HIPAAdvisory > HIPAAtech (Phoenix Health Systems)

Secure Removal of Protected Health Information

Cleaning Hard Drives to the HIPAA Standard Prior to Disposal or Donation

By Steve Hardwick

The new requirements for HIPAA compliance may mean that existing computer systems will require upgrading. But per the standard, before the PC is recycled, donated, or re-sold, all PHI data must be removed.

Other options for passing on that old computer include taking it to a PC recycler or a toxic waste disposal center. Besides, filling up landfills is not environmentally friendly, especially considering the foul substances that can leach out of old computers.

HIPAA section 164.310 Physical safeguards

Section (d)(2), Implementation specifications, contains the following requirements:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

The loss of confidential information left on resold PCs can be catastrophic in today's information rich economy.

With increasing pressure to reduce costs and the availability of new methods to resell computers, businesses are looking for ways to either internally recycle their aging computer inventory or sell them into a growing used computer market. It is not unusual to find companies reselling their excess equipment on Internet sites such as eBay. However, in all cases there is a requirement to remove all of the PHI data stored on the computer before its disposal.

Data Storage Basics

To understand the challenges of data removal, you must first understand the basics of data storage. There are fundamentally two places a PC retains data: RAM and disk, principally the hard drive. Before a hard drive can be used it has to be conditioned to accept information, which occurs in two steps. Running FDISK partitions the drive, establishing the areas on it and how they are going to be used. Formatting sets up an environment on the disk so that the operating system can store and access files from the drive. A common misconception is that these same steps also remove any existing information.

Myths about Data Removal

Myth #1 – I can just empty my recycle bin

As many users will already know, when a file is deleted with a delete command, it is not really removed; it just goes to the Recycle Bin. Once the recycle bin is emptied, it is gone, right? Unfortunately, no, it isn't. The operating system merely marks the disk space as available for future use, and new data will eventually overwrite the old information. Until it is overwritten, the previous data can easily be recovered.

When the drive is reformatted the utility will merely rewrite the information that is used to locate the files on the drive. Essentially, it will tell the operating system that there are no files and that all of the space on the disk is free. Until the operating system comes along and writes new data over the old, the original data still exists.

Myth #2 – I can just run FDISK on the drive again

In the case of an FDISK operation, all of the information the operating system needs to locate the data is removed. But as in the reformatting case, the original data is still there in its rawest form. Tools are readily available that will extract large portions of data even though the disk is presumed clean.

The Bottom Line

None of the standard tools described above will remove the bulk of the data contained on the hard drive. The only solution to ensure that the information on the hard drive is removed is to either physically destroy the drive itself, or write over all of the existing data so that it cannot be recovered.
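The two myths above come down to one fact: a delete or a quick format rewrites the table that maps file names to disk blocks, and nothing else. The following toy disk image is an added example (not code from the article or from Infraworks) that models exactly that: block 0 holds the directory table, the remaining blocks hold file contents, and the "delete" and "quick format" operations touch only block 0. A byte-for-byte scan of the media, which is all a recovery tool needs, still finds the sample record afterwards, and even reusing the block for a small new file only clobbers the first few bytes. The file names, block layout and the patient record are all constructed for the example.

```python
"""Toy disk image (constructed for this example): block 0 is the directory
table, blocks 1..7 hold file data. Shows what 'delete' and 'format' change."""

BLOCK_SIZE = 64
DATA_BLOCKS = range(1, 8)  # block 0 is reserved for the table


class ToyDisk:
    def __init__(self):
        # Every byte the media holds, table block included.
        self.raw = bytearray(BLOCK_SIZE * (len(DATA_BLOCKS) + 1))
        self.table = {}  # file name -> list of block numbers
        self._flush_table()

    def _flush_table(self):
        """Serialize the table into block 0, as a real file system keeps its
        FAT/MFT on the disk itself."""
        text = ";".join(f"{name}={','.join(map(str, blocks))}"
                        for name, blocks in self.table.items())
        self.raw[0:BLOCK_SIZE] = text.encode()[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")

    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [b for b in DATA_BLOCKS if b not in used]

    def write_file(self, name, data):
        """Allocate the first free blocks and copy the data into them."""
        free = self._free_blocks()
        needed = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = blocks
        self._flush_table()

    def list_files(self):
        """What the operating system shows: only names present in the table."""
        return sorted(self.table)

    def delete(self, name):
        """Emptying the recycle bin: drop the table entry, leave the blocks alone."""
        del self.table[name]
        self._flush_table()

    def quick_format(self):
        """Reformat: write a fresh, empty table; data blocks are not rewritten."""
        self.table = {}
        self._flush_table()

    def raw_scan(self, needle):
        """What a recovery tool does: search the media byte-for-byte, ignoring
        the table. Returns the offset, or -1 if the bytes are really gone."""
        return bytes(self.raw).find(needle)


def demo():
    """Walk a constructed sample record through delete, format and block reuse."""
    disk = ToyDisk()
    phi = b"PATIENT: Jane Doe, MRN 00012345, DX: hypertension"  # constructed sample
    disk.write_file("record.txt", phi)
    steps = {}
    disk.delete("record.txt")
    steps["listed_after_delete"] = disk.list_files()
    steps["found_after_delete"] = disk.raw_scan(b"MRN 00012345") != -1
    disk.quick_format()
    steps["found_after_format"] = disk.raw_scan(b"MRN 00012345") != -1
    # A new small file reuses block 1 but overwrites only its first 9 bytes.
    disk.write_file("notes.txt", b"todo list")
    steps["found_after_reuse"] = disk.raw_scan(b"MRN 00012345") != -1
    return steps


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point of the last step is that even normal reuse of the space is not a sanitization method: only the bytes the new file happens to cover are replaced, and a patient identifier further into the block survives.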

US Department of Defense (DOD) 5220.22-M Standard

There has been a standard in place for some time that addresses the problem of permanent removal of data from a hard drive. The standard was developed by the Defense Security Service (DSS) and is used by many federal and commercial organizations. Under the National Industrial Security Program (NISP), DSS Industrial Security Representatives oversee cleared contractor facilities and assist the organizations' management staff and Facility Security Officers in formulating their security programs. As part of the NISP initiative, DSS has developed the DOD standard 5220.22-M NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL. Among other items, the standard outlines the method to be used for removing data from unclassified hard drives – sanitizing. NISP defines an overwriting technique that will remove any existing data yet leave the hard drive in a state where it can be reused. The process involves the following two steps:

  1. Before any sanitization product is acquired, careful analysis to the overall costs associated with overwrite/sanitization should be made. Depending on the contractor’s environment, the size of the drive and the differences in the individual products time to perform the sanitization, destruction of the media might be the preferred (i.e., economical) sanitization method.

  2. Overwrite all addressable locations with a character, then its complement. Verify “complement” character was written successfully to all addressable locations, then overwrite all addressable locations with random characters; or verify third overwrite of random characters. Overwrite utility must write/read to “growth” defect list/sectors or disk must be mapped before initial classified use and remapped before sanitization. Difference in the comparison lists must be discussed with the DSS Industrial Security Representative (IS Rep) and/or Information System Security Professional (ISSP) before declassification. Note: Overwrite utilities must be authorized by DSS before use.

View the full matrix of recommended disposal methodologies for a wide variety of computer components.

Other Considerations when Choosing a Disk Sanitizing Product

In addition to meeting the process defined by the DOD 5220.22-M standard there are some other important criteria that should be taken into consideration before selecting a product.

BIOS independence

Part of the PC hardware contains the BIOS (basic input/output system) program. An older BIOS that is not compatible with a newer, larger hard drive can report an incorrect disk size. This is not noticed during normal operation, because the operating system automatically corrects for the flaw. However, if the sanitizing product is not independent of the BIOS, it will only remove the data from the part of the hard drive that the BIOS reports. This will leave data behind on the disk, and that data could be PHI.

Hard drive standard compatibility

There are two predominant standards for hard drive technology used by personal computers today. One is IDE and the other is SCSI. The sanitizing utility should be able to sanitize either drive type.

Size compatibility

As hard drive sizes continue to increase, it is important to verify that the sanitizing product is able to address the larger drives. Hard drive sizes have already exceeded the 100 gigabyte limit. Many products are not yet capable of handling this size of drive.

Reporting

An important part of the HIPAA regulation is accountability (item (iii) above). There needs to be a record that all of the software that was on the drive has been removed; this will allow the software to be legally re-used on another computer. By having a record that all company information has been removed, the drive can then be safely resold outside of the company.
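The three passages that matter to a sanitizing tool are the overwrite procedure from step 2 of the DOD 5220.22-M process (a character, then its complement, verify the complement, then random characters, verify again), the BIOS-independence point (size the drive yourself rather than trusting a reported figure), and the reporting requirement. The following is an added example, not code from the article, from Infraworks, or a DSS-authorized utility, that carries those three through on a file-backed image: the size comes from seeking to the end of the media, each pass is read back and verified over that full size, and the function returns an accountability record for the disposal log. It assumes a plain file standing in for a drive; remapped "growth" defect sectors, which the standard says must be handled with the IS Rep, do not exist in a file and are out of scope here. The temporary file, the 0x55 character and the sample record are constructed for the example.

```python
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # bytes moved per read/write call


def media_size(f):
    """Size as the media itself reports it (seek to end), not a BIOS/geometry
    figure that may understate a drive newer than the firmware."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_pattern(f, size, value):
    """Write one byte value over every addressable location; returns bytes written."""
    f.seek(0)
    block = bytes([value]) * CHUNK
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        f.write(block[:n])
        done += n
    f.flush()
    os.fsync(f.fileno())
    return done


def overwrite_random(f, size):
    """Third pass: random bytes. Returns (bytes written, SHA-256 of what was
    written) so the pass can be verified by reading the media back."""
    f.seek(0)
    h = hashlib.sha256()
    done = 0
    while done < size:
        data = secrets.token_bytes(min(CHUNK, size - done))
        f.write(data)
        h.update(data)
        done += len(data)
    f.flush()
    os.fsync(f.fileno())
    return done, h.hexdigest()


def readback_ok(f, size, expected_value=None, expected_digest=None):
    """Read every byte back over the full media size. Either every byte must
    equal expected_value, or the SHA-256 of the media must equal expected_digest."""
    f.seek(0)
    h = hashlib.sha256()
    pattern = bytes([expected_value]) * CHUNK if expected_value is not None else None
    done = 0
    while done < size:
        data = f.read(min(CHUNK, size - done))
        if not data:
            return False  # media ended early: the pass did not cover everything
        if pattern is not None and data != pattern[:len(data)]:
            return False
        h.update(data)
        done += len(data)
    return expected_digest is None or h.hexdigest() == expected_digest


def sanitize(path, value=0x55):
    """Character, complement (verified), random (verified), as in step 2 of the
    standard. Returns an accountability record for the disposal log."""
    complement = value ^ 0xFF
    report = {"target": path, "started": datetime.now(timezone.utc).isoformat(), "passes": []}
    with open(path, "r+b") as f:
        size = media_size(f)
        report["size_bytes"] = size
        report["passes"].append({"type": "char", "value": value,
                                 "written": overwrite_pattern(f, size, value)})
        report["passes"].append({"type": "complement", "value": complement,
                                 "written": overwrite_pattern(f, size, complement)})
        report["complement_verified"] = readback_ok(f, size, expected_value=complement)
        written, digest = overwrite_random(f, size)
        report["passes"].append({"type": "random", "sha256": digest, "written": written})
        report["random_verified"] = readback_ok(f, size, expected_digest=digest)
    report["full_coverage"] = all(p["written"] == size for p in report["passes"])
    report["sanitized"] = (report["full_coverage"] and report["complement_verified"]
                           and report["random_verified"])
    report["finished"] = datetime.now(timezone.utc).isoformat()
    return report


def demo():
    """Constructed stand-in for a drive: a temp file with a sample record in it."""
    phi = b"PATIENT: Jane Doe, MRN 00012345"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(200_000) + phi + b"\0" * 100_000)
        path = tmp.name
    with open(path, "rb") as f:
        before = f.read().find(phi) != -1
    report = sanitize(path)
    with open(path, "rb") as f:
        after = f.read().find(phi) != -1
    os.unlink(path)
    return before, after, report


if __name__ == "__main__":
    print(demo())
```

The record a tool like this returns is what the Reporting criterion asks for: the target, its size as actually measured, each pass and how many bytes it covered, whether each verification read succeeded, and the timestamps. A "sanitized" flag of false with full_coverage false is the BIOS-size failure mode from above, caught before the drive leaves the building.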


Summary

As computer systems become faster and cheaper, the desire to replace them in the workplace will result in the need to dispose of the obsolete equipment. Although this equipment may not meet the needs of the business, there is a thriving market for reselling it, especially for personal use.

However, it is important that no PHI or software is lost in this transaction. If this occurs, the impact can range from inconvenience and public embarrassment to fiscal damage and violations of HIPAA requirements. The DOD standard 5220.22-M provides a good, proven framework for designing a digital data disposal process. This can be augmented by some other considerations that are not currently included in the standard to help select the right sanitizing product. The result is meeting the goal of retiring obsolete equipment and recovering any residual value while not compromising digital data security.


Steve Hardwick is Director of Product Management, Infraworks. Infraworks is a provider of software and services designed to protect digital files and sensitive business information that is accessible inside and outside of an organization. He can be contacted at hardwick@infraworks.com.
