Computer Hope

Software => Computer software => Topic started by: Mjryan37 on September 11, 2013, 06:05:47 PM

Title: Parted magic / Secure Erase
Post by: Mjryan37 on September 11, 2013, 06:05:47 PM
I work for a small company that occasionally receives computers that have Protected Health Information (PHI). Our current process is using DBAN or Killdisk to do a three pass overwrite and verification pass (DoD 5220 M). I am wondering if anyone else has experience with how to erase hard drives in a way that complies with all government regulations? We are going to be a covered entity which exposes us to external govt audits.

I've done a lot of research and issuing the secure erase command (built in to all ATA drives since 2001) is both faster and more efficient than ANY block overwrite utility. It even says so in the NIST SP 800-88 document titled "Guidelines for Media Sanitization." However, it DOES NOT recommend a specific program to issue the command with. So far I've found two that are free, HDDErase 4.0 and Parted Magic. Does anyone know if using freeware programs to issue SE is HIPAA/HITECH compliant? I've seen one other software program (Blancco) that costs money but it explicitly states it complies with all govt standards. It also is capable of keeping detailed records for audit purposes.

Does anyone know which governing body establishes the rules for wiping HDDs with PHI on them? I assume it is the NIST but I am no legal expert.
Title: Re: Parted magic / Secure Erase
Post by: Geek-9pm on September 11, 2013, 07:51:57 PM
No. 8)
How would anybody who does free software pay for a government certification?
But, maybe you could contact these people and ask for a free sample.
http://www.eraser.com/eraser-certification-program/
http://www.cyberscrub.com/topics/certified_file_deletion.php
http://www.whitecanyon.com/wipedrive-niap-certification

What happens to the drives after you wipe them clean? Are the drives resold?
What does your insurance company say?
Title: Re: Parted magic / Secure Erase
Post by: Mjryan37 on September 11, 2013, 08:22:19 PM
The drives are scrapped NOT RESOLD. Do you have experience using secure erase? It was developed by the Center for Magnetic Recording Research and sponsored by the NSA so essentially it was a govt funded program and that's why their tool (HDDERASE.exe) is FREE. Other utilities cost money for additional features. Hiren's boot CD is free and it includes both methods of secure erase (hdparm). Parted Magic used to be free but now it's $4.99 but it's got a whole bunch of other programs on it as well.

I like this site's explanation best.
http://www.esecurityplanet.com/windows-security/how-to-securely-delete-data-from-hard-drives.html

Do you or anyone else know if the NIST Special Publication 800-88 is what "officially" establishes the guidelines for hard drive sanitization to comply with HIPAA? Which govt body/organization establishes the methods of purging PHI data from hard drives?
Title: Re: Parted magic / Secure Erase
Post by: patio on September 11, 2013, 09:17:09 PM
I personally seriously doubt any Freeware app would pass and/or qualify under the constraints you have laid out...
It's the Government...think about that for a second...

P.S. Any reason you need to know this info?? 'Cause it's readily available...
Title: Re: Parted magic / Secure Erase
Post by: Geek-9pm on September 12, 2013, 07:55:30 PM
If the drives are to be scrapped, erasing them is pointless. The platters are soft material and can be readily mutilated beyond recovery of data.

Quote
...Liquid Technology’s secure data destruction services meet or exceed all industry-specific regulations, including:
    FACTA (Fair and Accurate Credit Transactions Act)
    GLB (Gramm-Leach Bliley) – banking and financial institutions
    HIPAA (Health Insurance Portability and Accountability Act) – the healthcare industry
    PCI DSS (PCI Data Security Standard)
    SOX (The Sarbanes-Oxley Act)
    CAL SB1386 (The California Information Practice Act)
EDIT: This is not a recommendation. You can find 'Liquid Technology' and similar companies in a Google search. They have a short video on the web site. They just grind drives to bits, no data recovery possible.
Title: Re: Parted magic / Secure Erase
Post by: Computer_Commando on September 13, 2013, 12:14:53 PM
If the drives are to be scrapped, erasing them is pointless. The platters are soft material and can be readily mutilated beyond recovery of data...
DoD used to require both. It has been changed.
http://www.destructdata.com/dod-5220-erasure-standard.html
"...As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable..."
Title: Re: Parted magic / Secure Erase
Post by: Geek-9pm on September 13, 2013, 12:28:05 PM

Computer_Commando, thanks for the link and clarification.

Can you take an old arc welder for degaussing (magnetically erase) a hard drive?