I work for a small company that occasionally receives computers that have Protected Health Information (PHI). Our current process is using DBAN or Killdisk to do a three pass overwrite and verification pass (DoD 5220 M). I am wondering if anyone else has experience with how to erase hard drives in a way that complies with all government regulations? We are going to be a covered entity, which exposes us to external govt audits.
I've done a lot of research, and issuing the secure erase command (built in to all ATA drives since 2001) is both faster and more efficient than ANY block overwrite utility. It even says so in the NIST SP 800-88 document titled "Guidelines for Media Sanitization." However, it DOES NOT recommend a specific program to issue the command with. So far I've found two that are free, HDDErase 4.0 and Parted Magic. Does anyone know if using freeware programs to issue SE is HIPAA/HITECH compliant? I've seen one other software program (Blancco) that costs money, but it explicitly states it complies with all govt standards. It also is capable of keeping detailed records for audit purposes.
Does anyone know which governing body establishes the rules for wiping HDDs with PHI on them? I assume it is the NIST, but I am no legal expert.
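As an added example (not from the original post, nor from HDDErase, Parted Magic or Blancco), a POSIX shell helper that reads the text of `hdparm -I` for a drive, decides whether the ATA Secure Erase command can be issued and which variant, prints the hdparm commands an operator would then run, and builds the kind of audit line the post asks about. It assumes hdparm is the tool used to issue the command; the device name, model and serial in the sample are constructed.

```shell
#!/bin/sh
# Added helper: from the text of `hdparm -I DEVICE`, decide whether the ATA
# SECURITY ERASE UNIT command can be issued and which variant, show the hdparm
# commands an operator would then run, and build an audit-log line. Nothing here
# touches a drive. Device, model and serial in the sample are constructed.
SAMPLE_HDPARM='/dev/sdX:
ATA device, with non-removable media
        Model Number:       EXAMPLE-MODEL
        Serial Number:      CONSTRUCTED-SERIAL-123
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# plan_secure_erase HDPARM_TEXT -> enhanced | normal | unsupported | frozen | locked
plan_secure_erase() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    # A bare "supported" line means the ATA Security feature set exists at all
    printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*supported[[:space:]]*$' || { echo unsupported; return 0; }
    # "frozen" without "not": the BIOS froze security, so no erase command is accepted
    printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*frozen' && { echo frozen; return 0; }
    # "locked": a user password is set and the drive must be unlocked first
    printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*locked' && { echo locked; return 0; }
    # Enhanced erase also covers reallocated and spare sectors, so prefer it when offered
    printf '%s\n' "$sec" | grep -Eq 'supported: enhanced erase' && { echo enhanced; return 0; }
    echo normal
}

# erase_commands DEVICE VARIANT -> the two hdparm invocations, in order, on stdout
erase_commands() {
    flag=--security-erase
    [ "$2" = enhanced ] && flag=--security-erase-enhanced
    # A temporary user password must be set; a successful erase clears it again
    printf 'hdparm --user-master u --security-set-pass TEMP %s\n' "$1"
    printf 'hdparm --user-master u %s TEMP %s\n' "$flag" "$1"
}

# audit_record HDPARM_TEXT VARIANT RESULT -> tab-separated: time, model, serial, method, result
audit_record() {
    model=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Model Number:[[:space:]]*//p')
    serial=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p')
    printf '%s\t%s\t%s\tATA-SECURITY-ERASE-%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$model" "$serial" "$2" "$3"
}
```

The audit line is only a starting point: a record that will face an auditor also needs who performed the erase, a post-erase verification result (for example a read of the first and last sectors), and where the drive went afterwards.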