Proposed updates to the HIPAA Security Rule are set to push healthcare organizations toward more proactive cybersecurity practices. One of the most talked-about changes? A new requirement for annual penetration testing of electronic information systems.
But the bigger picture goes beyond pen testing.
The proposal includes several technical safeguards and documentation requirements, such as:
- Bi-annual vulnerability scans
- Encryption and MFA for ePHI
- A written technology asset inventory and network map
- Documented recovery procedures for system downtime
- Annual audits and risk management plans
It’s a clear message from regulators: keeping data secure means knowing where it lives, who can access it—and making sure no unused or unmanaged system is left lingering in the background.
Not All Risk Is Online
When people think about HIPAA compliance, they often think about what’s happening on the network. But old hardware—servers, laptops, workstations—can quietly hold onto protected data long after it’s taken out of rotation.
Cached credentials, saved documents, and misconfigured software don’t just disappear when a device is unplugged. If that equipment ends up in a forgotten storage room or gets repurposed without proper sanitization, it can still present a risk to patient privacy—and compliance.
This is where IT asset disposition (ITAD) fits in.
ITAD as a Compliance Tool
Managing old equipment isn’t just a housekeeping issue anymore—it’s part of a secure, documented system lifecycle. And under the proposed rule, having a clear, verifiable process for removing devices from your environment will matter more than ever.
An effective ITAD process can help:
- Maintain accurate records of what devices handled ePHI
- Ensure data is wiped or destroyed following NIST SP 800-88 (Guidelines for Media Sanitization)
- Provide documentation for audits and compliance reviews
- Support broader asset inventory and recovery planning efforts
IT teams already tasked with vulnerability scans, pen testing, and encryption don’t need another thing to track. But ITAD helps tie those efforts together, closing out the lifecycle of devices that might otherwise become overlooked risks.
Preparing for What’s Ahead
These proposed changes come at a time when healthcare data breaches are on the rise, and smaller organizations are just as vulnerable as large ones. Having the right tools and partners in place to manage risk across the full lifecycle—from active use to end-of-life—can make a big difference in staying ahead of future requirements.
Organizations don’t have to overcomplicate it. Knowing what equipment is in use, what’s retired, and what’s been securely handled goes a long way in strengthening overall security and compliance.
For those evaluating their processes in light of the HIPAA updates, now is a good time to make sure device retirement is part of the conversation. SEAM is the only certified IT asset disposition provider in the Dakotas and can help healthcare organizations ensure secure, compliant handling of retired equipment. Contact us to get started.
Clint Parsons is the Director of Strategy and Information at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction, responsible recycling, and maximize the resale value of their IT equipment while staying compliant with evolving regulations.