Information Security Considerations for Decommissioning Medical Devices
What do you do with a medical device when it reaches the end of its useful life? If the device was used to store, generate, or communicate protected health information (PHI) or other sensitive data, you can't dispose of the device "as is." You'll first need to take steps to minimize security risks. Creating a structured decommissioning process now will help ensure that the protections you need are in place when you dispose of medical devices in the future.
Data security concerns
For any medical device that may contain sensitive data, the decommissioning process needs to account for the proper disposal of that data, regardless of whether the device is to be destroyed, sold, refurbished, reassigned to another location within the facility, or otherwise reused.
Imaging devices, for example, generate data that constitutes PHI, and most have the ability to store or archive that data until it is transmitted to integrated clinical systems. Cardiac device programmers take data from the patient for analysis. Smartphones that are used in a clinical environment contain patient care and other sensitive data from secure communications between clinicians. These are a few of the many technologies and scenarios that would be of concern if data is not safeguarded before a device leaves the facility's control.
The need to safeguard PHI and other patient data is an obvious concern. Healthcare facilities can be subject to fines or other penalties if unsecured PHI is made accessible to unauthorized parties. However, PHI breaches are not the only concern. Some devices include sensitive information technology (IT) data that could be used as intelligence in a cyberattack against your organization. Examples include network configuration settings and user, device, or network credentials, such as a wireless Pre-Shared Key or Active Directory accounts.
Steps to facilitate decommissioning
Several steps can be taken in advance to facilitate decommissioning when a device is no longer needed for use at a healthcare facility.
One key step is to maintain an up-to-date inventory of all devices and systems that store, generate, or communicate PHI or other sensitive data. This information will help you identify devices that require data security measures when decommissioning.
ECRI recommends recording data security details for each device in your computerized maintenance management system (CMMS) or similar equipment database for easy retrieval. Facility-owned mobile communication devices should be included in this effort.
For many devices, data security details can be found on the device's Manufacturer Disclosure Statement for Medical Device Security (MDS2) form. The MDS2 is a standardized form filled out by medical device manufacturers to communicate information about their devices' security and privacy characteristics to current device owners and potential buyers.
Additionally, ECRI recommends encrypting data stored on a device whenever possible, and documenting when the data on a device has been encrypted. Encryption makes stored data inaccessible to an unauthorized party, provided the key is not stored on or shipped with the device. Thus, encryption provides protection in the event that the chain of custody of the device is broken, and, where the device supports it, securely destroying the key at decommissioning renders any data left on the media unrecoverable. Documenting the process will assist future audits and is useful in the event of a HIPAA-related investigation.
Steps for decommissioning medical devices
When it comes time to decommission any medical device that may contain sensitive data, ECRI recommends the following steps:
- Request information from the device manufacturer about all the locations where data is stored on the device and about recommended methods for removing sensitive data during decommissioning. Ask whether software utilities are available to wipe sensitive data. The device's instructions for use may offer some guidance, but facilities may need to contact the manufacturer directly for this information.
- Destroy or remove the data on the device using the most secure method practical, given the intended destination for the device. If the device is to be destroyed, then the storage media itself (e.g., a computer's hard drive, an SD card, a USB drive) can be destroyed; that is the best-case scenario from an information security perspective. However, if the device is to be transferred for use in another setting, the storage media must be handled in a way that allows the device to remain functional.
  Organized from most to least secure, common data destruction methods are: (a) removing and physically destroying the storage media; (b) sanitizing the storage media by overwriting it with a software wiping tool and verifying the overwrite; (c) performing a factory reset; (d) using device-provided delete functions, either in the device user interface or at the operating-system level. With the last two methods the data itself is often not overwritten; only the directory entries or pointers to it are removed, so the data stays on the media and can be recovered with forensic tools until it is overwritten. These options make data retrieval difficult, but not impossible.
- Disassociate the device from any management server or cloud service. A remote patient monitoring system, for example, may be associated with a cloud service during use. If the device isn't disassociated from the cloud service, the device could rejoin the cloud management system if it's reactivated later, giving an unaffiliated user access to data from the original facility. Disassociation may be performed at the device, at the server/cloud interface, or both. Refer to the documentation for specific instructions.
- Remove all IT and interoperability configurations. This can include, but is not limited to, IP addresses, wireless settings, Active Directory accounts, and DICOM configurations.
- If using a salvage company or other third party to dispose of the device or its storage media, wipe data prior to transfer and obtain documentation (e.g., a certificate of destruction) confirming that the storage media will be destroyed. It is advisable to have a business associate agreement with that service provider to ensure compliance.
- Document in your CMMS and/or configuration management database that the device has been decommissioned, including serial numbers and details about the method used to destroy or secure the data.
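The following is an added example, not part of the ECRI article and not an ECRI tool. It illustrates two points from the steps above: why a device-level or OS-level delete removes only the pointer to the data, and how to verify that a software wipe actually overwrote the media before the device leaves your control. It assumes a workflow in which the device's storage media is imaged with a block-level copy (for example with dd) and the resulting file is scanned; the toy directory layout, the DICOM-like payload, and the patient identifiers are constructed for the demonstration.

```python
"""Scan a raw media image for residual plaintext after decommissioning.

Assumed workflow (an assumption, not from the article): the storage media
is imaged block-for-block and the image file is passed to scan_image().
"""
import re

BLOCK = 512
DICOM_MAGIC = b"DICM"   # DICOM Part 10 files: 128-byte preamble, then "DICM"


def find_dicom_headers(image: bytes) -> list[int]:
    """Offsets of every "DICM" magic in the image (a carving heuristic, not a parser)."""
    return [m.start() for m in re.finditer(re.escape(DICOM_MAGIC), image)]


def find_strings(image: bytes, min_len: int = 8) -> list[str]:
    """Printable-ASCII runs, like the strings(1) utility, to spot names and IDs."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def scan_image(image: bytes) -> dict:
    """Summarize residual content. 'sanitized' means a verified zero fill."""
    nonzero = len(image) - image.count(0)
    return {
        "size": len(image),
        "nonzero_bytes": nonzero,
        "dicom_headers": find_dicom_headers(image),
        "strings": find_strings(image),
        "sanitized": nonzero == 0,
    }


# --- Constructed toy media: why OS-level delete is not sanitization ---

def make_sample_media(blocks: int = 8) -> bytearray:
    """Constructed image: block 0 holds one directory entry (name, start block,
    length); block 1 holds a DICOM-like file carrying patient identifiers.
    The layout and the identifiers are invented for illustration."""
    media = bytearray(BLOCK * blocks)
    payload = (b"\x00" * 128 + DICOM_MAGIC
               + b"\x10\x00\x10\x00PN\x08\x00DOE^JANE"     # toy (0010,0010) PatientName
               + b"\x10\x00\x20\x00LO\x0a\x00MRN0001234")  # toy (0010,0020) PatientID
    media[BLOCK:BLOCK + len(payload)] = payload
    entry = (b"IMG0001.DCM".ljust(16, b"\x00")
             + (1).to_bytes(4, "little")
             + len(payload).to_bytes(4, "little"))
    media[0:len(entry)] = entry
    return media


def os_delete(media: bytearray) -> None:
    """What a 'delete' in the device UI or OS typically does: clear the
    directory entry (the pointer). The file's bytes stay on the media."""
    media[0:24] = b"\x00" * 24


def wipe(media: bytearray) -> None:
    """Overwrite every byte with zeros; scan_image() then verifies the result."""
    media[:] = bytes(len(media))


def demo() -> tuple[dict, dict]:
    """Return the scan results after an OS-level delete and after a wipe."""
    media = make_sample_media()
    os_delete(media)
    after_delete = scan_image(bytes(media))   # identifiers still recoverable
    wipe(media)
    after_wipe = scan_image(bytes(media))     # nothing left to recover
    return after_delete, after_wipe


if __name__ == "__main__":
    deleted, wiped = demo()
    print("after delete:", deleted["sanitized"], deleted["dicom_headers"], deleted["strings"])
    print("after wipe:  ", wiped["sanitized"], wiped["dicom_headers"], wiped["strings"])
```

The "sanitized" check here assumes a zero-fill wipe. If the wiping tool writes a fixed pattern or random data, or if the device was encrypted and the key was destroyed instead, the image will legitimately contain non-zero bytes; in that case compare the image against the pattern the tool documents, and treat any recovered "DICM" header or printable patient identifier as a failed wipe. Record the scan result alongside the serial number in the CMMS entry described in the last step.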