MUSC Policy: Information Security - Device and Media Controls

 TITLE: Information Security  ID:
 ORIGINATOR: Information Security Office  DATE: Jan 23, 2009
 REVIEWED: President's Council  DATE: Jul 29, 2009
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: Jul 29, 2009
 IMPLEMENTATION: Enterprise-wide  DATE: Jul 29, 2009

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.310(d)(1) Standard: Device and media controls
HIPAA Security: 164.310(d)(2)(i) Disposal
HIPAA Security: 164.310(d)(2)(ii) Media Re-use
HIPAA Security: 164.310(d)(2)(iii) Accountability
HIPAA Security: 164.310(d)(2)(iv) Data backup and storage
FTC Safeguards Rule: 314.4(b)(2)
SC Financial Identity Fraud and Identity Theft Protection Act

2. POLICY

If an MUSC workstation or other system contains (or has ever contained) protected information, then the designated Owner of the system is responsible for ensuring that the device and media controls that govern the receipt, movement, and disposal of the system's hardware and electronic media are sufficient to meet all legal, ethical and business requirements.

Prior to disposal or surplus, all electronic media, regardless of whether they are believed to contain (or to have contained) protected information, must be sanitized (purged or cleared of all data) by an individual who has been certified in accordance with the MUSC Device and Media Disposal Procedures.

3. PROCEDURES

3.1. Definitions

Please refer to MUSC Policy: Information Security: Appendix A.

3.2. Scope of Controls

The system's device and media controls must govern the disposal and re-use of hardware or media that may contain protected information, and should ensure accountability for any workforce member who moves the system's hardware or media. Controls should also ensure that hardware or media containing protected information is not moved unless a backup copy of the information exists.

3.3. Appropriateness of Controls

The specific media controls used with a system should be guided by the system's Risk Assessment. The System Owner must ensure that appropriate System-specific procedures are created, documented, and followed.

3.4. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.5. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Risk Management
MUSC Information Security Standards: Device and Media Controls
MUSC Information Security Guidelines: Device and Media Controls

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.