request pre and post-destruction photos or video footage of the product being destroyed.
Have the vendor verify a mass balance by measuring the weight of product going into the shredder versus the weight of the commodities coming out (plastic, steel, circuit boards, aluminum, etc.).
Witness the destruction first-hand, or send an independent third-party witness to observe and document destruction.
September 18, 2020
Data Security & HIPAA
As healthcare networks across the country have allowed employees to work from home, it is essential to remember this equipment needs to be handled appropriately as people come back to work. We at ACE understand the risks and returns this equipment can provide to an entity.
45 CFR 164.310(d)(2)(i) and (ii) covers the disposal of electronic equipment, which requires policies and procedures to be developed and implemented to address the final disposition of ePHI (Electronic Protected Health Information), and the media on which it is stored. ePHI must be removed from electronic devices before they are re-used, scrapped, or recycled.
Prior to disposing of electronic media, all ePHI on the devices must be rendered unreadable, indecipherable, and incapable of being reconstructed. OCR suggests clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (physical destruction) the information from the electronic media.
If a covered entity is unable to perform these actions, a vendor can be used. That vendor would naturally be a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.
The failure to remove ePHI prior to disposal is a violation of HIPAA Rules, and one that could potentially result in an impermissible disclosure of protected health information. It could also lead to a financial penalty for noncompliance with HIPAA Rules.