Secudrive Drive Eraser
Advances in technology and the emergence of new data storage devices have made data destruction a more complex issue, because the new devices bring new aspects to it. This blog post summarizes current trends in data destruction.
Flash memory-based storage devices with high capacity, small size, and fast data processing speed are now common. They have different physical properties than traditional magnetic hard drives, and even magnetic hard drives have changed: they have higher capacity and different physical properties than earlier models. Flash memory-based storage exists in various forms, such as USB flash drives and external drives, and it is built into laptops, tablets, and smartphones. In addition, large amounts of data are now stored in cloud systems, which sometimes need to be wiped as well. Data destruction processes need to be adapted to suit the newest storage models.
As data storage devices diversify and technology advances, it is no longer possible to define one media sanitization method as the standard for all. In the United States, DoD 5220.22-M, which was recommended as the standard for disk-wiping algorithms, is officially no longer valid. NIST SP 800-88 Rev. 1, titled “Guidelines for Media Sanitization”, has taken its place. This document defines three categories of media sanitization: clear, purge, and destroy. It also provides minimum requirements and guidelines for each sanitization category and each storage device. Every organization should refer to it to establish and implement its own media sanitization policies and procedures.
For the latest magnetic hard drives, the Gutmann method (35-pass overwrite) and the DoD method (3- or 7-pass overwrite), long recognized as de facto international standards, are no longer needed. Studies show that a one-pass overwrite is sufficient. Because today's drives use a much higher recording density than in the past, the likelihood of recovering the original information with a magnetic force microscope has diminished; indeed, there are no reported cases of anyone recovering overwritten data this way. Nevertheless, many organizations still use the old multi-pass standards, more as a ‘traditional ritual’ than out of necessity, which is overkill.
Flash memory-based storage devices such as SSDs provide dedicated sanitize commands that complete far faster than the overwrite methods used on magnetic hard drives. Overwriting a flash memory-based device dramatically shortens its lifespan. Also, the physical storage area that holds the actual data and the logical storage area that software can address are distinct, so even if software overwrites the drive, old data may remain in a different area. Users need to know which commands are available for each storage device to make sure every storage area of the device is wiped.
Cryptographic erase (CE) encrypts stored data and then removes the encryption key, making the data irrecoverable. This process is faster and more efficient than erasing data, and CE is also a good method for sanitizing part of the data in a cloud system. However, to use CE one must ensure that all encryption keys have been deleted completely and that all data has actually been encrypted. In addition, NIST SP 800-88 recommends that users consider the following when deciding whether to use CE: 1) whether the encryption keys are generated in a proper manner, 2) whether the encryption used by the media to protect the data is strong enough, and 3) whether the security level of the encryption key and the key-wrapping technique are appropriate for CE. In a nutshell, CE can be very efficient if used correctly, but it is difficult to verify that it has worked.
A degausser cannot wipe every kind of storage device. Flash memory-based devices, for example, cannot be sanitized with a degausser because their data is not affected by a magnetic field. Some of the latest magnetic hard drives also have high coercivity, so data managers should make sure that their existing degausser actually works on the device they wish to erase.
The higher the density of a flash memory chip, the greater the chance of recovering data from its fragments, unless the chip is shredded into pieces that are very small relative to the original device. In addition, since flash memory chips are very hard, they easily damage the grinder, which may then need replacement parts or replacement of the entire machine. Finally, physical destruction can generate harmful substances that must be handled carefully. Overall, the cost of physical destruction has been increasing.
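To make the CE caveats concrete, here is an added example (not Secudrive's code and not a real self-encrypting-drive implementation): a simulated drive whose blocks are encrypted under a media encryption key (MEK), a crypto-erase that zeroizes and replaces that key, and the checks an operator can make afterwards. The keystream is HMAC-SHA256 in counter mode as a stand-in for the AES mode a real drive uses; the block size, the sample records and the scenario in which one block was written before encryption was switched on are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

BLOCK = 512  # logical block size of the simulated drive (assumption)


def _keystream(key: bytes, block_no: int, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, block_no || counter), concatenated.
    Stand-in for the AES mode a real self-encrypting drive would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = block_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedDrive:
    """Blocks are stored as they would sit on the media: encrypted under the
    media encryption key (MEK) when encryption is on, in the clear otherwise."""

    def __init__(self) -> None:
        self.mek = bytearray(secrets.token_bytes(32))  # lives in a hidden key store
        self.encrypting = True
        self.blocks = {}          # block number -> bytes as physically stored
        self.plain_blocks = set()  # blocks written while encryption was off

    def write(self, block_no: int, data: bytes) -> None:
        data = data.ljust(BLOCK, b"\x00")[:BLOCK]
        if self.encrypting:
            self.blocks[block_no] = _xor(data, _keystream(bytes(self.mek), block_no, BLOCK))
            self.plain_blocks.discard(block_no)
        else:
            self.blocks[block_no] = data
            self.plain_blocks.add(block_no)

    def read(self, block_no: int) -> bytes:
        stored = self.blocks[block_no]
        if block_no in self.plain_blocks:
            return stored
        return _xor(stored, _keystream(bytes(self.mek), block_no, BLOCK))

    def crypto_erase(self) -> bytes:
        """CE: zeroize the MEK in place and install a fresh one. The ciphertext
        is untouched. Returns a fingerprint of the destroyed key for the log."""
        fingerprint = hashlib.sha256(bytes(self.mek)).digest()
        for i in range(len(self.mek)):
            self.mek[i] = 0
        self.mek[:] = secrets.token_bytes(32)
        return fingerprint


def verify_crypto_erase(drive: SimulatedDrive, destroyed_fp: bytes, known: dict) -> dict:
    """Post-CE checks mirroring the NIST considerations: the old key is gone,
    known former contents no longer read back, and no block escaped
    encryption (the failure mode CE cannot fix)."""
    key_replaced = hashlib.sha256(bytes(drive.mek)).digest() != destroyed_fp
    recoverable = [n for n, data in known.items() if drive.read(n)[:len(data)] == data]
    return {
        "key_replaced": key_replaced,
        "recoverable_blocks": recoverable,
        "unencrypted_blocks": sorted(drive.plain_blocks),
        "ce_sufficient": key_replaced and not recoverable,
    }


def run_demo() -> dict:
    """Constructed scenario: one block written before encryption was switched
    on, two afterwards; then CE is performed and verified."""
    drive = SimulatedDrive()
    known = {0: b"LEGACY PLAINTEXT ROW",
             1: b"PATIENT RECORD 12345",
             2: b"PATIENT RECORD 67890"}
    drive.encrypting = False
    drive.write(0, known[0])
    drive.encrypting = True
    drive.write(1, known[1])
    drive.write(2, known[2])
    readable_before = all(drive.read(n)[:len(d)] == d for n, d in known.items())
    fingerprint = drive.crypto_erase()
    result = verify_crypto_erase(drive, fingerprint, known)
    result["readable_before_ce"] = readable_before
    return result


if __name__ == "__main__":
    print(run_demo())
```

The verdict comes back `ce_sufficient: False` because block 0 was never encrypted, which is exactly the case the guideline's "all data has been encrypted" condition is there to catch.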
NIST 800-88 recommends selecting a data erasure method from three categories (clear, purge, and destroy) depending on the confidentiality of the data and on whether the device will be reused or will remain under the organization's control. As a result, organizations need to be selective and capable of different erasure methods, including software wiping, degaussing, and physical destruction.
It is widely recommended that an organization have clearly defined software-wiping policies and procedures. For maximum security and convenience, organizations should wipe storage devices with software before reusing them, and even devices slated for disposal should be wiped before they leave the organization's hands. Outsourcing the entire data destruction process increases the likelihood of data leakage, because the storage device passes through the hands of several people before the data is erased. Software wiping, which is less expensive than degaussing or physical destruction, is therefore an essential requirement for an organization.
Secudrive Drive Eraser provides suitable sanitization and verification methods for a variety of media. It provides ATA commands for SSDs as well as overwriting for magnetic disks. The hexadecimal view verifies the data before and after wiping. Furthermore, after the deletion, logs covering the computer, the storage media, and the wiping operation are generated automatically. The logs can then be output as tamper-resistant reports and stored in various file formats for easy integration with the organization’s IT asset management system.
NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, can be summarized under four headings: 1) the purpose and scope of the document, 2) new trends in storage media and sanitization technology and the associated issues, 3) the three types of media sanitization, and 4) information sanitization and disposal decision making. This post is a brief summary intended to give a general understanding of the document; it omits the roles and responsibilities relating to media sanitization in an organization, which are covered in Chapter 3. Read the full guidelines if you want to understand them thoroughly.
NIST (National Institute of Standards and Technology) released Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization, a revision of the original 2006 edition. The guideline has become the new standard for media sanitization in organizations from the public to the private sector, in the US and in other countries. It is also known as ‘NIST SP 800-88’ or ‘NIST 800-88’.
Whereas the ‘DoD wipe standard’ is a specific method for wiping hard disk drives, NIST 800-88 is a set of guidelines for organizations. The guidelines cover media from paper to servers and sanitization methods from overwriting to shredding. The document states that its objective is “to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.”
You can shred paper to sanitize it. However, the sanitization of electronic storage media is more complex. In particular, new technological methods are needed for sanitizing emerging storage media.
This document defines three categories of media sanitization:
Appendix A, Minimum Sanitization Recommendations, states for each media type that, for most magnetic media and flash memory-based storage devices, ‘clear’ can be accomplished by software wiping, ‘purge’ by software wiping and degaussing, and ‘destroy’ by physical destruction.
The document offers suggestions for how to choose one of the above technique categories for sanitizing and disposing of media. (See the below flow chart.)
The appendices of this document are full of practical information as follows: 1) The minimum sanitization recommendations for each media, 2) tools and resources relating to media sanitization, 3) cryptographic erase device guidelines, 4) device-specific characteristics of interest, and 5) a sample “certificate of sanitization” form.
In conclusion, the document is intended to help organizations make decisions and establish policies and procedures on how to sanitize media. It also provides detailed minimum requirements and checklists for achieving the three types of sanitization (clear, purge, and destroy) depending on the nature of the media. Following the guidelines, organizations should create media sanitization policies and procedures that satisfy the specific data protection regulations they are subject to. However, it is challenging for general users to obtain the characteristics of every storage medium from vendors and to apply the verification methods the guidelines suggest.
Sanitization software can automatically adopt the wiping method suited to a specific medium and provide automatic verification. Secudrive Drive Eraser provides suitable sanitization and verification methods for a variety of media. It provides ATA commands for SSDs as well as overwriting for magnetic disks. The hexadecimal view verifies the data before and after wiping. Furthermore, after the deletion, logs covering the computer, the storage media, and the wiping operation are generated automatically. The logs can then be output as tamper-resistant reports and stored in various file formats for easy integration with the organization’s IT asset management system. For more, see our blog post on how to use Secudrive Drive Eraser for HIPAA compliance.
The DoD 5220.22-M data wipe method has long been widely used by organizations as a standard for data erasure. This blog discusses what DoD 5220.22-M is, recent issues relating to it, and its applications.
The DoD 5220.22-M data wipe method is a software-based process to overwrite existing information on a hard drive or other storage with patterns of ones and zeros to make the original data irrecoverable.
This method is typically implemented in the following manner:
In 1995, the above DoD 3-pass method for data erasure was first published in US Department of Defense document 5220.22-M. In 2001, a 7-pass method, DoD 5220.22-M ECE, was added in a DoD memo. The most recent version, released in 2006, no longer specifies a standard data erasure method. In other words, neither the usual 3-pass nor the enhanced 7-pass method is accepted by the US Department of Defense anymore.
However, ‘the DoD wipe method’ is still the most common method of erasing data that many public institutions and companies around the world trust and use.
Conventional magnetic hard disks have a one-to-one mapping between logical and physical addresses: the logical address specified when writing data to an HDD corresponds to a fixed physical location on the platter. This is no longer true for flash memory-based storage devices. Such a device typically has at least 20 percent more physical capacity than its logical capacity, and its firmware decides opaquely where data is physically written, because of the technical characteristics of flash memory. As a result, remnant data may remain available to a sophisticated attacker even after the entire logical storage has been overwritten. Therefore, many Solid State Drive (SSD)-based storage media support dedicated wipe commands, whereas the software-based overwrite method is only reliable for magnetic hard drives.
Some researchers have demonstrated that a single overwrite is enough to prevent data from being recovered (Gordon Hughes and Tom Coughlin; Craig Wright et al.). Thanks to technological advances, the one-pass method is recognized as sufficient, which improves the efficiency of sanitization by saving time. Finally, in 2014, NIST SP 800-88 Rev. 1 stated that “for storage device containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.” Not everyone agrees with this approach, and many still prefer to overwrite several times. However, it is also true that the belief that one must overwrite three or seven times has faded.
‘NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization’ was released in 2014. The guidelines reflect more up-to-date media and sanitization technologies and also give more detailed consideration to all sanitization methods, such as wiping, degaussing, and physical destruction, for each type of media. Since 2014, regulations have cited the guidelines rather than the DoD standard.
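The following is an added example (not Secudrive's code) that carries out the DoD 5220.22-M 3-pass pattern and the NIST 800-88 single-pass Clear discussed above on an ordinary file, with the read-back verification and hexadecimal view that the article mentions. It works on a file rather than a raw device so it can be run safely; that also means it only clears the file's logical blocks and, as the article explains, says nothing about remnant data in the non-addressable areas of flash-based devices. The sample content and chunk size are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Optional, Sequence

BLOCK = 4096  # I/O chunk size used to stream each pass (assumption)

# A pass is a 1-byte fill value, or None for a pass of random bytes.
# DoD 5220.22-M, 3-pass: a character, its complement, random; then verify.
DOD_5220_22_M_3PASS = (b"\x00", b"\xff", None)
# NIST SP 800-88 Clear for magnetic media: a single fixed-pattern pass.
NIST_800_88_CLEAR = (b"\x00",)


def overwrite_file(path: str, passes: Sequence[Optional[bytes]]) -> dict:
    """Overwrite every logical byte of `path` once per entry in `passes` and
    verify the last pass by reading the file back: the SHA-256 of the bytes
    read must equal the SHA-256 of the bytes written."""
    size = os.path.getsize(path)
    written = hashlib.sha256()
    with open(path, "r+b") as f:
        for fill in passes:
            written = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK, remaining)
                chunk = os.urandom(n) if fill is None else fill * n
                f.write(chunk)
                written.update(chunk)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass to the device, not just the page cache
        f.seek(0)
        readback = hashlib.sha256()
        for chunk in iter(lambda: f.read(BLOCK), b""):
            readback.update(chunk)
    return {"bytes": size, "passes": len(passes),
            "verified": written.digest() == readback.digest(),
            "final_sha256": readback.hexdigest()}


def hex_view(path: str, offset: int = 0, length: int = 64) -> str:
    """Hexadecimal view of a region of the file, for before/after comparison."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    rows = []
    for i in range(0, len(data), 16):
        row = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{offset + i:08x}  {hexpart:<47}  {text}")
    return "\n".join(rows)


def run_demo(sample: bytes = b"PATIENT RECORD 12345 " * 500) -> dict:
    """Constructed sample: write a 'sensitive' file, sanitize it with both
    patterns, and report what the hex view shows before and after."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, sample)
        os.close(fd)
        before = hex_view(path)
        dod = overwrite_file(path, DOD_5220_22_M_3PASS)
        with open(path, "rb") as f:
            after_dod = f.read()
        clear = overwrite_file(path, NIST_800_88_CLEAR)
        with open(path, "rb") as f:
            after_clear = f.read()
        after = hex_view(path)
    finally:
        os.unlink(path)
    return {"before": before, "after": after, "dod": dod, "clear": clear,
            "plaintext_survived": sample[:14] in after_dod,
            "all_zero": after_clear == b"\x00" * len(sample)}


if __name__ == "__main__":
    out = run_demo()
    print(out["before"], "\n---\n", out["after"], "\n", out["dod"], out["clear"])
```

Because the read-back here comes from the same host that wrote the data, it proves the filesystem accepted the writes; on a real drive the verification read should be done after caches are dropped, or from a separate system, before it is recorded as evidence.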
The guidelines have become a comprehensive standard for data erasure in the US since their publication. They define three categories of media sanitization as follows:
– Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage devices. (wiping)
– Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques. (wiping, degaussing)
– Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data. (physical destruction)
The guidelines provide detailed media sanitization methods that meet the characteristics of each storage media for each category. According to the confidentiality level of stored data, organizations should prepare and implement policies and procedures by combining wiping, degaussing, and physical destruction for media sanitization, when they reuse or dispose of the media.
The DoD 5220.22-M data wipe method is still the most widely used approach, and it is often still required by an organization’s policy or regulations. The method still works for HDDs, although it may be overkill. However, the method, like any other data wipe method based on overwriting, has a clear limit for flash memory-based storage devices, including SSDs. According to the NIST guideline, SSDs must be erased using dedicated firmware commands.
Secudrive Drive Eraser supports ATA (Advanced Technology Attachment) commands for SSD sanitization as well as more than 20 international erasure standard algorithms, including the DoD standard, for magnetic hard disk wiping. It also provides logs and reports, which can be used later to confirm that a storage device has indeed been sanitized by a specific method. The logs and reports can be easily integrated with IT asset management systems. As a result, Secudrive Drive Eraser helps you abide easily by the Guidelines for Media Sanitization throughout the system life cycle.
HIPAA (the Health Insurance Portability and Accountability Act) strictly prohibits covered entities from disclosing PHI (Protected Health Information) to unauthorized parties during the creation, storage, and transmission of PHI.
PHI includes almost all information on a patient:
1) any identifying information about a patient as an individual, including his or her name, phone number, email address, Social Security number, health insurance subscriber number, credit card information, photographs, etc.
2) a patient’s medical information, including medical conditions, prescriptions, X-ray images, blood test reports, etc.
Noncompliance may result in fines ranging from $100 to $50,000 per violation “of the same provision” per calendar year. Many OCR (Office for Civil Rights) HIPAA settlements have resulted in fines of over $1 million. The largest settlement as of September 2016 was $5.5 million, levied against Advocate Health Care for several breaches that affected a total of 4 million individuals.
Many cite ‘Improper Disposal of PHI’ as one of the top 10 most common HIPAA violations.
Employees inadvertently throw documents in the trash, or dispose of USB drives, external hard drives, or computers, causing frequent PHI leaks.
PHI printed on paper can be disposed of simply by shredding it in a document shredder. Completely deleting ePHI (electronic Protected Health Information), that is, PHI stored on a computer, is not so simple: even after you run the ‘delete’ or ‘format’ command on Windows, the information can be easily recovered. Moreover, a storage device holds the most information right before disposal, so disposing of it without destroying the data risks a massive information leak.
Standard §164.310(d)(1) Device and Media Controls, in HHS HIPAA Security Series 3: Security Standards – Physical Safeguards, requires that a covered entity “implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored,” and “implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.” It also gives three example methods of ePHI data destruction that render the data unusable and/or inaccessible: erasure software, degaussing, and physical destruction.
Secudrive Drive Eraser, one such erasure software solution, can completely erase data stored on computer hard drives, USB flash drives, external hard drives, and SSDs. The solution supports about 23 international standard algorithms. The software ships on a USB flash drive; plugging it into the computer and clicking the executable file makes the data deletion process very easy, easy enough for non-IT professionals to run it on Windows. The results of data wiping are saved back to the USB drive in the form of logs and reports, and the tamper-proof reports can be used as evidence of HIPAA compliance.
Data destruction service providers usually perform degaussing and physical destruction, because these involve physical tasks such as removing the hard disk from the computer. If you outsource the service, there is a risk of loss or theft during shipping or storage, and it is relatively expensive as well. Secudrive Drive Eraser can be one of the best options for cost-effectiveness as well as security.
Data wiping with Secudrive Drive Eraser makes data logically unrecoverable by overwriting the disk area where the original data resided with zeros, ones, or random values, repeatedly if the chosen algorithm requires it. Because it uses internationally recognized standard data erasure algorithms, the data can be regarded as completely deleted, just as with physical destruction. It therefore helps companies and organizations comply with the various data protection regulations that apply to them.
[Comparison table, only partially recovered from the page. Column: Secudrive Drive Eraser (the second column header is missing). Row fragments as captured: Where to erase: On User’s Desks; Move After Erase; Move and Destruction. Data Breach Risk: Relatively High During (cell truncated). IT Asset Management: Easy Integration with (cell truncated).]
More cost-effective: wiped drives can be resold, reused, or donated.
You can resell, reuse, or donate wiped hard drives, whereas physical destruction turns the hard drive into industrial waste. The price of erasure software is also generally far lower than the cost of physical destruction services. Besides, wiping is eco-friendly because it does not create industrial waste, including toxic substances.
More secure: fewer handlers, fewer locations, and tamper-proof reports enhance security
Companies use data destruction service providers for physical destruction. The IT department collects disposed computers that still hold unwiped data and stores them in an in-house warehouse or elsewhere. A data destruction service provider then moves the machines to a site with physical destruction equipment such as a shredder, where its workers punch or shred the disks or computers. Because physical destruction is cumbersome to perform in the company’s own office, the data is inevitably destroyed only after passing through various hands and various places, and the possibility of theft or loss, in other words the data leakage risk, increases.
Recently, more and more companies have adopted data wiping instead of physical destruction. Secudrive Drive Eraser is easy enough to be used in the office: general users can wipe their own disks at their desks, or IT personnel can wipe computers gathered at the in-house IT department. Exposure is much reduced by minimizing the number of transfers, storage locations, and parties involved.
Finally, it is convenient to record data destruction operations, which is essential for later audits under various security regulations. Pictures or videos are the only way to record physical destruction work, and they can be forged or altered. Wiping software, by contrast, automatically collects information on the computer, the disk, and the erasure operation, and creates tamper-proof reports.
IT managers can manage disk wiping operations remotely with the logs and reports. The logs and reports can also be easily integrated with the company’s asset management solution.
We launched Secudrive Drive Eraser, a new USB-type secure data erasure solution for businesses, into the market on July 21.
Secudrive Drive Eraser is an improvement on, and a replacement for, the existing Secudrive Sanitizer Portable. The new solution provides a more convenient user interface and user-friendly functions for applications ranging from small businesses to large enterprises and data destruction service companies.
Easy operation. Secudrive Drive Eraser can completely erase all data, including the operating system, by running the .exe file while logged in to Windows. This enables even general users, not only IT specialists, to wipe their computers themselves. After wiping, businesses can freely dispose of, reuse, or resell the computers without worrying about data leakage. Not many vendors provide this feature.
One for all. Secudrive Drive Eraser can also wipe computers piled up in storage without a network connection. It provides USB booting and a CLI (Command Line Interface) mode to erase Windows, Linux, and Mac computers in various situations. USB flash drives, external hard drives, and SSDs (Solid State Drives) connected to the PC can be wiped as well. For SSDs it supports the ‘Secure Erasure’ function to protect the drive’s lifespan, and this feature is provided by default.
High-speed erasure. You can erase multiple PCs at the same time: insert the USB flash drive into the target PC to start the erase program, then unplug it and plug it into another PC to start another erase operation. Once you have set up your company’s standard erase operation the first time, no additional setup is needed. Also, if multiple drives are connected to one PC, they can be wiped in parallel to maximize erase speed.
Convenient add-ons. Before erasing, it shows the estimated operation time for the selected drive and algorithm. It provides a percentage S.M.A.R.T. index to check whether the drive can be reused, and a hexadecimal view to verify the operation.
Logs and reports. Once the erase operation is completed, the log is saved to the USB drive and managed centrally, so the operation history can be traced per operator. Secudrive Drive Eraser also provides tamper-proof reports on computer information, drive information, and erase operation information. You can export reports as HTML, CSV, or PDF files to integrate with enterprise asset management systems and prepare for post-audits.
Secudrive, one of the biggest cyber security vendors in South Korea, is participating in GISEC 2019 from April 1 to 3 in Dubai, UAE. Secudrive will once again team up with RAS Infotech, its biggest partner and cyber security marketplace in the MENA region. GISEC 2019 will be Secudrive’s first international appearance this year, kicking off its series of global cyber security events. This is Secudrive’s sixth visit to Dubai; the previous five were for GITEX Technology Week, and this is its first time at GISEC, an event more oriented to cyber security. Ras Infotech and Secudrive look forward to meeting professionals and executives from diverse industries at GISEC 2019.
Secudrive and Ras Infotech will promote Secudrive’s mainstay solutions for File Server Security with DRM and USB Drive Security & Remote Management. These two solutions have been received positively by various customers in the MENA region. Visitors will be able to learn more about them through live demos and thorough explanations from Secudrive and Ras Infotech experts.
Secudrive joins RAS Infotech at stand A10 in Hall 8 of the Dubai World Trade Centre. All visitors are welcome to experience Secudrive solutions first hand with live demos by Secudrive experts. The Secudrive sales team will also be present to discuss customers’ needs and requirements and how Ras Infotech and Secudrive can help establish a solid data security architecture throughout the data life cycle.
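The posts above repeatedly rely on wipe logs being tamper-proof (the audit-evidence point in the cost/security comparison and the per-operator history and exports in the product notes). As an added example, not Secudrive's log format, here is one way to make such a log tamper-evident: each record is canonical JSON, and an HMAC-SHA256 tag covers the record, its sequence number and the previous record's tag, so editing, removing or reordering an entry is detected by anyone holding the verification key. The key is assumed to be held by the asset-management system rather than on the wiping USB stick; the records, hosts, serials and timestamps are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_tag of the first record


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, key: bytes, record: dict) -> dict:
    """Append `record` with a sequence number, the previous record's tag, and an
    HMAC-SHA256 tag over all of that. Changing, dropping, or reordering any
    earlier entry invalidates the chain after it."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = dict(record, seq=len(log), prev_tag=prev_tag)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes) -> list:
    """Return (position, problem) pairs; an empty list means the log is intact."""
    problems = []
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if entry.get("seq") != i:
            problems.append((i, "sequence gap or reorder"))
        if entry.get("prev_tag") != expected_prev:
            problems.append((i, "chain broken"))
        tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry.get("tag", "")):
            problems.append((i, "record modified"))
        expected_prev = entry.get("tag", "")
    return problems


def run_demo() -> dict:
    """Constructed records modelled on the fields of a sanitization certificate
    (computer, drive, method, verification, operator, outcome, time)."""
    key = b"constructed-demo-key-held-by-the-asset-system"  # not for production
    log = []
    records = [
        {"operator": "jdoe", "host": "PC-0142", "drive": "SSD SN-EXAMPLE-1",
         "method": "ATA Secure Erase", "verification": "hex view",
         "result": "pass", "time": "2019-07-21T10:15:00Z"},
        {"operator": "jdoe", "host": "PC-0143", "drive": "HDD SN-EXAMPLE-2",
         "method": "NIST 800-88 Clear (1-pass zeros)", "verification": "read-back",
         "result": "fail", "time": "2019-07-21T10:40:00Z"},
        {"operator": "asmith", "host": "PC-0150", "drive": "HDD SN-EXAMPLE-3",
         "method": "DoD 5220.22-M (3-pass)", "verification": "read-back",
         "result": "pass", "time": "2019-07-21T11:05:00Z"},
    ]
    for rec in records:
        append_record(log, key, rec)
    # Tampering 1: the failed wipe is edited to read "pass".
    edited = json.loads(json.dumps(log))
    edited[1]["result"] = "pass"
    # Tampering 2: the failed wipe's record is simply removed.
    truncated = [log[0], log[2]]
    return {"intact": verify_log(log, key),
            "edited": verify_log(edited, key),
            "removed": verify_log(truncated, key)}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "log intact")
```

An HMAC only proves integrity to someone who holds the key; if the reports must also be verifiable by an outside auditor who is not trusted with that key, a digital signature from a key the operator cannot reach should take the HMAC's place.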
HIPAA compliance to protect patient health information (PHI) on physical or electronic media is essential for healthcare organizations. Failing to comply with HIPAA threatens an organization’s finances, through potentially heavy fines ranging from $100,000 to $16,000,000 in total per entity depending on the nature and gravity of the violation, and its reputation, through the broken trust of patients who feel their information may be in danger.
HIPAA violations can be classified as typical data breach incidents, since they involve confidential data being exposed accidentally or maliciously by internal or external actors. However, HIPAA violations show a distinct characteristic in their causes: insider breaches are a major problem in healthcare, yet many go undetected. According to Verizon’s Protected Health Information Data Breach Report, 58% of incidents involved insiders; healthcare is the only industry in which internal actors are the biggest threat to an organization.
Insiders in healthcare can be defined as individuals authorized to access healthcare resources, including electronic medical records, networks, email accounts, or documents containing PHI. Unfortunately, some healthcare insiders are known to be unaware of the HIPAA rules and of the repercussions for breaching them. A healthcare survey by Veriphyr, a HIPAA compliance solution developer, found that 35% of healthcare “insiders” had snooped into the medical records of fellow employees, and 27% had accessed the medical records of family and friends. Here are some eye-opening, insider-involved HIPAA violations that caused organizations considerable damage.
These cases show that HIPAA violations caused by insiders happen without the organizations suspecting, under their noses. In a review of 306 data breaches in healthcare, shown to be caused by insiders, 48% were financially motivated, and 31% were motivated by fun or curiosity, according to the Verizon report. Interestingly, another 10% were motivated by convenience. When insiders do something that will make it easier for them to get their work done, it also carries a possibility of putting confidential ePHI at risk.
To prevent insider-caused violations, organizations follow the three safeguards of the HIPAA Security Rule: administrative, physical, and technical. Of the three, the technical safeguards are considered the most difficult, so organizations tend to focus on the administrative and physical safeguards instead, for the reasons below.
Common administrative and physical safeguards include organizations conducting thorough background checks when hiring new staff or contractors, holding periodic training programs to educate their employees about HIPAA and to instruct them to report suspicious activities, or limiting physical access to data points (PCs, mobile devices, medical equipment, and more).
However, there are situations these two safeguards cannot fully cover: employees forgetting the rules, human error, outside influences, and more. Organizations must therefore turn to technical safeguards and implement appropriate measures on top of the administrative and physical ones. Identifying the right measures is not easy for every organization, especially smaller ones. So what measures will help healthcare organizations of all sizes prevent insider-caused HIPAA violations?
Insider-caused HIPAA violations are a clear and present danger for healthcare organizations, and the common approach to tackling them has been limited to educating employees and enforcing policies through legal documents. However, when insiders access or use ePHI, their actions are unpredictable and, even worse, wrongdoing may go undetected under the organization’s nose. It is therefore highly recommended that technical measures that actually ‘stop’ insiders from causing HIPAA violations be enforced.
With so many data security solutions available in the market, organizations can find it hard to implement technological measures that fit their needs and requirements. With the five appropriate measures listed above, organizations can set HIPAA-compliant data security architecture that can respond to insider threats that may be undetectable and unpredictable.
The Health Insurance Portability and Accountability Act, or HIPAA, is legislation that provides security provisions and data privacy to keep patients’ medical information safe. It came into effect in 1996, but the notion of electronic patient health information, or ePHI, and its protection was introduced in 2005, when the HIPAA Security Rule was laid down in the form of three security safeguards (administrative, physical, and technical) that must be observed for HIPAA compliance. With the data volume and monetary value of ePHI growing exponentially, and cybersecurity issues looming large on a global scale, understanding these safeguards has become mandatory for all companies in the medical and healthcare industries.
U.S. Department of Health and Human Services defines the Security Rule as “national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”
As the medical and healthcare industries, like every other industry, go electronic in handling PHI for higher efficiency and productivity, the security risks involving ePHI multiply. The HIPAA Security Rule was therefore imposed as an extension of the Privacy Rule of the same legislation, stating that all ePHI must be properly secured from unauthorized access, whether the data is at rest or in motion. The fundamentals of the Security Rule are flexibility, scalability, and technology neutrality, so as to encourage as many companies as possible to improve ePHI protection against threats from inside and out. Companies are thus allowed adequate time to identify their needs and adopt new technologies for the betterment of patient care and the safety of ePHI. To comply with the HIPAA Security Rule, companies are required to implement three distinct yet closely related types of safeguards that may sound ambiguous at first: administrative, physical, and technical.
“…administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The administrative safeguards cover over half of the HIPAA security requirements, focusing on the execution of security practices for the protection of ePHI. The administrative safeguards implement policies that prevent, detect, contain, and correct security violations. Moreover, they should be understood as the foundation of the Security Rule, as companies are better off tailoring their HIPAA security measures around the following five safeguards.
By laying down a solid administrative groundwork for ePHI security and HIPAA compliance, companies can establish organization-wide policies and procedures that dictate data security and the action plan to follow should an unexpected breach occur.
“…physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
From a physician’s home PC to the designated data centers of university hospitals, ePHI resides in various electronic assets and media. Physical safeguards are the implementation standards governing physical access to information systems, equipment, and facilities:
These physical safeguards, combined with the administrative and technical safeguards, work to ensure that ePHI is neither tampered with nor leaked through thousands of devices and assets.
“…the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Perhaps the most talked-about of all, the technical safeguards are the final pieces of the HIPAA Security Rule. One of the fundamental concepts of the HIPAA Security Rule is technology neutrality, which means that the rule does not require companies to adopt specific technologies. Thus companies independently identify and satisfy their specific ePHI security needs based on these specific safeguards:
Applied to all ePHI, the technical safeguards help companies regulate ePHI access, use, and transmission – in other words, technical safeguards aim to protect ePHI at the times when it is in its most vulnerable state. Not limited to the mandatory measures specified by governing authorities, companies can implement their own measures suitable for the company’s size, industry, ePHI data volume, etc. With growing concerns about cybersecurity threats, it is no surprise that technical safeguards are extremely crucial for medical and healthcare organizations, as well as for cybersecurity companies.
Modern technologies provide efficiency and productivity when handling patient information electronically, and that naturally leads to better care for patients; however, it is a double-edged sword. ePHI keeps growing in volume and value, and it attracts interest not only from companies but also from cybercriminals. Thus the HIPAA Security Rule was enforced to protect sensitive patient information from the inherent security risks of the digital world. However, it is no easy task to meet the requirements of the safeguards, and penalties for HIPAA noncompliance range from $100 to $50,000 per violation. Therefore, companies must make ePHI security a part of their daily routine and continuously monitor the situation to avoid legal consequences.