Solved

Anyone know what HIPAA requires when donating machines?

Posted on 2011-03-21
868 Views
Last Modified: 2012-05-11
Hi All,

We have a medium-sized medical group who is upgrading their equipment and would like to donate their old computers and servers to a charity we work with.  This is a great idea as the local charities we work with have great causes.  However, we need to determine what HIPAA requires when the machines once contained patient information, because once they end up at the charity who knows who will get their hands on them.  You would think this would be easy to find, but most Google searches produced websites that were pretty vague.

Anyone have a link to useful information?  For example, is a DBAN autonuke enough?  Is degaussing required? Can the machines and hard drives NOT be re-used, and must they be physically destroyed after the data erase is complete?

Question is being posed for servers, desktops, and external drives as all wish to be donated.

Thanks!
Question by:Jsmply
16 Comments
 
LVL 32

Assisted Solution

by:willcomp
willcomp earned 125 total points
ID: 35186717
See if this helps: http://medicalnewswire.com/artman/publish/hipaa.shtml

For DBAN, autonuke should be sufficient since it is a 3 pass wipe.
 
LVL 5

Assisted Solution

by:ChopOMatic
ChopOMatic earned 125 total points
ID: 35186876
I'm a fan of BCwipe. It's very affordable and offers the required DOD wiping protocol. From Jetico's website:

"BCWipe complies with U.S. Department of Defense (DoD 5220.22-M) standard..."

And rest assured, once modern hard drives have been wiped using a tool like that, the data is forever gone.
 

Author Comment

by:Jsmply
ID: 35191334
Thanks.  So it seems while some people give ideas, there is no set rule of what HIPAA requires?

ChopOMatic, how does BCWipe compare to dban?
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 35220970
The Privacy and Security Rules in HIPAA are quite relevant in this scenario. The Privacy Rule pertains to all Protected Health Information (PHI), including paper and electronic; the Security Rule deals specifically with Electronic Protected Health Information (EPHI). There are safeguards to follow wherever PHI and EPHI exist.

@ http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule

In particular, you would want to note this:

- Administrative Safeguards: Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.

- Physical Safeguards: Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)

- Technical Safeguards: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.

Overall, the erasure procedure should be recorded and executed by authorised personnel. Actually, if data erasure does not occur when a disk is retired or lost, an organization or user faces the possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. It may also implicate other federal laws besides HIPAA, such as Sarbanes-Oxley, Gramm-Leach-Bliley or other state laws. That would be further emphasized based on the user data type.

Nonetheless, I will say that for the charity effort, we will just have to ensure the HDD does not have any traces of PHI and EPHI and that the assurances (a trust-but-verify procedure, logged) are complied with; then it may not be subject to HIPAA. But the handling procedure needs to be auditable as well (esp. for future investigation if there is foul play). Best is to adhere to the company data handling procedure and have HIPAA as the overarching rule where applicable.

The key is then to ensure there is proper data sanitisation and, importantly, that sensitive data traces are securely wiped and not recoverable forensically. These of course need to be authorised and not abused. Also, based on the classification of the data, degaussing and physical destruction are necessary. Degaussing often renders hard disks inoperable, as it erases the low-level formatting that is only done at the factory during manufacturing. In your case, you are probably going for secure wiping and erasure.

Some standards to check out in the link below:

@ http://en.wikipedia.org/wiki/Data_remanence#Standards

NIST DoD 5220.22-M is quite well recognised and supported in erasure tools such as BCWipe and Eraser (http://eraser.heidi.ie/). The U.S. DoD 5220.22 standard says a file must be overwritten three times. Also understand that DBAN uses the Gutmann wipe instead. It would be best to use those recognised by NIST for enterprise purposes if you want to stay in conformity. I know I am a bit more on the paranoid side, but it is better if the product has already claimed conformity to a certain standard.

Also good to note that:
a) the effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.

b) Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information.

In terms of software, you may want to check out this correspondence:
@ http://www.experts-exchange.com/Storage/Misc/Q_26896045.html
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 35221023
Jsmply, BCwipe will give you more control over the process than DBAN IMHO. You can specify the drives to wipe, the type of wiping to use, etc., making sure that you do it in a way that conforms to the HIPAA requirements. In a purely practical sense, any decent wiping app will do the job and no matter what they depict from Hollywood, a single pass wipe irrevocably destroys the data on modern hard drives. That said, government rules being what they are, if it were me I would want to use an established commercial tool that would allow me to comply with the governmental rules down to the letter.
 

Author Comment

by:Jsmply
ID: 35221373
Thanks. Only issue there is we can't find any definitive answer to what they actually require.
 
LVL 61

Expert Comment

by:btan
ID: 35221407
Thought it is best to route such an effort within the medical community, or at least find out if there is any precedent for reference. I believe the relevant government official (or service desk) can help at least. If not, joining an open HIPAA forum and polling for feedback will help too:
@ http://www.hipaasecurityandprivacy.com/2009/11/hipaa-forum.html
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 35222447
Well, it's hard to imagine anyone -- even government bureaucrats -- finding fault with wiping to DOD standards. Still, I do understand your desire to find concrete info to embrace as for requirements.
 
LVL 61

Expert Comment

by:btan
ID: 35222516
Agree with ChopOMatic. NIST is very much recognised and I doubt there will be a challenge, as its recommended best practices are well accepted. Of course other regulations are good references. The key is to what extent or degree the sanitisation should be employed for such reuse; for some highly sensitive data (some VVIP, etc.), it may not even be acceptable for reuse....
 

Author Comment

by:Jsmply
ID: 35223720
Thanks, so a NIST DoD wipe from DBAN or BCWipe should be the same, correct?  We may end up disposing of the hard drives anyway; will leave it up to the donors.
 
LVL 61

Expert Comment

by:btan
ID: 35224894
In the DBAN FAQ, it states that it will not issue a statement of conformity for DBAN because it would be construed as a warranty or promise. But its wiping algorithm list does include DoD 5220.22-M. I trust it does fulfil it, as it is widely used in government and public organizations. However, if you need paper confirmation, commercial software will probably be a better choice, e.g. BCWipe (see also the third link below for other choices).

@ http://www.dban.org/node/52
@ http://www.brighthub.com/computing/smb-security/reviews/33207.aspx
@ http://www.auburn.edu/oit/it_policies/edd_dod_compliant_apps.php
 

Author Comment

by:Jsmply
ID: 35379716
Thanks all.  Sorry for the delayed response.  Did a lot more digging; it's kind of frustrating since there never really is a concrete answer anywhere.  It almost seems purposely vague on what you "need" to do.
 
LVL 61

Expert Comment

by:btan
ID: 35383063
No mandate, though it is best to seek advice from a government support arm or related mentor agency. Nonetheless, if the HDD is securely cleaned, it should be considered as empty or in its original state.
 

Author Comment

by:Jsmply
ID: 35397332
And by securely clean, you mean using software like NIST, DBAN, etc. for the standard 3-pass wipe?
 
LVL 61

Expert Comment

by:btan
ID: 35397758
Yes, rightfully you need to forensically verify to make sure those tools cannot get the data back, as much as possible. I know there is GetDataBack, File Inspector, etc. At least those secure wipe tools will erase and wipe the HDD to make it more difficult to retrieve, and using the NIST standard, I think that has shown due care and diligence already.
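The three-pass overwrite (fixed, complement, random) discussed in the accepted solution, followed by the "forensically verify" step from the comment above, as an added example that is not code posted in this thread or by any of the tools named in it. It runs against a constructed temporary disk image rather than a real drive; the function names and the planted sample PHI strings are assumptions made for the demo.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # read/write granularity in bytes
PHI_MARKERS = [b"PATIENT: Jane Doe", b"MRN-0000042"]  # constructed sample PHI, not real data

def overwrite_pass(f, size, pattern_byte=None):
    """One full pass over the image: a fixed byte if given, otherwise CSPRNG bytes."""
    f.seek(0)
    for done in range(0, size, CHUNK):
        n = min(CHUNK, size - done)
        f.write(bytes([pattern_byte]) * n if pattern_byte is not None else secrets.token_bytes(n))
    f.flush(); os.fsync(f.fileno())  # force the pass to the media, not just the page cache

def three_pass_wipe(path):
    """DoD 5220.22-M style sequence: 0x00, then 0xFF, then random, over the whole image."""
    with open(path, "r+b") as f:
        for pattern in (0x00, 0xFF, None):
            overwrite_pass(f, os.path.getsize(path), pattern)

def find_traces(path, markers):
    """Verification pass: (marker, offset) for each marker still present; chunks overlap so a record straddling a boundary is caught."""
    hits, carry, pos = [], b"", 0
    overlap = max(len(m) for m in markers) - 1
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = carry + chunk
            for m in markers:
                i = window.find(m)
                while i != -1:
                    if i + len(m) > len(carry):  # ends past the carry, so not reported last round
                        hits.append((m, pos - len(carry) + i))
                    i = window.find(m, i + 1)
            carry = window[-overlap:] if overlap else b""
            pos += len(chunk)
    return hits

def demo():
    """3 MiB constructed image: PHI at 4096 and straddling the first chunk boundary; wipe; rescan."""
    buf = bytearray(3 * CHUNK)
    for off, m in ((4096, PHI_MARKERS[0]), (CHUNK - 5, PHI_MARKERS[1])):
        buf[off:off + len(m)] = m
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f: f.write(buf)
    before = find_traces(path, PHI_MARKERS)
    three_pass_wipe(path)
    after = find_traces(path, PHI_MARKERS)
    os.remove(path)
    return before, after
```

Pointing the same functions at a device node instead of an image file gives a whole-disk wipe, but note the caveat from the accepted solution: overwriting cannot reach sectors the drive has remapped or otherwise refuses to write, which is why the answers above still recommend logging the procedure and verifying the result.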
 

Author Closing Comment

by:Jsmply
ID: 35398723
Thx!  If anyone comes up with any more relevant answers or real-life scenarios, I'd be very interested!