Data wiping and HIPAA/HITCH
-
@technobabble said:
I have a small medical billing office that needs to have drives wiped as the PC's and servers are no longer needed by the company. As usual, they would like to do whatever is the cheapest today. Any ideas or input would be appreciated.
1.) I have one failed drive which I presume would have to be degaussed or shredded since it is not functioning.
2.) I have a few drives in PC's that can be wiped but customer asked about certification of service. I haven't see that yet, have you?
3.) How do you wipe servers when they are setup in a RAID?
Thanks!
cheapest would be drill press.
-
I would just have all the drives shredded.
Here in the Midwest there is paper shredding company that a lot of my clients use that will also shred drives. I would assume they can certify it.
-
Some hardware RAID cards have drive wiping built into the firmware. But not many.
-
All the old computers being scrapped at my last office, the drives were pulled. There were some failed drives,... so a physical disk wipe wasn't reliable.
I pulled them, and said once it was practical, they should be physically shredded.
Personally I would like to mix up some thermite, but I don't know the legality of it, and haven't looked in to it.
-
We always did DOD wipes on everything then sometimes physically destroyed.
-
Always break raids before wipeing.
-
So the consensus is to shred drives. She was hoping to sell the severs with the drives in them.
-
I found a company that will do 100% destruction (shredding) and provide a Certificate of Destruction. Waiting for a call back to find out the cost of this service.
-
@technobabble said:
So the consensus is to shred drives. She was hoping to sell the severs with the drives in them.
Servers I always would have physically destroyed. Desktops depending on use could just get a DOD wipe.
-
Um...DBAN anyone?
-
I don't know what the cost is, but Obliterase provides a service like this with a certification.
-
We hand the drives to the kids in the metals workshop to drill through.
They think it's fun, we need the drives gone. It's a win-win situation.
-
@Kelly said:
I don't know what the cost is, but Obliterase provides a service like this with a certification.
I was thinking of them too. They were giving away a Kegerator (however you spell it, as I'm sure @dengelhardt could correct me) at Spiceworld last year. LOL
-
-
@Kelly said:
I don't know what the cost is, but Obliterase provides a service like this with a certification.
They do. Nice people. Spent some time talking to them last year at SpiceWorld.
-
@Obliterase summoning.....
-
Full disclosure: they're paying for me to go to Spiceworld London due to me winning a drawing. I'm not getting anything else from them for mentioning their name here
-
DBAN all the drives. (break raid array, dban one at a time.) If it was for my personal stuff or something not going to get you in trouble I'd suggest breaking the raid, making OBR10, dd /urandom the whole thing. Much faster, much less secure.
Take drives with you to shooting range.
Turn scraps in at metal recycler.
-
@scottalanmiller so you think shredding the hard drive is over kill?
-
@technobabble said:
@scottalanmiller so you think shredding the hard drive is over kill?
I generally think nearly everything that companies do like this is overkill. HIPAA does not require anything that drastic and common security practice does not either. IF the drive can do DBAN or Obliterase, I think that that is plenty and far better for the bottom line (resell drives) and the environment (not throwing away good technology when you don't have to.)
Your risk is not people randomly looking at the drives, you protect against that with software and selling through a third party. You worry about targeted attacks. Don't set yourself up for those and then anything like shredding is way over the top.
Security is all about making it unreasonable to get the data, once you pass that threshold there is not much value to additional security.
