Categories
Blog Data Erasure

Data Destruction for HIPAA compliance

The HIPAA (The Health Insurance Portability and Accountability Act) strictly regulates covered entities not to disclose PHI (Protected Health Information) to the unauthorized public, in the process of the creation, storage, transmission of PHI.

PHI includes almost all information on a patient:

1)     any identifying information about a patient as an individual, including his or her name, phone number, email address, social number, health insurance subscriber number, credit card information, photographs, etc.

2)     a patient’s medical information, including medical conditions, prescriptions, x-ray image, blood test report, etc.

Noncompliance may result in fines that range between $100 and $50,000 per violation “of the same provision” per the calendar year. Many OCR (The Office of Civil Rights) HIPAA settlements have resulted in fines of over $1 million. The largest settlement as of September 2016 was for $5.5 million, levied against Advocate Health Care, stemming from several breaches that affected a total of 4 million individuals.

Many cite ‘Improper Disposal of PHI’ as one of the top 10 most common HIPAA violations.

Employees inadvertently throw away documents in the trash, or dispose of USB drives, external hard drives, or computers, causing frequent PHI leaks.

PHI printed on paper can be easily disposed of by shredding in a document shredder. However, complete deleting ePHI (electronic Protected Health Information), PHI stored in a computer, is not simple: Even if you run ‘delete’ or ‘format’ command to erase the information on Windows, the information can be easily recovered.  Besides, the storage device stores the most information just before disposal, so if you dispose of the device without data destruction, you will encounter a tremendous amount of information leakage accident.

Standard §164.310(d)(1) Device and Media Controls, in HHS HIPAA Security Series 3: Security Standards – Physical Safeguards, regulates that covered entity must “implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored,” and “implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.” It also gives three methods of ePHI data destruction, as examples, for the data to be unusable and/or inaccessible: erasure software, degaussing, and physical destruction.

Secudrive Drive Eraser can completely erase data stored on computer hard drives, USB flash drives, external hard drives, and SSDs, as one of the erasure software solutions. The solution supports about 23 international standard algorithms. The software comes in a USB flash drive, plugging the USB flash drive into the computer and clicking the executable file makes the data deletion process very easy. It’s easy enough for non-IT professionals to run it on Windows. The results of data wiping are saved back to USB in the form of logs and reports. You can use tamper-proof reports as evidence of HIPAA compliance.

Data destruction service providers often perform degaussing and physical destruction methods because of physical tasks such as removing the hard disk from the computer. If you outsource the service, there is a risk of loss or theft during shipping or storage. It cost relatively expensive as well. Secudrive Drive Eraser could be one of the best options due to cost-effectiveness as well as security.

Categories
Blog Data Erasure

Disk Wiping Vs. Physical Destruction

Data wiping with Secudrive Drive Eraser makes it logically unrecoverable by repeatedly overwriting zeros, ones, or random numbers on the disk where the original data resided. It uses internationally recognized standard data erasure algorithms so that it can be recognized as completely deleted, just like physical destruction. Therefore, it allows you to comply with various data protection regulations with that companies and organizations must comply.

Data wiping with Secudrive Drive Eraser is 1) more cost-effective, 2) more secure, and 3) more convenient for management than physical destruction.

Secudrive Drive Eraser

Physical Destruction

Data

Unrecoverable

Unrecoverable

Device

Reusable, Resellable

Trash

Record

Temper-Proof Report

Photo/Video

Workplace*

On User’s Desks

Warehouse

Where to erase

Move After Erase

Move and Destruction

Data Breach Risk

Minimum

Relatively High During 
Moving/Storage

Integrated with
IT Asset Management

Easy Integration with
logs

None

  • Secudrive Drive Eraser can wipe drives separately stored in a warehouse, too. However, Secudrive recommends wiping before moving machines to a warehouse to improve security.

More cost-effective: wiped drives can be resold, reused, or donated.

You can resell, reuse, or donate wiped hard drives, while physical destruction makes the hard drive industrial waste. It is also common that the price of erasure software is generally significantly lower than the cost of physical destruction services. Besides, It is eco-friendly because it does not cause industrial waste, including toxic substances.

More secure: fewer handlers, fewer locations, and tamper-proof reports enhance security

Companies use data destruction service providers for physical destruction. IT department collects disposed computers that still have the unwiped date and store them in an inhouse warehouse or somewhere. Then a data destruction service provider moves the machines into a workplace with physical destruction equipment like a shredder. Then workers at data destruction service companies punch or shred the disks or computers. Since physical destruction is cumbersome to be done in the company’s office, the data is inevitably destroyed after carrying by various hands through various places. Possibility of theft or loss, in other words, data leakage risk, increases.

Recently, more and more companies have introduced data wiping instead of physical destruction for data destruction. Secudrive Drive Eraser is easy enough for the companies to be done in the office. Even general users can wipe their own disks by themselves on their desks, or IT personnel can wipe computers gathered to an in-house IT department. Security vulnerabilities are much reduced by minimizing the number of transfers, storage, and related parties.

Finally, it is convenient to record data destruction operations. It is essential to record data destruction to prepare for post audits under various security regulations. Pictures or videos are the only way to record physical destruction work. There is also the possibility of forgery and alteration. However, the wiping software automatically collects information on computer, disk, and erasure operation. It also creates tamper-proof reports.

Integrated management

IT managers can manage disk wiping operations remotely with the logs and reports. The logs and reports can also be easily integrated with the company’s asset management solution.