Policies, Agreements, Terms & Conditions
MedStack Technology Compliance Policies
Media handling
Erase or destroy media containing PHI prior to disposal or re-use to prevent data from being recovered
- For operational systems, rely on cloud providers to erase and destroy media.
- For media on workstations and mobile devices
- For encrypted media, destroy the encryption key or erase the drive using the standard system.
- For unencrypted HDD media, erase the disk using a standard secure disk erasure system.
- For unencrypted media of other types, securely destroy the media.
- For media on workstations and mobile devices
| Code | Section | Title |
|---|---|---|
| ISO | A.8.3.1 | Management of removable media |
| ISO | A.8.3.2 | Disposal of media |
| CHI | SR34 | Disposing of Media Containing PHI |
| HIPAA | 164.310(d)(2)(ii) | Media re-use |
| SOC2 | CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
| SOC2 | CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
Don’t put sensitive data on removable media
| Code | Section | Title |
|---|---|---|
| ISO | A.8.3.3 | Physical media transfer |
| CHI | SR33 | Protecting PHI on Portable Media |
| CHI | SR35 | Protecting Data Storage |
| CHI | SR36 | Protecting Storage of Unencrypted PHI in the EHRi |
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.8.3 | Media handling |
| ISO | A.11.2.7 | Secure disposal or re-use of equipment |
| HIPAA | 164.310(d) | Device and media controls |
| SOC2 | CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
Life Support Mental Health Inc. @ 2023
All Rights Reserved