Data Destruction

HIPAA (Health Insurance Portability and Accountability Act) and HITECH act (Health Information Technology for Economic and Clinical Health) compliance are taken very seriously in the healthcare industry. This is rightfully so; the internet is not a safe place for private information. However, policies surrounding HIPPA and HITECH do not start and stop with information that travels through the internet. Information is stored on all sorts of devices including computers, phones, and possibly even fax machines and printers.

In most cases hitting the delete button gives people a false sense of security that information has been destroyed. Windows and a lot of other operating systems simply tell the hard drive it is safe for the information to be written over. Hard drives are physical disks that have binary data stored through magnetization.

Operating systems like KALI Linux do not care about the permissions set by windows. In most cases it is possible to simply boot to KALI Linux loaded onto a thumb drive to view files on the computer. This operating system even has built in tools to recover files that have been deleted and not yet written over. The worst part is this software is entirely free and relatively user friendly.

There are ways you can avoid data being recovered by people it is not intended for. You can make sure information is encrypted at rest. Using a computer with a TPM (Trusted Platform Module) and encryption makes all the information on a hard drive much more difficult to access. This is a best practice for all computers containing PHI (Protected health information), especially for laptops and devices that have the potential to be lost or stolen.

HIPAA/HITECH, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, FACTA Disposal Rule, Bank Secrecy Act, Patriot Act of 2002, Identity Theft and Assumption Deterrence Act, US Safe Harbor Provisions, FDA Security Regulations, PCI Data Security Standard, among others legally obligate you to ensure old information is removed from electronic devices before disposing of them. Companies such as Memory for Memory  who recycle old computers have strict guidelines in place to ensure no information falls into the wrong hands. I you do not want to trust a company with your potentially sensitive information the FTC has a very informative article you can read here.

By far the easiest and most secure way to make sure no Protected Health Information can be accessed is to physically destroy the part of the device that stores the information. At integrity Billing our IT company uses a PureLev device to destroy all hard drives before the rest of the computer is sent to Memory for Memory for the computer to be recycled. A fancy hard drive crusher makes the job easier, but a hammer will do at home.