Demonstration: wiping hard drives is not sufficient to secure PHI

Watch this video. The hard drives belonged to Bayou City Medical Center and over 100,000 files with patient information were recovered containing names, Social Security Numbers, dates of birth, and much more… after the drive had reportedly been wiped and reformatted.

I do not know if this breach was ever in the media or reported to HHS.  Does any reader know?

 

About the author: Dissent

5 comments to “Demonstration: wiping hard drives is not sufficient to secure PHI”

You can leave a reply or Trackback this post.
  1. Anonymous - July 13, 2011

    The video was a piece of self-serving tripe. Any idiot knows that hitting “delete” doesn’t destroy a file. Or at least they would if they thought for a minute about how you can recover a “deleted” file from the “trash” folder in seconds.

    But, clearly, the hospital did not follow recommended procedures for data destruction, as specified in the Federal breach notification law.

    • Anonymous - July 13, 2011

      This wasn’t just a “delete” situation or I wouldn’t have posted it – because I agree with you that most people do know by now that deleting files isn’t adequate. But if you listen/watch the segment again, they say that the drive had been *wiped and reformatted* by the hospital but was still recoverable. I thought that was worth posting.

      Either way, we agree that the data destruction was inadequate.

      • Anonymous - July 13, 2011

        Well…”wiped” can mean pretty much anything when it comes to deleting data. It can mean that someone “deleted files from the ‘trash’ folder” (leading to the results in the video) or that information was written over (which would not lead to the results in the video, at least not to that extent). Based on the results we see above, I’ll bet that “wiped” in this case refers to the former.

        “Formatting” does *not* delete data. It creates a new file system for the rest of the computer’s disk drive. Any information that was on that computer prior to the formatting will remain intact for the most part. If you will, it’s like taking a file cabinet and rearranging the folders because that’s how the new secretary likes it: the secretary can now efficiently find stuff but the old data is still there.

        (The analogy breaks down because, in a newly formatted computer, finding the old files requires special software but you get the idea.)

        The only accepted method for truly eviscerating digital data is to write over it (free software exists and is available on the internet), encryption (which pretty much amounts to writing over it, if you decided to lose the key), and destroying the hard disk.

        Under HIPAA, the last option is the only option when it comes to retiring old computer equipment, as far as I know. On a practical level, rewrites and encryption should also be acceptable, but you can’t argue with total destruction when it comes to absolute data safety.

        • Anonymous - July 13, 2011

          Thanks for that explanation.

          Personally, I use the sledgehammer approach on old drives. My only regret is that I didn’t know about printer/copier drives years ago when I got rid of one copier. In the future, they get the sledgehammer treatment, too.

        • Anonymous - July 13, 2011

          Oops. Just watched the video again, and caught where they said that “wiping software is not enough…”

          That’s an interesting statement to make. I guess it’s a matter of which software you used to wipe the disk (not all are created the same), but the fundamental question is: how do they know data overwriting software was used in this case? Did they call up the Bayou Medical Center and get an affidavit?

Comments are closed.