Device and Media Controls
Description
Implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of the facility, and the movement of those items within the facility (HIPAA 45 CFR 164.310(d)).
⚠️ Risk Impact
Medical equipment retains data long after its operational life. Retired servers, MRI consoles, ultrasound carts and imaging workstations commonly hold patient data on internal disks. Disposing of them without sanitization is a recurring HIPAA breach pattern.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Maintain an inventory of every device and medium that holds ePHI. Encrypt media at rest, which makes cryptographic erasure (destroying the key) available as a sanitization method. Before disposal, sanitize per NIST SP 800-88: cryptographic erase, or overwrite where the medium supports it. Multi-pass "DoD-grade" overwrites do not reliably sanitize SSDs and other flash media because of wear levelling and over-provisioning; use cryptographic erase or physical destruction for those. Verify a sample of sanitized media before release, use certified disposal vendors, and retain a certificate of destruction for each asset.
💀 Real-World Attack Scenario
A hospital disposed of 47 retired imaging workstations via a recycling vendor. The workstations contained DICOM images with patient identifiers. Inspection found 31 of 47 still had recoverable patient images. OCR settlement: $2.4M + corrective action plan including data destruction verification.
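The inspection in this scenario, and the cryptographic-erase remediation above, as an added Python example that is not part of the EchelonGraph page or product: it builds a constructed in-memory disk image holding three synthetic DICOM files, carves it for the Part 10 "DICM" signature (the check an auditor runs on retired media) after a vendor quick-format, and again after the disk has been encrypted at rest and its key destroyed. The DICOM layout is simplified (no file meta group) and a SHA-256 counter keystream stands in for the drive's AES-XTS; both are assumptions for illustration, and no real patient data is involved.

```python
import hashlib
import secrets

SECTOR = 512
DICM_MAGIC = b"DICM"                      # DICOM Part 10 prefix, at file offset 128
PATIENT_NAME_TAG = b"\x10\x00\x10\x00PN"  # (0010,0010) PatientName, explicit VR LE


def build_dicom_file(patient_name: str, pixel_bytes: int = 1024) -> bytes:
    """Constructed minimal DICOM file: preamble, 'DICM', a PatientName element, filler.
    Real files carry a file meta group (0002,xxxx) first; omitted here (assumption)."""
    name = patient_name.encode("ascii")
    if len(name) % 2:                     # DICOM values are padded to even length
        name += b" "
    element = PATIENT_NAME_TAG + len(name).to_bytes(2, "little") + name
    return b"\x00" * 128 + DICM_MAGIC + element + b"\x7f" * pixel_bytes


def build_disk_image(patient_names, total_sectors: int = 64) -> bytes:
    """Lay the constructed files out sector-aligned on a blank 'disk'."""
    image = bytearray(total_sectors * SECTOR)
    image[:SECTOR] = b"\x55" * SECTOR     # stand-in for partition table / boot sector
    cursor = SECTOR
    for name in patient_names:
        data = build_dicom_file(name)
        image[cursor:cursor + len(data)] = data
        cursor += -(-len(data) // SECTOR) * SECTOR   # advance to next sector boundary
    return bytes(image)


def carve_dicom(image: bytes) -> list:
    """Signature-carve the raw image: each 'DICM' hit is a candidate study, and the
    PatientName element that follows it is the identifier an auditor would report."""
    hits = []
    pos = image.find(DICM_MAGIC)
    while pos != -1:
        window = image[pos:pos + 4096]
        tag = window.find(PATIENT_NAME_TAG)
        name = None
        if tag != -1:
            length = int.from_bytes(window[tag + 6:tag + 8], "little")
            name = window[tag + 8:tag + 8 + length].decode("ascii", "replace").strip()
        hits.append({"offset": pos, "patient_name": name})
        pos = image.find(DICM_MAGIC, pos + len(DICM_MAGIC))
    return hits


def quick_format(image: bytes) -> bytes:
    """What a vendor 'format' typically does: zero the partition table, leave the data."""
    return b"\x00" * SECTOR + image[SECTOR:]


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: a stand-in for the drive's AES-XTS (assumption,
    not a production cipher), enough to show what ciphertext without its key looks like."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_at_rest(image: bytes, key: bytes) -> bytes:
    """Full-disk encryption of the image under `key` (XOR with the keystream)."""
    ks = keystream(key, len(image))
    return (int.from_bytes(image, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(image), "big")


def verification_record(label: str, image: bytes) -> dict:
    """Evidence to attach to a certificate of destruction: image hash plus carve result."""
    hits = carve_dicom(image)
    return {
        "media": label,
        "sha256": hashlib.sha256(image).hexdigest(),
        "dicom_hits": len(hits),
        "recovered_names": [h["patient_name"] for h in hits],
        "sanitized": len(hits) == 0,
    }


def run_demo(key: bytes = None) -> dict:
    """Run the same carve over the two disposal paths for one constructed disk."""
    key = key or secrets.token_bytes(32)
    names = ["DOE^JANE", "ROE^RICHARD", "TEST^PATIENT"]   # synthetic, constructed
    plaintext_disk = build_disk_image(names)
    # Path 1: unencrypted disk, vendor quick-formats it. Every study still carves out.
    formatted = verification_record("WS-1 quick-formatted", quick_format(plaintext_disk))
    # Path 2: disk was encrypted at rest; cryptographic erase means destroying `key`.
    # What remains on the platters or flash is ciphertext only, which carries no signature.
    encrypted_disk = encrypt_at_rest(plaintext_disk, key)
    del key
    erased = verification_record("WS-2 crypto-erased", encrypted_disk)
    return {"quick_format": formatted, "crypto_erase": erased}


if __name__ == "__main__":
    for rec in run_demo().values():
        print(f"{rec['media']}: {rec['dicom_hits']} DICOM hits, "
              f"names={rec['recovered_names']}, sanitized={rec['sanitized']}")
```

On real media the same carve is done with a tool such as photorec or foremost (or a DICOM-aware carver) against a sample of drives before the certificate of destruction is signed; the record returned here is the kind of evidence to attach to it. The crypto-erase result only holds if the key existed nowhere else (self-encrypting drive or TPM-sealed) and its destruction is itself verifiable.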
💰 Cost of Non-Compliance
Healthcare disposal-related breaches: avg $4.45M (Privacy Rights Clearinghouse 2024).
📋 Audit Questions
1. Is there a media inventory that tracks every device and medium holding ePHI?
2. Is there a documented disposal and sanitization procedure?
3. Are certificates of destruction retained for disposed media?
4. Is encryption at rest enforced on all media holding ePHI?
⚡ Common Pitfalls
- ⛔ Medical equipment vendor takes devices back without a verifiable wipe
- ⛔ Backup tapes disposed of without inventory tracking
- ⛔ Workstations donated to schools or charities without a wipe
📈 Business Value
Documented disposal prevents the 'forgotten device' breach pattern in healthcare.
⏱️ Effort Estimate
Per disposal: ~1 hour of documentation
EchelonGraph tracks cloud-volume disposal events
Automate HIPAA 164.310(d) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.