Jsmply
asked on
Anyone know what HIPAA requires when donating machines?
Hi All,
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
Jsmply, BCwipe will give you more control over the process than DBAN IMHO. You can specify the drives to wipe, the type of wiping to use, etc., making sure that you do it in a way that conforms to the HIPAA requirements. In a purely practical sense, any decent wiping app will do the job and no matter what they depict from Hollywood, a single pass wipe irrevocably destroys the data on modern hard drives. That said, government rules being what they are, if it were me I would want to use an established commercial tool that would allow me to comply with the governmental rules down to the letter.
ASKER
Thanks. Only issue there is we can't find any definitive answer to what they actually require.
Thought it is best to route such effort within the medical community or at least know if there is any precedence as reference. I believe the relevant government official (or service desk) can help at least. If not, joining an open HIPAA forum and polling feedback will help too.
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
Well, it's hard to imagine anyone -- even government bureaucrats -- finding fault with wiping to DOD standards. Still, I do understand your desire to find concrete info to embrace as for requirements.
Agree with chopomatic. NIST is very much recognised and I doubt there will be a challenge, as it is well accepted on their recommended best practices. Of course other regulations are good references. The key is to what extent or degree the sanitisation should be employed for such reuse; for some highly sensitive data (some VVIP, etc.), it may not even be acceptable for reuse....
ASKER
Thanks, so a NIST/DoD wipe from DBAN or BCWipe should be the same, correct? We may end up disposing of the hard drives anyway; will leave it up to the donors.
In the DBAN FAQ, it states that it will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise. But its wiping algorithm list includes DoD 5220.22-M. I trust it does fulfil it, as it is widely used in government and public organizations. However, if you need paper confirmation, commercial software will probably be a better choice, e.g. BCWipe (see also the third link below for other choices).
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
ASKER
Thanks all. Sorry for the delayed response. Did a lot more digging, it's kind of frustrating since it never really has a concrete answer anywhere. Almost seems purposely vague on what you "need" to do.
No mandate, though it is best to seek advice from a government support arm or related mentor agency. Nonetheless, if the HDD is securely cleaned, it should be considered as empty or in its original state.
ASKER
And by securely clean, you mean using software like NIST, DBAN, etc. for the standard 3-pass wipe?
Yes, rightfully you need to forensically verify to make sure those s/w cannot get back the data, as much as possible. I know there is GetDataBack, File Inspector, etc. At least those secure wipe tools will erase and wipe the HDD to make it more difficult to retrieve, and using the NIST std. I think that has shown due care and diligence already.
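The read-back verification mentioned above, as an added example that is not part of the thread and not code from DBAN or BCWipe: after the wipe, it reads the media back and reports any non-zero bytes or known partition/filesystem signatures that a blank drive must not carry. The signature table and the two sample images are constructed for illustration, and a sampled read only catches gross failures; a full read remains the assurance-grade check.

```python
"""Post-wipe verification of a drive image or block device (added example, not
from the thread or from DBAN/BCWipe). Signatures and sample data are constructed."""
import os
import tempfile

# (offset, magic bytes, label): on-disk structures that a blank drive must not carry.
KNOWN_SIGNATURES = [
    (0x1FE, b"\x55\xAA", "MBR/VBR boot signature"),
    (0x200, b"EFI PART", "GPT header (512-byte sectors)"),
    (0x003, b"NTFS    ", "NTFS OEM id"),
    (0x438, b"\x53\xEF", "ext2/3/4 superblock magic"),
]

def find_signatures(head: bytes) -> list:
    """Labels of known signatures present in the first bytes of the media."""
    return [label for off, magic, label in KNOWN_SIGNATURES
            if head[off:off + len(magic)] == magic]

def nonzero_count(block: bytes) -> int:
    """Bytes that differ from 0x00; a zero-fill wipe must leave none."""
    return len(block) - block.count(0)

def verify_media(path: str, samples: int = 64, chunk: int = 1 << 20) -> dict:
    """Read the head plus `samples` evenly spaced chunks and report residue.
    Sampling catches an aborted wipe or the wrong device; do a full read for sign-off."""
    with open(path, "rb") as f:
        head = f.read(chunk)
        size = f.seek(0, os.SEEK_END)      # seek works for block devices too
        nonzero, checked = nonzero_count(head), len(head)
        stride = max(size // max(samples, 1), chunk)
        for off in range(stride, size, stride):
            f.seek(off)
            block = f.read(chunk)
            checked += len(block)
            nonzero += nonzero_count(block)
    sigs = find_signatures(head)
    return {"size": size, "bytes_checked": checked, "nonzero_bytes": nonzero,
            "signatures": sigs, "clean": nonzero == 0 and not sigs}

def demo() -> dict:
    """Verify two constructed images: one zero-filled, one still carrying an MBR."""
    d = tempfile.mkdtemp()
    zeroed, stale = os.path.join(d, "zeroed.img"), os.path.join(d, "stale.img")
    with open(zeroed, "wb") as f:
        f.write(b"\x00" * (4 << 20))
    with open(stale, "wb") as f:
        f.write(b"\x00" * 0x1FE + b"\x55\xAA" + b"\x00" * (4 << 20))
    return {"zeroed": verify_media(zeroed), "stale": verify_media(stale)}
```

Point `verify_media` at the wiped device (for example a `/dev/sdX` path on Linux, read as root) and archive the returned report with the donation paperwork.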
ASKER
Thx! If anyone comes up with any more relevant answers or real-life scenarios, I'd be very interested!
ASKER
ChopOMatic, how does BCWipe compare to dban?