Step 7. Have a decommissioning/replacement plan

All medical devices will have a life-expectancy, and this should be factored into the original procurement so that replacement time-scales and costs can be understood. This is particularly important to ensure that the medical device isn’t kept in service when operating on underlying software that isn’t supported (such as Windows operating systems that are end of life). Where this is unavoidable (understanding the unique nature of some medical devices) then it should at least be recorded on the organisation’s risk register.

All devices that store patient identifiable data must have all data forensically erased, so it is unrecoverable. Your decommissioning and disposal policy should have sufficient detail for this to be carried out.

Any data stored on a connected medical device should be sanitised prior to disposal and before the device leaves the organisation to ensure that it cannot be read by unauthorised parties after it has left the organisation’s control. 

Sanitisation is the process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level. Some forms of sanitisation will allow the media to be re-used, others are destructive in their nature and render the media unusable. The method selected will depend on the storage media involved and the risk tolerance level within the organisation.

NCSC have published guidance on secure sanitisation of storage media.