Last Updated: 2009-05-15 14:16:14 UTC
by Daniel Wesemann (Version: 2)
Fellow ISC handler Patrick Nolan commented earlier on the changes to HIPAA requirements that the recent HITECH act brings to hospitals and health care providers in the U.S. The portion that I want to dive into with a bit more detail is
"Electronic media [must be] cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that [sensitive information cannot] be retrieved."
NIST 800-88 is pretty succinct and explicit in its demands on how media and harddisks are to be purged or destroyed. "Purging" refers to making the contents unreadable by "degaussing" the disk or using the "secure erase" command in the drive's firmware. "Destroying" in the words of NIST includes "Disintegration, Pulverization, Melting, and Incineration".
So far, so good. But there's a catch. Let's assume that you have a hard drive which contains sensitive data. It doesn't really matter if you are a bank or a hospital or a cutting-edge research shop: The data on the disk is vital. And the disk just snuffs it one day and refuses to spin. Let's further assume that - not uncommon for servers - the disk is still under warranty, and if you ship it back to your vendor, you'll get it replaced for free.
Now what? According to NIST 800-88, a disk with sensitive content which leaves your organization's control has to be destroyed. I strongly suspect though that shipping a baggie of metal confetti back to your vendor could slightly impair your warranty rights. Shipping the disk as-is, on the other hand, exposes your data to all sorts of nightmares, not the least of which being your vendor getting it back to spin and reselling it on eBay as "used, in working condition".
How do you deal with this problem? Do you shred all the disks that leave your shop, forgoing the warranty? Do you degauss the disks before returning, hoping that the degausser actually does its job and the vendor's check doesn't mind? Did you carefully vet your vendor's media handling and have full traceability for all disks returned? Or do you simply take the plunge and hope that your old disk vanishes in the sea of disks offered for resale?
Please let us know by participating in the poll to the right!
Update 1400 UTC: Here's a summary of the responses we received so far. Thanks for all the comments!
The consensus of the responses we received is that saving the cost for a harddrive replacement is never worth the embarrassement, loss of customer confidence and legal mess to be expected when the drive turns up somewhere down the road with the data still intact.
How this is achieved seems to depend on the "muscle" that a firm can bring into negotiations with the vendor. Readers from larger firms and government entities reported that their contract allows them to destroy drives and still get replacement under warranty.
Smaller entities usually just "take the hit", shred the drive, and chalk the replacement down as cost of doing business.
We also received a few responses of readers who use a degausser, and then ship the drive back for warranty replacement. This seems to be a minority though - from the responses we got, most firms don't bother with degaussing, and go for physical destruction in all cases.
Several readers also pointed out that the whole problem starts one step prior .. you need to first find out which of your devices contain disks (multi-functional printers, anyone?) and make sure that your purging/destruction process chosen actually catches them all.
Some comments indicated that full hard disk encryption has made it possible to ship disks around, no problem, but others said that even with encryption, they would not take the risk.