[REQUEST] Medical/Legal-based data erase/destruction

Archon Prime

I do my own secure formatting of drives for regular clients. But I had a call today from a doctor's office that wanted to know if I was able to do that. But I guess their main medical corp needs something in writing from the IT provider saying that it's guaranteed, etc. I can't provide that; as far as I'm aware, that would leave me liable for anything like that. I mean, I know it's erased, but I don't want to take it that extra step to give a 110% guarantee that this data is not going to get compromised. I'm too small to have to deal with the legal stuff.

I zero out the data 6 times on drives that are less than 500GB and 2 times if it's 1TB+.

Does anyone deal with this sort of thing for Medical/Legal companies that has a little more information on this sort of process?

Also, if anyone knows of a company in Canada/Ontario that deals with this stuff, it would be appreciated so I can refer them there.
 
Several years ago we purchased a device called the CRU WiebeTech Drive Erazer Ultra
https://www.cru-inc.com/products/wiebetech/wiebetech_drive_erazer_ultra/

Actually came across that product a couple of years ago from another forum member here... I think it was TechLady?
Anyways, it has about 12 or 15 different "wipe" techniques you can select, and you get a serial label printer for it, and it will print the labels out for your "Certificate of Destruction". We keep a copy, and I give the original to the client.

It's quite fast too.
 
The reality is, had the doctor actually followed HIPAA (and they never do) the patient information should all be encrypted and password only known by authorized personnel as outlined in their HIPAA program.

The only way they could hold you liable for those patient records is if you enter into a HIPAA Business Associate Agreement with them. Without that piece of paper signed by you, the covered entity (the medical practice) is the one who would be held responsible for the breach because it occurred the moment they handed you non-encrypted data w/o that signed document.

I have yet to ever have a single medical professional serve me with a Business Associate Agreement to sign. We are always drafting it ourselves and handing it to them to sign along with chain of custody and other necessary paperwork.

A single thorough zero-fill is enough to guarantee data is gone forever. Multi-pass is a waste of electricity beyond that.
 
A single thorough zero-fill is enough to guarantee data is gone forever. Multi-pass is a waste of electricity beyond that.

Yes, the multi-pass is a holdover from many years ago when the actual space occupied by a single bit was relatively large. They could then use a SEM to scan the surface and recover the original value. The original paper from Peter Gutmann is what usually gets referenced. He updated the paper with an epilogue many years later. For all intents and purposes, data on a modern drive that has had a one-pass wipe is unrecoverable. And if it's encrypted and you wipe the header, it's the same thing. Even if it's encrypted I just do a single pass, random, with the Drive Erazer that @YeOldeStonecat mentioned.
 
Get one of these http://purelev.com/ and document the serial number of the drive when received with photo of aftermath. We also have a drive eraser mentioned above - works great on a functional drive - crusher for dead drives.
 
Get one of these http://purelev.com/ and document the serial number of the drive when received with photo of aftermath. We also have a drive eraser mentioned above - works great on a functional drive - crusher for dead drives.

Why be so wasteful? You can send us up to 10 drives per week for free and we'll even provide certificates that they've been sanitized. We only charge if it's a whole lot of drives because then it starts to interfere with our data recovery work.

We digitally wipe them, if possible, or we remove and degauss the platters. We then use the parts to save our customers money on data recovery projects.
 
We are just being responsible to our clients - when it comes to medical/legal/PCI I am entrusted with those drives. If I was to send them out to someone and they got lost in transit, that is a breach. You would have to be another person in the BAA chain as you are in possession of data from my client. Just too much risk there and exposure. A few dollars per drive doesn't outweigh a $10,000+ DHSS fine; just something I don't wanna mess around with.
 
New hard drives that are internally encrypted and if you use SATA secure erase, it's basically the same thing, it's wiped.
New SSDs that are encrypted are also not recoverable once secure erase has been performed; the individual chips are just random bits.
I'd be 100% comfortable declaring the drive wiped and HIPAA compliant.

Now older drives and SSDs (SATA 1/2, and IDE) I'd probably use a wiper like DBAN, with 6 passes or the like.
 
A single thorough zero-fill is enough to guarantee data is gone forever. Multi-pass is a waste of electricity beyond that.

In truth THIS^^^

Also, the ONLY guaranteed method of data destruction is to physically destroy the drives. You can't get data back from a drive that goes into a metal shredder. If they are that paranoid that they will not take a zero out drive then offer to grind up the drives as the only backup.
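
The single-pass zero-fill and the per-drive paperwork discussed in this thread, as an added example that is not from any poster or product mentioned here: it overwrites a target once, reads the whole target back to confirm every byte is zero, and returns a record tied to the drive serial. The serial `EXAMPLE-SN-0001`, the field names and the temporary image file standing in for a drive are all constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
CHUNK = 1024 * 1024  # work in 1 MiB blocks

def zero_fill(path):
    # One pass of zeros over every addressable byte (image file or block device).
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)
        dev.seek(0)
        for offset in range(0, size, CHUNK):
            dev.write(bytes(min(CHUNK, size - offset)))
        dev.flush()
        os.fsync(dev.fileno())  # push the writes out of the OS cache
    return size

def verify_zero(path):
    # Full read-back: returns (all bytes zero?, bytes read, SHA-256 of what was read).
    digest, total, clean = hashlib.sha256(), 0, True
    with open(path, "rb") as dev:
        while chunk := dev.read(CHUNK):
            clean = clean and chunk.count(0) == len(chunk)
            digest.update(chunk)
            total += len(chunk)
    return clean, total, digest.hexdigest()

def sanitization_record(path, serial):
    # Wipe, verify, and build the record kept with the client paperwork.
    size = zero_fill(path)
    clean, read_back, sha = verify_zero(path)
    return {
        "drive_serial": serial,
        "method": "single-pass zero-fill with full read-back verification",
        "bytes_overwritten": size,
        "bytes_verified": read_back,
        "verified_all_zero": clean and read_back == size,
        "readback_sha256": sha,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    # Constructed sample: a 3 MiB + 17 byte image of random data stands in for a drive.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        return sanitization_record(image, "EXAMPLE-SN-0001")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A host-side overwrite like this only reaches addressable sectors; remapped sectors and SSD spare area are outside its reach, which is where the drive's own secure erase mentioned above applies.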
 