Data Disposed - disposal of hard drives, shredding hard drives, avoid breach notification
Data Disposed
 

Disposing of devices that contain protected health information (PHI) requires planning and the use of proper techniques. It is widely known that data stored on the hard drives of laptop and desktop computers can easily be recovered. The issue arises during computer migrations, when old computers are replaced with new ones. Old computers are often donated, sold to end users outside your organization, picked up by recycling companies, or simply left for the trash collectors to pick up. PHI on these devices, as well as on USB memory sticks, USB drives, and server hard drives, can easily be accessed by unauthorized individuals. Proper data disposal must be planned and executed. ExperiorData can help in all aspects of data disposal of storage devices to avoid breach notification as specified in section 13402 of ARRA.

File Level Disposal

File-level disposal software can be installed on laptop and desktop computers, usually as part of a whole disk encryption package. When files are "deleted" using delete or the "waste baskets" inside Microsoft Windows or Apple Mac OS, the directory entry for that file is deleted, but the data still remains on the hard drive. It can be restored using off-the-shelf software widely available on the Internet and in data forensics tools. File-level disposal is called file shredding. Rather than moving files to a wastebasket icon inside Windows or Mac OS, you move files to a special "shredder" icon, which permanently deletes the file by overwriting the data on the hard drive, thereby making it permanently unrecoverable. This typically applies to working computers and not to ones that are about to be replaced.
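
The overwrite-before-delete behavior described above, as an added Python example (not ExperiorData's software or any product's code). The names shred_file and demo and the sample record are constructed for illustration, and the example assumes a file system that rewrites blocks in place.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces to bound memory use


def shred_file(path, passes=1, remove=True):
    """Overwrite a file's bytes in place with random data, then optionally unlink it.

    Assumption: the file system rewrites blocks in place. On SSDs, copy-on-write
    or journaling file systems, and snapshotted volumes, old blocks may survive.
    """
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the same allocated blocks are rewritten.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass out of the OS cache to the device
    if remove:
        os.remove(path)  # only now drop the directory entry


def demo():
    """Constructed sample: a fake record is overwritten, checked, then removed."""
    marker = b"PATIENT-RECORD-CONSTRUCTED-SAMPLE"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 1000)
    size_before = os.path.getsize(path)

    shred_file(path, passes=1, remove=False)
    with open(path, "rb") as fh:
        overwritten = fh.read()
    marker_survives = marker in overwritten
    size_kept = len(overwritten) == size_before

    shred_file(path, passes=1, remove=True)
    return marker_survives, size_kept, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```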

Hard Drive Disposal

There are several methods of disposing of hard drives:

  • Manually overwriting data on the hard drive with random data. This is done using data erasing software. However, this can be very time consuming if it is necessary to erase many hard drives, and may not be practical.
  • Degaussing is performed by using an electronic device to apply a magnetic field in very close proximity to the storage media. The magnetic field randomizes the magnetic alignment of "magnetic domains" inside the storage media, thereby making the storage media unreadable. Degaussers should be tested by the National Security Agency to ensure they have been tested for maximum performance (NSA/CSS-EPL-9-12A-B). Degaussers are also subject to several risks, including magnetic remanence: data that is not erased due to operator or degausser error. Also, you will still need to properly dispose of the degaussed storage media.
  • Mechanical shredding or destruction of storage media is the most effective method of both disposing of storage media and ensuring that data is unrecoverable. Machines can either drill a hole into the media or literally shred the media using an industrial shredding system to completely destroy the media.
  • Electronic media must be disposed of in accordance with NIST Special Publication 800-88, "Guidelines for Media Sanitization."

The HITECH Act, as part of the American Recovery and Reinvestment Act (ARRA), encourages the mitigation of threats from improper data disposal by requiring various levels of notification following a breach of unsecured protected health information (PHI). If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, then such information is not unsecured PHI, and therefore may not be subject to the breach notifications directed by the HITECH Act.

ExperiorData Solutions: Experior has the capabilities to destroy media using all three methods. The actual method used is determined on a case-by-case basis, taking into account the time and cost involved in the destruction of data.

 