
Warranty void if seal shredded?, (Fri, May 15th)

Fellow ISC handler Patrick Nolan commented earlier on the changes to HIPAA requirements that the recent HITECH act brings to hospitals and health care providers in the U.S. The portion that I want to dive into with a bit more detail is

Electronic media [must be] cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that [sensitive information cannot] be retrieved.
NIST 800-88 is pretty succinct and explicit in its demands on how media and hard disks are to be purged or destroyed. Purging refers to making the contents unreadable by degaussing the disk or by using the secure erase command in the drive's firmware. Destroying, in NIST's words, includes disintegration, pulverization, melting, and incineration.
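The firmware secure erase that NIST 800-88 accepts as a purge only counts if the drive actually supports and executes it, and if you confirm the result afterwards. The script below is an added example, not code from the ISC diary: it classifies the Security section of `hdparm -I` output (the three samples are constructed, modelled on hdparm's layout, which indents with tabs; the patterns accept spaces or tabs), prints but does not run the `hdparm` command sequence, and samples the head and tail of the device after the erase to check that only zero bytes remain. `/dev/sdX` is a placeholder, and `PASS` is a throwaway password that the erase itself clears.

```shell
#!/bin/sh
# Added example: pre-flight checks and post-erase verification around an ATA
# Secure Erase (the firmware purge NIST 800-88 refers to). Nothing here runs
# hdparm against a device; the commands are only printed.

# Constructed sample of the Security section as hdparm -I prints it for a
# drive that is ready to erase: supported, no password set, not frozen.
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample for a drive the BIOS froze at boot: the erase command is
# rejected until the drive is power-cycled (e.g. a suspend/resume cycle).
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample for a drive without the ATA security feature set, which
# must be degaussed or destroyed instead.
SAMPLE_UNSUPPORTED='Security:
    Master password revision code = 65534
    not supported'

# Classify a Security section. Prints one of: ready-enhanced, ready, frozen,
# enabled, unsupported. Exit status is 0 only for the two "ready" states.
check_secure_erase() {
    sec=$1
    if ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*supported[[:space:]]*$'; then
        echo unsupported; return 1
    fi
    if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*frozen[[:space:]]*$'; then
        echo frozen; return 1
    fi
    if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*enabled[[:space:]]*$'; then
        echo enabled; return 1          # a password is already set; do not guess
    fi
    if printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
        echo ready-enhanced
    else
        echo ready
    fi
}

# Print (do not run) the hdparm sequence for a device, using enhanced erase
# when offered. Refuses to plan anything for a drive that is not ready.
erase_plan() {
    dev=$1; state=$2
    case $state in
        ready-enhanced) mode=--security-erase-enhanced ;;
        ready)          mode=--security-erase ;;
        *) echo "refusing to plan erase: drive state is $state" >&2; return 1 ;;
    esac
    printf 'hdparm --user-master u --security-set-pass PASS %s\n' "$dev"
    printf 'hdparm --user-master u %s PASS %s\n' "$mode" "$dev"
}

# After the erase, read the first and last N bytes (default 1 MiB) and fail if
# any non-zero byte is found. Uses blockdev for a real device and falls back
# to wc for a regular file, so it can be exercised without a disk.
verify_zeroed() {
    path=$1; n=${2:-1048576}
    size=$(blockdev --getsize64 "$path" 2>/dev/null || wc -c < "$path")
    size=$(printf '%s' "$size" | tr -d ' ')
    [ "$size" -ge "$n" ] || n=$size
    tail_off=$((size - n))
    for off in 0 "$tail_off"; do
        # -v prevents od from collapsing repeated lines into "*"
        if od -An -v -tx1 -j "$off" -N "$n" "$path" | tr -d ' \n' | grep -q '[^0]'; then
            echo "non-zero data found at offset $off of $path" >&2
            return 1
        fi
    done
    echo "sampled $n bytes at head and tail of $path: all zero"
}

# Demo on the constructed samples; /dev/sdX is a placeholder device name.
for s in "$SAMPLE_READY" "$SAMPLE_FROZEN" "$SAMPLE_UNSUPPORTED"; do
    echo "drive state: $(check_secure_erase "$s")"
done
erase_plan /dev/sdX "$(check_secure_erase "$SAMPLE_READY")"
```

Head-and-tail sampling is a spot check, not proof; a full read of the device (or a sample of random offsets across it) is the stronger verification, and a drive that reports "frozen" or "not supported" falls back to degaussing or destruction.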
So far, so good. But there’s a catch. Let’s assume that you have a hard drive which contains sensitive data. It doesn’t really matter if you are a bank or a hospital or a cutting-edge research shop: The data on the disk is vital. And the disk just snuffs it one day and refuses to spin. Let’s further assume that – not uncommon for servers – the disk is still under warranty, and if you ship it back to your vendor, you’ll get it replaced for free.
Now what? According to NIST 800-88, a disk with sensitive content which leaves your organization’s control has to be destroyed. I strongly suspect though that shipping a baggie of metal confetti back to your vendor could slightly impair your warranty rights. Shipping the disk as-is, on the other hand, exposes your data to all sorts of nightmares, not the least of which being your vendor getting it back to spin and reselling it on eBay as used, in working condition.
How do you deal with this problem? Do you shred all the disks that leave your shop, forgoing the warranty? Do you degauss the disks before returning, hoping that the degausser actually does its job and the vendor’s check doesn’t mind? Did you carefully vet your vendor’s media handling and have full traceability for all disks returned? Or do you simply take the plunge and hope that your old disk vanishes in the sea of disks offered for resale?
Let us know, either via our contact page, or by participating in the poll to the right!

URL: http://isc.sans.org/diary.php?storyid=6394&rss
