When the time comes to throw away, give away, sell or otherwise dispose of a computer, you should be sure to permanently erase the data on it. Otherwise, the new owner – or someone who has fished it out of the trash (yes, this actually happens) – will be able to read the PHI, as well as any financial, business or personal data, that was on the hard drive when you stopped using it. Often this will also include data you may have thought was deleted but is actually still on the hard drive. Pressing “delete” doesn’t actually erase a file or program permanently and even a moderately skilled hacker will be able to retrieve it. This begs the question: how do you permanently delete the data you don’t want lingering on the computer once you are ready to dispose of it?
The NIST publication related to data disposal is SP 800-88 rev. 1.[37] It details three levels of “media sanitization” – clear, purge and destroy. Data is considered cleared when it’s not readily accessible on the computer or device in question, though someone with digital forensic tools (like that moderately skilled hacker noted above) can still get at it. Purging involves removal of the data to the extent it is “infeasible to recover” using state-of-the-art forensic lab methods, and destroying is pretty much what it sounds like. NIST SP 800-88 references a number of destructive methods relating to computer data. Here are a few common ones:
A typical computer hard drive stores electronic information magnetically. Magnetically stored data can be genuinely deleted via overwriting, demagnetization or physical destruction.
Overwriting refers to storing new data in the same storage space as – and effectively on top of – the older data being deleted. A helpful analogy could be thinking of the older data like a footprint on a muddy field. If someone steps on it, the new footprint will effectively “overwrite” the old one. A number of programs exist to deliberately overwrite the data on a hard drive with random 1s and 0s (gibberish, in effect), but it’s a time-consuming process – as the data is generally overwritten several times – and it might not make the data completely inaccessible. A hacker skilled in computer forensics may still be able to recover some of the data (assuming it’s worth the time and expense to do so). An overwritten drive can be reused.
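To make the overwriting step concrete, here is an added example (not from the original text or from any particular wiping product) that overwrites a target several times and then checks the result by reading it back. It assumes a small constructed image file standing in for the drive, a made-up patient record as the data to be removed, and a final pass of zeros chosen so the result can be verified; the function names are illustrative.

```python
import os
import tempfile

CHUNK = 64 * 1024  # work in blocks rather than loading the whole target
MARKER = b"PATIENT: Jane Doe, MRN 000000 (constructed sample)"

def overwrite(path, passes=3):
    """Overwrite every byte in place: random passes, then a final pass of zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            for off in range(0, size, CHUNK):
                step = min(CHUNK, size - off)
                f.write(bytes(step) if final else os.urandom(step))
            f.flush()
            os.fsync(f.fileno())  # force this pass to storage before the next one
    return size

def contains(path, marker):
    """Scan raw bytes for marker, including matches that straddle two blocks."""
    keep, tail = len(marker) - 1, b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = tail + chunk
            if marker in window:
                return True
            tail = window[-keep:] if keep else b""
    return False

def all_zero(path):
    """Read-back verification: every byte must match the final pass."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "drive.img")  # constructed stand-in for a drive
        with open(img, "wb") as f:
            f.write(os.urandom(CHUNK - 10) + MARKER + os.urandom(CHUNK))
        before = contains(img, MARKER)
        size = overwrite(img)
        return before, contains(img, MARKER), all_zero(img), size

if __name__ == "__main__":
    print(demo())
```

The read-back only proves that the bytes the program can address were replaced; it says nothing about whether a forensic lab could recover traces, which is the limitation described above.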
Demagnetization (often referred to as “degaussing”) involves using a strong magnet to essentially “pull” all of the 1s and 0s in the binary code on the drive in the same direction, making them all 1s or 0s and rendering the underlying data all but unreadable. This is done with a machine called a degausser. Commercial grade degaussers are quite expensive, and their magnets are strong enough to both virtually destroy the data and render the hard drives themselves unusable afterwards. Keep in mind demagnetization only works on magnetic storage devices and magnetic tapes.
Physical destruction is just what it sounds like: the hard drive is dropped into a metal shredder and completely pulverized. Companies that specialize in this sort of destruction will often take the subject drives, document the subsequent chain of custody and may even film them being dropped into the metal shredder. Such an abundance of caution actually isn’t a bad idea. A major hospital in the United Kingdom asked a vendor it had worked with before to take care of disposing approximately a thousand old hard drives, only to have about 250 of them later show up for sale on eBay. The hospital was then hit with a record fine roughly equivalent to half a million dollars.[38] Also keep in mind that mere damage is not enough to guarantee the data on a magnetic drive cannot be retrieved later. Computer forensic experts were even able to recover a significant amount of information from damaged drives found in the wreckage of the space shuttle Columbia.[39]
As outlined above, each of the methods has its advantages and disadvantages. Overwriting allows the drive to be used again, while physical destruction is the most certain way to be sure the data is permanently destroyed. As an extra precaution, some organizations protect their sensitive data by first demagnetizing and then physically destroying any type of magnetic storage once it’s no longer in use.