I love disposing of problems. The other day, I was presented with a disposal problem.
As I was walking down the hall, I noticed a lot of old computer equipment sitting next to a pile of trash. My first thought was that some of the data that my state agency is charged with protecting under various statutes was about to become available to anyone who happened to pick through our trash.
A closer inspection revealed that there were no computer disks or other media in the pile. No data was about to leak out through our Dumpster. Other things could, though, and that detoured me from data security matters for a while as I pursued the question of proper disposal of hazardous waste.
As it turns out, our IT employees didn't really know what to do with old computer equipment, so they put it out for the maintenance people to pick up. The people in charge of the management of our building were clueless about how to handle hazardous materials. They told me our old equipment usually ended up in the parking lot waste bin or was taken home by members of the cleaning staff who thought they could refurbish it for their own use or resale.
That wasn't acceptable. I directed a member of my staff to discover what methods were available in our region for the proper disposal of computer equipment. He found out that a local computer supply store provided a disposal service in conjunction with Dell. There was only a small fee to cover the cost of boxing up the equipment. Armed with that new information, I wrote a procedure to cover hazmat disposal. Problem solved.
Ah, but what about those cases when we do have to dispose of disks and other media? I started thinking about all those computer, server and storage device disks that are collecting around here. The agency is in the middle of a desktop upgrade project, which means we're retiring hundreds of computers as well as a number of servers that are out of warranty. In the old days, you could call a nonprofit organization that would gladly take your old computers. These days, it's a little more complicated, since we aren't allowed to transfer hard disks that could contain people's personal information to any other party. Not too many organizations want your equipment sans the hard disks.
Meanwhile, the hard disks are stacking up. I was sure we could find a low-cost solution, get the necessary approvals and solve the problem.
Plenty of commercial companies could provide the service we need. I found one called PC Disposal that has a program appropriately named Secure Plus Risk Management Disposal. The company will ship you "secure packing equipment," and then it will pick up your equipment, wipe your hard drives with Department of Defense -standardized methods and dispose of them according to state and federal guidelines. If you want to prep your equipment for resale or donation, it will help you do that. Importantly for us, the service is guaranteed to be HIPAA-compliant.
But here's what caught my eye: The company has a US$1 million service guarantee that says, "If we fail to complete the services listed on your certificate of disposal and your hard drive is discovered with recoverable data still on it, your company will receive a check for $1,000,000." Great marketing.
Still, I had to chuckle because I know that US$1 million in no way would make up for having protected health data end up in the wrong hands. Besides, I realized that we could handle the problem internally without spending a ton of money. The key to data disposal is proper disk sanitization.
I happened to be downloading material from the National Institute of Standards and Technology 's Web site on an unrelated matter when I ran across a publication titled "Guidelines for Media Sanitization" (NIST Special Publication 800-88). A quick glance through the 33-page document showed me that it contained pretty high-level stuff. The guidelines include a decision matrix for determining how to destroy various media and components. For example, data has to be manually deleted from handhelds, then you have to perform a manufacturer's hard reset, and finally you must incinerate, shred and pulverize the unit. That's kind of what we had in mind for our hard disks.
We fantasized about taking the hard disks out into an open field and smashing them with a hammer, setting them on fire and toasting marshmallows over the blaze. It sounds like a good team-building exercise. But we're in the middle of summertime heat, and the local fire department probably wouldn't appreciate our electronics bonfire.
Back to reality. We'll need to write a policy and procedure, as well as acquire the software we'll need for effective data deletion. Sysinternals, a part of Winternals, which was recently acquired by Microsoft, provides a free, DOD-compliant secure-delete program called SDelete that should do the job. After we remove the data, we can incinerate, shred and pulverize the hardware or just donate the drives to a nonprofit organization.
I think the important thing is to realize that data is precious and must be handled properly. But even if we don't recognize that fact, we're all increasingly subject to state and federal statutes that mean we have to take data disposal seriously. We just can't ignore the problem anymore.