The Los Angeles County Department of Mental Health (DMH) Chief Information Officer (CIO) must implement security safeguards that govern the receipt and removal of hardware and electronic media that contain electronic information into and out of a facility, and the movement of these items within the facility.
- Receipt of hardware and software into a facility.
  - System managers/owners must maintain a secure record documenting all hardware and software received into the facility.
  - System managers/owners must document all hardware and software according to access, clearance levels, and/or data set type, as needed.
  - System managers/owners must scan the components (e.g., software, storage devices) for malicious software.
  - System managers/owners must create a backup of any software received and securely store the backup until the software is no longer in use.
  - System managers/owners must provide an accounting of all documentation to DMH CIO at the time of receipt of hardware and/or software.
- Removal of hardware and software from a facility.
  - System managers/owners or designee must first give written approval before any hardware or software is removed from a facility.
  - System managers/owners must contemplate the reasons for the requested removal of any hardware and software and must consider:
    - The requestor's access and clearance levels,
    - The requestor's job requirements,
    - Sensitivity of the components, and
    - The period and/or frequency of removal.
  - System managers/owners must document all requests and decisions concerning removal of any hardware and software.
  - System managers/owners must update the hardware and software inventory system for both the removal and return of any hardware and software.
  - System managers/owners must inspect any hardware and software upon its return to the facility, including performing a scan for malicious software.
  - System managers/owners must provide an accounting of all documentation to the DMH CIO at the time of removal and return of hardware and/or software.
- Data Backup
  - System managers/owners must determine when backups are required before movement of any hardware and software.
  - If a backup is created, it shall be made in accordance with the data backup processes in DMH Policy 550.03, Information Technology Contingency Plan Policy.
  - Any backup created must be tested to ensure the copy is exact and is retrievable.
  - Any backup created must be stored in a secure location with appropriate access controls to prevent unauthorized access to the information.
- Disposal of hardware and software
  - Data sanitization is one of the key elements for ensuring confidentiality. In order for organizations to have appropriate controls on information they are responsible for safeguarding, they must properly secure used media.
  - The CIO is responsible for ensuring that all information and software on County-owned or leased computing devices is rendered unreadable and unrecoverable (whether or not removed from computing devices) prior to disposal or disposition of such computing devices out of County inventory to prevent unauthorized use or disclosure.
  - The DMH approved data sanitization method is dependent on the type of media. Paper, film, and other hard copy media should be shredded or destroyed so that PHI cannot be read or reconstructed.
  - For electronic media, DMH requires methods that are consistent with the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. Therefore, data should be cleared, purged or destroyed to render portable media or storage components of devices unreadable and/or unrecoverable so that PHI cannot be retrieved.
  - Despite device or drive encryption, DMH routinely schedules pickups by its business associate data sanitization vendors. The portable media and storage components of devices are securely transported in locked containers and shredded. A certification of sanitization is provided upon completion. System managers/owners must ensure the following:
    - Hardware and software inventory system is appropriately updated upon disposal of hardware and/or software.
    - Before disposal, all PHI and other confidential and/or sensitive information on any component are irreversibly destroyed.
    - Document that the sanitization steps have been completed.
    - Remove any labeling affixed to the component before its disposal and affix it to the disposal documents.
    - Provide an accounting of all documentation to the DISO at the time of hardware and/or software sanitization.
    - Submit written documentation with the disposal documents to verify that sanitization steps were completed.
- Reuse of Devices and Media
  - System managers/owners must ensure that the hardware and software inventory system is appropriately updated upon the reallocation of components.
  - Prior to reuse, system managers/owners must ensure all information on any component that is not necessary to the job function of the person to whom it is being reassigned is irreversibly destroyed.
  - System managers/owners must verify and document that sanitization steps have been completed.
- Accountability
  - System managers/owners must maintain a record documenting the movement of hardware, software, devices, electronic media, and persons responsible for those components.
  - System managers/owners must use the existing DMH asset management and inventory system to collect the information required by this procedure.
  - System managers/owners must ensure that the hardware and software inventory system is up-to-date and secured.