Data security concerns
For any medical device that may contain sensitive data, the decommissioning process needs to account for the proper disposal of that data, regardless of whether the device is to be destroyed, sold, refurbished, reassigned to another location within the facility, or otherwise reused.
Imaging devices, for example, generate data that constitutes PHI, and most have the ability to store or archive that data until it is transmitted to integrated clinical systems. Cardiac device programmers take data from the patient for analysis. Smartphones that are used in a clinical environment contain patient care and other sensitive data from secure communications between clinicians. These are a few of the many technologies and scenarios that are of concern if data is not safeguarded before a device leaves the facility's control.
The need to safeguard PHI and other patient data is an obvious concern. Healthcare facilities can be subject to fines or other penalties if unsecured PHI is made accessible to unauthorized parties. However, PHI breaches are not the only concern. Some devices include sensitive information technology (IT) data that could be used as intelligence in a cyberattack against your organization. Examples include network configuration settings and user, device, or network credentials, such as a wireless Pre-Shared Key or Active Directory accounts.
Steps to facilitate decommissioning
Several steps can be taken in advance to facilitate decommissioning when a device is no longer needed for use at a healthcare facility.
One key step is to maintain an up-to-date inventory of all devices and systems that store, generate, or communicate PHI or other sensitive data. This information will help you identify devices that require data security measures when decommissioning.
ECRI recommends recording data security details for each device in your computerized maintenance management system (CMMS) or similar equipment database for easy retrieval. Facility-owned mobile communication devices should be included in this effort.
For many devices, data security details can be found on the device's Manufacturer Disclosure Statement for Medical Device Security (MDS2) form. The MDS2 is a standardized form filled out by medical device manufacturers to communicate information about their devices' security and privacy characteristics to current device owners and potential buyers.
Additionally, ECRI recommends encrypting data stored on a device whenever possible—and documenting when the data on a device has been encrypted. Encryption protects data and makes it inaccessible to an unauthorized party. Thus, encryption provides protection in the event that the chain of custody of the device is broken. Documenting that process will assist future audits and is useful in the event of a HIPAA-related investigation.
Steps for decommissioning medical devices
When it comes time to decommission any medical device that may contain sensitive data, ECRI recommends the following steps: