Please see CUIMC Information Security Procedures for Sanitization and Disposal in addition to requirements and procedures listed below.
A large volume of electronic data is stored on computer systems and electronic media throughout the University. Much of this data consists of sensitive and confidential information, including patient records, financial data, personnel records, and research information. Columbia University is covered by several federal and state laws that set forth responsibilities for protecting this information, including the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Federal Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) and the New York State Social Security Number Protection Law.
Requirements
Unauthorized disclosure of sensitive information may subject the University to legal liability, negative publicity, monetary and civil penalties, and the possible loss of funding. All sensitive information and licensed software must be properly removed when disposing of computer systems with hard drives (laptops, desktops, servers, etc.), smartphones, tablets, medical instrumentation devices and modalities, printers and copiers, and removable media such as CDs, DVDs, disks, USB drives, external drives, tapes, smart cards or anything else that stores data. Bear in mind that many pieces of equipment keep a cache of data that you may not intend to store permanently.
- Data must be properly removed according to its level of classification
As per the Information Security Charter, Executive Managers including Deans, Directors and Department Chairs are responsible for overseeing information security for their respective areas of responsibility and ensuring compliance; System Owners, Data Owners and IT Custodians are responsible for ensuring that the Sanitization and Disposal of Information Resources Policy is followed.
Simply deleting files does not meet requirements for data classified as sensitive or confidential; it must be sanitized in a manner that leaves it fully unrecoverable. See Procedures below or refer to the Sanitization Policy full text.
- Systems that have accessed sensitive information
These systems are highly likely to have retained some data on the hard drive even after the computer user has logged out of any program or closed any files containing the sensitive data. Unless the owner/user is able to fully verify that data classified as highly sensitive does not exist on the computer, it should be considered to require the same level of sanitization.
- All media must be properly sanitized
All sensitive information and licensed software must be properly removed when disposing of equipment listed at the beginning of these requirements and anything that is capable of storing electronic data. All department heads are responsible for ensuring that their employees dispose of non-reusable electronic media properly. As with shredding paper reports, CDs and other non-rewritable media should either be broken or defaced by scratching before disposal.
- Ensure that software and copyright laws are not being violated
Copyright laws and software license agreements protect vendor rights regarding the use of software. Much of the software at CUIMC IT is licensed under special academic licensing agreements which prohibit the transfer of this software outside of the University.
- Audit of Retired Assets
Departments are responsible for keeping a separate detailed audit of all retired assets including make, model, serial number and MAC (hardware) address. This should include all dates and chain of custody information to the disposal point and the method utilized for sanitization. This audit will need to be made available to the Information Security Office on demand.
Sanitization Procedures
Sanitization must be documented
Any device which has been sanitized properly must be documented. CUIMC IT will not assist in the sanitization of any device when appropriate device information is not provided. Proper recording of device destruction or sanitization includes the following information: serial number of the device, device type, date of destruction, person performing the destruction, owning department.
Physical removal by Facilities requires a Device Disposal Tag
Facilities Management is responsible for the disposition of surplus computer systems and electronic devices from university operated buildings. Any computer system or device sent out for disposition must have a 'Device Disposal Tag' affixed to it indicating that the system has been sanitized. Facilities Management will not accept any computer system without this sticker. Once collected, all computer systems and devices will be delivered to a secure location where disposal will be facilitated by the Department of Environmental Health and Safety.
Once you have gone through the necessary steps to properly sanitize your computer system and acquire a 'Device Disposal Tag' (see Options below), you may contact the facilities office to schedule the pickup of unneeded equipment. You can contact facilities by calling 5-Help option 3 or by going to the facilities website and submitting a work order.
Improper Disposal Penalties
In the event that a computer system is found to have been disposed of in a manner not in accordance with CUIMC IT Data Disposal Procedures, the system will be sanitized and a fee of $175 will be charged to the department of the system's origin without approval from the department.
Options for Disposal of Non-Leased Systems
- Assisted Hard Drive Extraction
Call the CUIMC IT Service Desk (extension 5-Help). CUIMC IT will provide a field sanitization service at the standard rate of time and materials. Once the field tech has completed the hard drive extraction, a 'Device Disposal Tag' will be placed on the machine and you can contact the facilities management office to dispose of it.
- Departmental Extraction
If your department has its own Certified IT Group, you may ask them to extract your hard drive and follow up with the Service Desk at extension 5-Help (212-305-4357), option 5, for the next steps. They will be able to obtain the required 'Device Disposal Tag' and then they can contact the facilities management office to dispose of the machine.
- Upgrade Extraction
When upgrading equipment using CUIMC IT, hard drive sanitization will be provided upon request free of charge. A 'Device Disposal Tag' will be provided as part of the upgrade. Once this sticker is placed on the machine you can contact the facilities management office to dispose of it.
- Donate via Dr. Kleiman with MSPH
Computers with a minimum Pentium 4 processor can be donated by contacting Dr. Norman J. Kleiman, email njk3@columbia.edu or call 5-6748. Dr. Kleiman's group takes responsibility for securely wiping data from the computer. Working printers are also accepted.
Hard Drive and Backup Tape Degaussing
CUIMC IT does not currently offer degaussing services or access to degaussing equipment.
System removal, ownership or location changes
In order to provide consistent, reliable network access to authorized individuals and systems, Core Resources must have current, accurate information about systems using the wired network. Failure to provide accurate information can result in denial or loss of network connectivity, or problems with connecting to other resources. Failure to notify us of systems no longer using the network ties up resources that could be used by others.
Procedure
Submit the appropriate ServiceNow Wired IP Registration form when any of the following occur:
- The primary location or office for the system changes
- Basic contact information for the computer owner and/or user changes
- Previously registered systems are being removed or no longer require wired network access
- The system's Network Interface Card (NIC) is being replaced.
If a system is moving or changing ownership, the form will help ensure that wired connectivity is not disrupted provided that enough notice has been given.
Disable unused accounts
When looking at data sanitization and equipment disposal requirements due to changes in an employee’s status, do not forget to notify managing groups of the employee’s accounts.
- Unused accounts must be disabled to help prevent unauthorized access to systems or data, and should not be transferred or used by others. Communicating needed changes in account use and ownership is important for security, tracking and sometimes billing information.
- Accounts/logins cannot be shared, used by or transferred to others.
- See the Separations and Termination page for full information.