WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.
Course Of The Month
6 days, 8 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Anyone know what HIPAA requires when donating machines?
Posted on 2011-03-21
Hi All,
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
6-
6
3- +1
16 Comments
See if this helps: http://medicalnewswire.com/artman/publish/hipaa.shtml
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
Active 5 days ago
I'm a fan of BCwipe. It's very affordable and offers the required DOD wiping protocol. From Jetico's website:
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
Thanks. So it seems while some people give ideas, there is no set rule of what HIPAA requires?
ChopOMatic, how does BCWipe compare to dban?
ChopOMatic, how does BCWipe compare to dban?
Active today
The privacy and security rule in HIPPA are quite relevant in the scenario. The Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). There are safeguards to ensure with the existence of the PHI and EPHI.
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
Active 5 days ago
Jsmply, BCwipe will give you more control over the process than DBAN IMHO. You can specify the drives to wipe, the type of wiping to use, etc., making sure that you do it in a way that conforms to the HIPAA requirements. In a purely practical sense, any decent wiping app will do the job and no matter what they depict from Hollywood, a single pass wipe irrevocably destroys the data on modern hard drives. That said, government rules being what they are, if it were me I would want to use an established commercial tool that would allow me to comply with the governmental rules down to the letter.
Active today
thought it is best to route such effort within the medical community or at least know if there is any precedence as reference. I believe the relevant government official (or service desk) can help at least. If not joining into open HIPPA forum and polling feedback will help too
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
Active 5 days ago
Well, it's hard to imagine anyone -- even government bureaucrats -- finding fault with wiping to DOD standards. Still, I do understand your desire to find concrete info to embrace as for requirements.
Active today
agree with chopomatic. NIST is very much recognised and doubt there will be challenge as it is well accepted on their recommended best practices. of course other regulation are good references. the key is to what extend or degree the santisation should be employed for such reuse, for some highly sensitive data (some vvip, etc), it may not even be acceptable for reuse....
Thanks, so NIST dod wipe from dban or bcwipe should be the same, correct? We may end up disposing of the hard drives anyway, will leave it up to the donors.
Active today
In DBAN FAQ, it states that it will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise. But it wiping algorithm list include DoD 5220-22.M though. But I trust it does fulfill it as it is widely used in govt and public organization. However, if you need paper confirmation, probably commercial software will be a better choice e.g. bcwipe (see also third link below for other choices).
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
Thanks all. Sorry for the delayed response. Did a lot more digging, it's kind of frustrating since it never really has a concrete answer anywhere. Almost seems purposely vague on what you "need" to do.
Active today
no mandate though best to seek advice on govt support arm or related mentor agency. nonetheless, if the hdd is securely clean, it should be consider as empty or as original state.
Active today
yes, rightfully need to forensic verify to make sure those s/w cannot get back those data as much as possible. know there is getdataback, file inspector, etc. at least, those secure wipe tool will erase and wipe the hdd to make it more difficult to retrieve and using nist std. think that has shown due care and diligence already.
Featured Post
With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article is an update and follow-up of my previous article: Storage 101: common concepts in the IT enterprise storage
This time, I expand on more frequently used storage concepts.
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility.
Plug in the external drive you wish to encrypt:
Make sure all previous data on the drive has been …
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting.
This w…
Suggested Courses
Course of the Month6 days, 8 hours left to enroll
724 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.