Securing Electronic Media and Devices

A recent U.S. Department of Health and Human Services, Office for Civil Rights (OCR) Cyber Security Newsletter identified items employers should consider to secure electronic media and devices.

Electronic devices include many different hardware items, including laptops, smartphones, servers, desktops and tablets.  Electronic media includes storage devices including hard drives, USB drives, tapes and memory cards.  The OCR encourages organizations to consider what safeguards are appropriate to ensure the handling of electronic devices and media keeps the contents secure.  To reduce the risk of loss, theft and breach of protected health information, employers make sure to address the following items in their electronic device/media policies:

1. Tracking the location, movement, modification or repairs and disposition of devices and media throughout their life cycles.
2. Recording device and media movement including the persons responsible for the devices and media.
3. Training workforce members (including management) on the proper use and handling of devices and media to safeguard electronic PHI.
4. Controlling technical items, including access controls, audit controls, and encryption.

Organizations have different methods for reviewing and tracking the movement of electronic devices and a risk analysis should be completed.  For a copy of the Newsletter article, click here.