AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


HIPAA Security: Don't Decrypt Data Before You Destroy It?

HIPAA experts know that there are only two ways to obtain safe harbor for PHI: encrypt it or destroy it.  Seeing how it's hard to work with destroyed data, most opt to use PHI encryption software to protect their patients' sensitive information from unauthorized access.

However, the rules also clearly state that any data that is being thrown out must be destroyed.  This makes sense for paper-based documents and other physical manifestations of information, like x-rays.  It also makes sense for digital information, but the reasoning behind it is not so apparent for encrypted data.  After all, lost or missing data is protected by safe harbor rules if encryption software is used to protect it, indicating that the encrypted information is perfectly safe.  Why must it also be destroyed?

One in a Million: So You're Telling me There's a Chance

The movie Dumb and Dumber has a number of notable quotes and scenes, many of them terrible, but one's always held a special place in my heart: when Jim Carrey's character asks his crush what his chances are, she tells him it's like "one in a million," and Carrey replies, a small smile forming at his lips, "So you're telling me there's a chance."

And that, in a nutshell, is why you're supposed to destroy any data you're going to throw away.  This includes encrypted PHI data because there is always the chance that (a) someone will somehow figure out the password to the encrypted data or (b) someone will run across the encryption key.  The chances of it are remote, of course.  But not impossible.

Destroy Your Data the Right Way

Making it so computerized data becomes inaccessible is both surprisingly hard and easy.  Anyone who's had to deal with dead hard drives knows that computer storage is sensitive to bumps, humidity, electric shocks, magnetic fields, etc.  On the other hand, just because you're unable to use your device doesn't mean that the information is inaccessible.  There are plenty of businesses built around recovering information, and they're successful (and profitable) for a reason.

Methods for destroying digital data are myriad.  One of the more popular methods is physically destroying it.  For example, you can punch a hole through a hard drive's magnetic platters, or even better, three or more holes through them.  There's the "sledgehammer" approach to it, which doesn't require an explanation, I think.  You can also melt it – the internet is surprisingly full of raconteurs who've used thermite to do so.

There are also non-physical methods, like degaussing the data (i.e., running storage media through a gigantic magnet) or copying junk data to it.

Here's a tip: no matter what approach you take, destroy your storage device while it's encrypted.  Why?  Well, for starters, you can think of it as insurance.  In the event that something goes awry, you'll have the encryption as a security backup (which is win-win if you are a HIPAA covered entity).

For example, what if you outsource your data destruction and the company does a poor job?  Or what if one of their employees decides he'll pass the data for a price, like in this story?

Related Articles and Sites:
http://www.nbcdfw.com/news/local/Employee-of-Document-Shredding-Company-Eyed-in-ID-Theft-Ring-252992761.html

 

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.