Why is degaussing the best data destruction for HIPAA Compliance?

Imagine holding a letter in your hands that says that a hard drive containing your private, protected health information has gone missing. INTEGRIS Baptist Medical Center, Inc., sent such a letter in September 2020.  On October 17, 2019 they learned that a portable hard drive containing patient information went missing during an on-campus office move. Information on the hard drive included patient names, social security numbers, and clinical information regarding care. Breaches like this are not only costly to the organization but are also subject to posting on the HIPAA Wall of Shame, a public listing of healthcare breaches.


What is the HIPAA Wall of Shame?

The U.S. Department of Health and Human Services Office for Civil Rights maintains the Wall of Shame. HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 to protect the health information of patients in the United States. Yet even though HIPAA protection is 25 years old (as of 2021), it is still violated constantly, as the frequent, nearly daily, updates to the Wall of Shame show.

Operating rooms are filled with equipment that stores data. Every machine helping to keep a patient alive likely has a magnetic hard drive or a solid-state drive inside, recording and storing patient PHI. To stay off the Wall of Shame, providers need to establish an end-to-end security solution that deters front-end threats such as hacking and also protects data on decommissioned storage media such as hard drives and solid-state drives.

HIPAA section 164.310 on “Physical safeguards” requires that healthcare organizations “implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

How should I dispose of PHI to avoid the HIPAA Wall of Shame?

According to the U.S. Department of Health & Human Services, proper disposal methods for PHI on electronic media include:

  • Clearing
  • Purging
  • Destroying

What is clearing for HIPAA compliance?

Clearing for HIPAA compliance uses software to overwrite media with non-sensitive data, usually a series of “0”s and “1”s. Overwriting a properly functioning hard drive takes between 8 and 14 hours of continuous writing. It also usually takes multiple passes – three is recommended – but operators often make only one pass, leaving the data vulnerable to a breach.

Overwriting is a method that allows the drive to be re-used. However, re-use of an overwritten drive is only advisable if the drive is being reused within the same organization and the media will not leave the organization’s control. The reason for this restriction is that overwriting is not secure: the drive must be 100% functional for all of the data to be overwritten. If the drive has bad sectors or is non-functioning, the data cannot be overwritten. There is no way to identify non-working hard drive sectors or to confirm whether the overwriting process succeeded or failed. Hard drives that are older or worn out simply fail, leaving unprotected data on the drive.
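To make the clearing step concrete, here is an added example (written for this page, not Garner Products' or any vendor's tool) of what an overwrite tool has to do: write every chunk on each pass, flush it to disk and read it back, reporting offsets that raise an I/O error or do not read back as written; run against a small disk image, it shows a constructed patient record surviving in a chunk that could not be written, which is the gap the text describes. The three-pass pattern set, the `simulated_bad` parameter and the record are assumptions constructed for illustration.

```python
import os
import secrets
import tempfile

# Constructed three-pass scheme: zeros, ones, then random bytes (None).
PASSES = (b"\x00", b"\xff", None)
CHUNK = 4096


def overwrite_image(path, passes=PASSES, simulated_bad=frozenset()):
    """Overwrite every byte of `path` once per pass, flushing and reading back
    each chunk. Returns sorted chunk offsets that raised an I/O error or did not
    read back as written. `simulated_bad` is a constructed stand-in for bad
    sectors: offsets in it raise OSError, as a real drive would on a bad sector."""
    size = os.path.getsize(path)
    bad = set()
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            for off in range(0, size, CHUNK):
                n = min(CHUNK, size - off)
                data = secrets.token_bytes(n) if pattern is None else pattern * n
                try:
                    if off in simulated_bad:
                        raise OSError("I/O error (simulated bad sector)")
                    f.seek(off)
                    f.write(data)
                    os.fsync(f.fileno())
                    f.seek(off)
                    if f.read(n) != data:  # read-back mismatch = failed overwrite
                        bad.add(off)
                except OSError:
                    bad.add(off)
    return sorted(bad)


def contains(path, needle):
    """Scan the image for a byte string, e.g. a patient identifier."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo(simulated_bad=frozenset()):
    """Put a constructed record in chunk 1 of a 3-chunk image, overwrite it,
    and return (bad offsets, record still present?)."""
    record = b"PATIENT: Jane Doe SSN 000-00-0000 DX: sample"  # constructed, not real PHI
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"\x00" * CHUNK + record.ljust(CHUNK, b"\x00") + b"\x00" * CHUNK)
    try:
        return overwrite_image(path, simulated_bad=simulated_bad), contains(path, record)
    finally:
        os.remove(path)
```

On a real drive, sectors the firmware has already remapped are not reachable by this read-back at all, so a clean report only covers what the drive still exposes.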

What is purging for HIPAA Compliance?

Purging for HIPAA compliance is degaussing, exposing hard drives and tape to a strong magnetic field to completely erase the data. Degaussing sanitizes the media of all data even if the drive is non-functioning or has bad sectors.  To operate a degausser, no special training is required.  Simply place the media in the degaussing chamber and close the drawer. In seconds, a strong magnetic field encompasses the media, eliminating the data.  By degaussing in-house, an organization maintains complete control of media until the data has been properly sanitized. Degaussing has proven to be the most thorough, time-efficient, and cost-effective process for in-house sanitizing of hard drives and tape media.

What is destroying for HIPAA compliance?

Destroying media for HIPAA compliance involves physically deforming the media and its internal components. Common physical destruction methods are crushing and shredding. However, physically destroying hard drives alone is not considered a secure method of destruction. It is important to know that even a 2 mm hard drive particle contains retrievable data: physical destruction only damages the media, it does not destroy the data. Software available on the internet and sophisticated microscopes called MFMs (Magnetic Force Microscopes) can still detect and recover data on shredded hard drive platters. Data centers that store confidential and Top Secret data must treat this as a viable threat and protect against it. For this reason, all hard drives should first be degaussed of all data before they are physically destroyed.

What are my HIPAA Compliance takeaways?

  • The healthcare industry collects massive amounts of patient data, which is protected by HIPAA.
  • When patient data in the form of a hard drive goes missing, patients and organizations are subject to a damaging breach.
  • The best way to secure a decommissioned hard drive is to degauss it.
  • Degaussers remove the magnetic field of a drive, completely sanitizing the media of all data and ensuring the data is forensically unrecoverable.
  • Degaussing is not only effective, it’s fast, clean, and requires no specialized training.

Look at Garner Products degaussers today.