Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.
Course Of The Month
7 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Anyone know what HIPAA requires when donating machines?
Posted on 2011-03-21
Hi All,
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
We have a medium size medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with. This is a great idea as the local charities we work with have great causes. However, we need to determine what HIPAA requires when the machines once contained patient information because once they end up at the charity who knows who will get their hands on them. You would think this would be easy to find, but most Google searches produced websites that were pretty vague.
Anyone have a link to useful information? For example, is a DBAN autonuke enough? Is Degaussing required, can the machines and hard drives NOT be re-used and must be physically destroyed after data erase is complete?
Question is being posed for servers, desktops, and external drives as all wish to be donated.
Thanks!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
6-
6
3- +1
16 Comments
See if this helps: http://medicalnewswire.com/artman/publish/hipaa.shtml
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
I'm a fan of BCwipe. It's very affordable and offers the required DOD wiping protocol. From Jetico's website:
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."
And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
Thanks. So it seems while some people give ideas, there is no set rule of what HIPAA requires?
ChopOMatic, how does BCWipe compare to dban?
ChopOMatic, how does BCWipe compare to dban?
Active today
The privacy and security rule in HIPPA are quite relevant in the scenario. The Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). There are safeguards to ensure with the existence of the PHI and EPHI.
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule
In particular, you would want to note this
- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Overall, there should be recording of the erasure procedure and executed by authorised personnel. Actually if data erasure does not occur when a disk is retired or lost, an organization or user faces that possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may implicate to other federal laws beside HIPPA, such as Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. That would be further emphasized based on user data type
Nonetheless, I will say that to go for the charity efforts, we will just have to ensure the HDD does not have the traces of the PHI and EPHI not found and there are assurances (trust but verify procedure logged) complied, then it may not be subjected to HIPPA. But the procedure for handling need to be audit as well (esp for future investigation if there are foul play) - best is to adhere to company data handling procedure and have HIPPA as the overarching rule where applicable.
The key is then to ensure there are proper data santisation and importantly, sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not be abused. Also based on classification of the data, degaussing and physical destruction is necessary. Degaussing often renders hard disks inoperable, as it erases low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure
Some standards to check out in below link
@ http://en.wikipedia.org/wiki/Data_remanence#Standards
NIST DoD 5220.22-M is quite well recognised and supported in the erasure tool such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DOD specification 5220.22 standard says a file must be overwritten three times. Also understand that DBAN is using Gutmann wipe instead. It would be best to use those recognised by the NIST for Enterprise purpose if you want to stay with conformity. I know I am a bit more on the paranoid side but better if the product has already claimed conformity to certain standard.
Also good to note that
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.
In term of software, you may want to check out this correspondence
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
Jsmply, BCwipe will give you more control over the process than DBAN IMHO. You can specify the drives to wipe, the type of wiping to use, etc., making sure that you do it in a way that conforms to the HIPAA requirements. In a purely practical sense, any decent wiping app will do the job and no matter what they depict from Hollywood, a single pass wipe irrevocably destroys the data on modern hard drives. That said, government rules being what they are, if it were me I would want to use an established commercial tool that would allow me to comply with the governmental rules down to the letter.
Active today
thought it is best to route such effort within the medical community or at least know if there is any precedence as reference. I believe the relevant government official (or service desk) can help at least. If not joining into open HIPPA forum and polling feedback will help too
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
Well, it's hard to imagine anyone -- even government bureaucrats -- finding fault with wiping to DOD standards. Still, I do understand your desire to find concrete info to embrace as for requirements.
Active today
agree with chopomatic. NIST is very much recognised and doubt there will be challenge as it is well accepted on their recommended best practices. of course other regulation are good references. the key is to what extend or degree the santisation should be employed for such reuse, for some highly sensitive data (some vvip, etc), it may not even be acceptable for reuse....
Thanks, so NIST dod wipe from dban or bcwipe should be the same, correct? We may end up disposing of the hard drives anyway, will leave it up to the donors.
Active today
In DBAN FAQ, it states that it will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise. But it wiping algorithm list include DoD 5220-22.M though. But I trust it does fulfill it as it is widely used in govt and public organization. However, if you need paper confirmation, probably commercial software will be a better choice e.g. bcwipe (see also third link below for other choices).
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
Thanks all. Sorry for the delayed response. Did a lot more digging, it's kind of frustrating since it never really has a concrete answer anywhere. Almost seems purposely vague on what you "need" to do.
Active today
no mandate though best to seek advice on govt support arm or related mentor agency. nonetheless, if the hdd is securely clean, it should be consider as empty or as original state.
Active today
yes, rightfully need to forensic verify to make sure those s/w cannot get back those data as much as possible. know there is getdataback, file inspector, etc. at least, those secure wipe tool will erase and wipe the hdd to make it more difficult to retrieve and using nist std. think that has shown due care and diligence already.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| IIS components | 2 | 65 | |
| TSM error: ANS1151E '\\vwarpasvctx02\g$' is not a cluster disk. on a cluster environment. | 16 | 99 | |
| HP MSA2312i Controller fault | 4 | 56 | |
| RAID 5 with Three Hard Drives | 26 | 120 |
When we purchase storage, we typically are advertised storage of 500GB, 1TB, 2TB and so on. However, when you actually install it into your computer, your 500GB HDD will actually show up as 465GB. Why?
It has to do with the way people and computers…
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility.
Plug in the external drive you wish to encrypt:
Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target.
To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Suggested Courses
Course of the Month7 days, 11 hours left to enroll
737 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.