WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!
Solved
Anyone know what HIPAA requires when donating machines?
Posted on 2011-03-21
Hi All,
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
6-
6
3- +1
16 Comments
See if this helps: http://medicalnewswire.com/artman/publish/hipaa.shtml
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
I'm a fan of BCwipe. It's very affordable and offers the required DOD wiping protocol. From Jetico's website:
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
Thanks. So it seems while some people give ideas, there is no set rule of what HIPAA requires?
ChopOMatic, how does BCWipe compare to dban?
ChopOMatic, how does BCWipe compare to dban?
Active today
The privacy and security rule in HIPPA are quite relevant in the scenario. The Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). There are safeguards to ensure with the existence of the PHI and EPHI.
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
Jsmply, BCwipe will give you more control over the process than DBAN IMHO. You can specify the drives to wipe, the type of wiping to use, etc., making sure that you do it in a way that conforms to the HIPAA requirements. In a purely practical sense, any decent wiping app will do the job and no matter what they depict from Hollywood, a single pass wipe irrevocably destroys the data on modern hard drives. That said, government rules being what they are, if it were me I would want to use an established commercial tool that would allow me to comply with the governmental rules down to the letter.
Active today
thought it is best to route such effort within the medical community or at least know if there is any precedence as reference. I believe the relevant government official (or service desk) can help at least. If not joining into open HIPPA forum and polling feedback will help too
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
Well, it's hard to imagine anyone -- even government bureaucrats -- finding fault with wiping to DOD standards. Still, I do understand your desire to find concrete info to embrace as for requirements.
Active today
agree with chopomatic. NIST is very much recognised and doubt there will be challenge as it is well accepted on their recommended best practices. of course other regulation are good references. the key is to what extend or degree the santisation should be employed for such reuse, for some highly sensitive data (some vvip, etc), it may not even be acceptable for reuse....
Thanks, so NIST dod wipe from dban or bcwipe should be the same, correct? We may end up disposing of the hard drives anyway, will leave it up to the donors.
Active today
In DBAN FAQ, it states that it will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise. But it wiping algorithm list include DoD 5220-22.M though. But I trust it does fulfill it as it is widely used in govt and public organization. However, if you need paper confirmation, probably commercial software will be a better choice e.g. bcwipe (see also third link below for other choices).
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
Thanks all. Sorry for the delayed response. Did a lot more digging, it's kind of frustrating since it never really has a concrete answer anywhere. Almost seems purposely vague on what you "need" to do.
Active today
no mandate though best to seek advice on govt support arm or related mentor agency. nonetheless, if the hdd is securely clean, it should be consider as empty or as original state.
Active today
yes, rightfully need to forensic verify to make sure those s/w cannot get back those data as much as possible. know there is getdataback, file inspector, etc. at least, those secure wipe tool will erase and wipe the hdd to make it more difficult to retrieve and using nist std. think that has shown due care and diligence already.
Featured Post
Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Compliance and data security require steps be taken to prevent unauthorized users from copying data. Here's one method to prevent data theft via USB drives (and writable optical media).
It all started with a phone call. The then acting director of the Office of Research Computing, called to ask me to remotely shutdown my computer, it was Yom Kippur, Wednesday October 12, 2016.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target.
To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting.
This w…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll
606 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.