Playing Hide and Seek with Obsolete EPHI
Introduction

Many Health Insurance Portability and Accountability Act (HIPAA) covered entities have been giving considerable thought to the eradication of electronic protected health information (EPHI) that is no longer needed. As you are probably aware, the HIPAA final security rule requires that covered entities “… implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” (See section § 164.310(d)(2)(i) of the final security rule for the full text of this requirement.)

But what does this really mean? The HIPAA final security rule does not specify the detailed steps that must be taken to eradicate obsolete EPHI. This means that the HIPAA compliance official needs to consider the available options and then use his or her best judgment in choosing the approach to be followed. This paper explores some of these options and discusses the issues that must be considered when making this decision.

There are basically four approaches to dealing with obsolete EPHI:

  1. Delete files that contain EPHI before reusing devices or media.
  2. Encrypt all EPHI before it is written to disk.
  3. Overwrite system components that once contained EPHI with random patterns of “zeroes” and “ones.”
  4. Physically destroy hardware components that once contained EPHI.

Let’s take a closer look at each of these options.

Deleting EPHI

Most HIPAA compliance officials are aware of the problems associated with the first approach, but it bears repeating here. Dragging a file or folder icon to the recycle bin (or typing an “erase” command at the command prompt) removes the “file system” entry for a particular file, but does not remove the file’s data from the disk. What this means is that, even though the EPHI is no longer accessible by navigating the file system (i.e. by using Windows Explorer or the “dir” command), anyone who has access to any one of a number of “digital forensics” software tools can read the disk data directly. Many such programs are freely available for download via the Internet. (See www.timberlinetechnologies.com/products/forensics.html for a list of these tools.) The original file, which was never actually deleted, is easily read by these sorts of programs.

Where is the EPHI?

This situation is made more complicated by the fact that EPHI does not tend to stay in a single file and in a single location. Several processes, such as virtual memory management, actually copy the original EPHI and spread it to many locations throughout the network. In order to comply with the HIPAA security rule, the HIPAA security compliance official has to track down and eradicate not just the original files, but all the various copies of these files as well.

“If you know what it is and where it is you can manage it and destroy it when necessary,” says Rick Dakin, President and co-founder of Coalfire Systems, Inc., an information security and regulatory compliance consulting firm based in Louisville, CO (see www.coalfiresystems.com). “As data becomes ‘virtual’ and disappears into the ether, however, people have no idea where their EPHI is or how it is stored,” Dakin continues. “Data is ‘real’ to the old IBM mainframers who used to keep their critical data on 3480 tape cartridges in a desk drawer. Having to physically carry the tape into the computer room and tell the operator to watch for a mount message makes it ‘real’ in a sense that it will never be to someone who has not been required to touch the physical media on a routine basis.”

In addition to its original location, EPHI can be found in various “buffer” locations on the hard drive including paging and swap files. “People tend to forget that EPHI can be found on a number of system components – not just in its assigned location on the hard drive,” adds Bob Knowles, CEO of SecureCyber Destruction, a Denver firm that specializes in disposing of obsolete system components (see www.securecyberdestruction.com).

In the quest to eradicate obsolete EPHI, Knowles advises, we must not forget about removable media such as diskettes and tapes; EPROM or “flash” memory; network switches; “store and forward” components such as email servers; and networked printers. A little-known hiding place for obsolete information, Knowles adds, is a disk block or track that has been “flagged” due to I/O errors. Anyone with access to the physical drive can easily unflag bad disk areas and read most of the original data that was contained in them.

Most surprising, perhaps, is the revelation that what we normally think of as “volatile” memory – specifically, static random access memory (SRAM) and dynamic random access memory (DRAM) – is not quite as volatile as we once believed. Most of us have been taught that when power is removed from a computer system the “real” memory is erased. Not so, says Peter Gutmann of the University of Auckland Department of Computer Science. “Contrary to conventional wisdom,” Gutmann warns, “‘volatile’ semiconductor memory does not entirely lose its contents when power is removed.” (See http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html for the full text of the paper that Dr. Gutmann presented to the Sixth USENIX Security Symposium describing this phenomenon.)

Encrypting EPHI

An example of the encryption approach is the use of the encrypting file system (EFS) capability of Microsoft Windows. With a little effort it is possible to designate certain folders as containing encrypted data only. The EFS performs the encryption/decryption operations “on-the-fly” and in a way that is transparent to the user. The digital forensics tools mentioned in the previous section will display this encrypted EPHI, but the information will look like gibberish to anyone who does not have access to the decryption key.

But there are problems with this approach, too. First of all, data that is decrypted on the fly can still be written to page and swap files as part of the system’s normal virtual memory management processes. The information will not be re-encrypted prior to being “paged out.” This means that a digital forensics tool would be able to read the plaintext translation of the EPHI by browsing through the page and/or swap files. Another problem is that such systems typically store the encryption/decryption keys on the hard drive itself. This means that a dedicated hacker could use a tool such as SAMInside to crack the encryption scheme and gain access to the information in unencrypted form.

Overwriting EPHI

There is a long tradition of overwriting data in order to obliterate it – particularly among members of the defense and intelligence establishments. There are a number of Department of Defense standards for overwriting data. (See, for example, www.zdelete.com/dod.htm for a summary of the DoD 5220.22-M standard.) However, Gutmann notes that these standards are dated and do not fully address newer magnetic media recording techniques. He also mentions that the information in these standards “may be partially inaccurate in an attempt to fool opposing intelligence agencies … By deliberately understating the requirements for media sanitization in publicly-available guides, intelligence agencies can preserve their information-gathering capabilities while at the same time protecting their own data using classified techniques.”
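The three points made so far about where deleted EPHI survives (the “Deleting EPHI” section, Knowles’ note about blocks flagged for I/O errors, and the overwriting approach above) can be seen in a small model. The following is an added example, not code from the article or from any vendor tool: a byte array stands in for the disk, a dictionary for the file-system table, and a set of block numbers for sectors the drive has flagged as bad. It shows that “delete” only removes the table entry, that a raw scan of the media still finds the record, and that an overwrite routine which skips flagged blocks leaves data behind. The three-pass pattern (0x00, 0xFF, random) is the way the DoD 5220.22-M procedure is commonly summarized and is an assumption here, not a quotation of the standard; the patient record is constructed.

```python
# Added example (not the article's own code): toy disk model illustrating
# delete-vs-erase, raw media scanning, and the flagged-bad-block gap.
import os

BLOCK_SIZE = 16   # bytes per block (tiny, for readability)
NUM_BLOCKS = 8    # total blocks on the toy disk

# Three-pass overwrite pattern (0x00, 0xFF, random), the way DoD 5220.22-M is
# commonly summarized. Assumption for illustration, not the standard's text.
PASSES = (b"\x00", b"\xff", None)   # None means a fresh random block


class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the raw "platter"
        self.table = {}                                   # name -> [block numbers]
        self.free = list(range(NUM_BLOCKS))               # unallocated blocks
        self.bad_blocks = set()                           # flagged after I/O errors

    def write_file(self, name, data):
        blocks_needed = -(-len(data) // BLOCK_SIZE)       # ceiling division
        if blocks_needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(blocks_needed)]
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
        self.table[name] = blocks

    def delete_file(self, name):
        # Mirrors "erase" / the recycle bin: only the directory entry goes away;
        # the blocks are returned to the free list with their bytes untouched.
        self.free.extend(self.table.pop(name))

    def raw_scan(self, pattern):
        # What a forensics tool does: read the media directly, ignore the table.
        offsets, pos = [], self.media.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = self.media.find(pattern, pos + 1)
        return offsets

    def mark_bad(self, blk):
        self.bad_blocks.add(blk)

    def overwrite_free_blocks(self, include_bad=False):
        # Sanitize every block not referenced by the table. A naive tool skips
        # blocks the drive has flagged; those keep whatever was written before.
        wiped = []
        for blk in self.free:
            if blk in self.bad_blocks and not include_bad:
                continue
            start = blk * BLOCK_SIZE
            for fill in PASSES:
                block = os.urandom(BLOCK_SIZE) if fill is None else fill * BLOCK_SIZE
                self.media[start:start + BLOCK_SIZE] = block
            wiped.append(blk)
        return wiped


def demo():
    """Run the scenario and return what a raw scan finds at each stage."""
    disk = ToyDisk()
    record = b"PATIENT:JANE DOE" + b"DX:EXAMPLE-CODE!"   # constructed, 32 bytes = 2 blocks
    disk.write_file("visit.txt", record)
    # Pretend the drive flagged the record's second block after an I/O error.
    disk.mark_bad(disk.table["visit.txt"][1])
    disk.delete_file("visit.txt")
    result = {
        "gone_from_filesystem": "visit.txt" not in disk.table,
        "found_by_raw_scan_after_delete": bool(disk.raw_scan(b"PATIENT")),
    }
    disk.overwrite_free_blocks(include_bad=False)      # skips the flagged block
    result["name_found_after_naive_wipe"] = bool(disk.raw_scan(b"PATIENT"))
    result["dx_found_after_naive_wipe"] = bool(disk.raw_scan(b"EXAMPLE-CODE"))
    disk.overwrite_free_blocks(include_bad=True)       # forces the flagged block too
    result["dx_found_after_full_wipe"] = bool(disk.raw_scan(b"EXAMPLE-CODE"))
    return result


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: {found}")
```

The useful check for a compliance official is the pair of `raw_scan` results after the first overwrite: the half of the record in a normal block is gone, while the half in the flagged block is still readable, which is exactly the hiding place Knowles describes. A sanitization procedure is only as good as its coverage of blocks the file system no longer shows.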

Gutmann describes the use of advanced techniques, such as magnetic force microscopy (MFM), for recovering magnetically recorded data even after it has been overwritten several times. He warns us against having complete confidence in any media sanitization procedure, concluding, “… it is effectively impossible to sanitize storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written.”

We are therefore led to the inescapable conclusion that the only way we can ever have complete confidence that we are not inadvertently disclosing EPHI is to physically destroy all physical components that once contained it.

Destruction of Media and Devices

Businesses have understandable concerns about destroying their storage devices. On one hand, destroying rather than recycling obsolete computer equipment means that the covered entity must forgo the resale value or tax write-off benefits of the used equipment. On the other hand, this is usually a very small financial sacrifice compared to the potential losses that could result from an EPHI “leak.”

The surest way to get around the problem of playing “hide and seek” with obsolete EPHI is to have procedures in place for the routine destruction of any system components that may have ever stored EPHI. Bear in mind that removing a disk drive from a used computer and smacking it with a hammer may not be sufficient. The data recovery techniques discussed in Gutmann’s research can be applied to disk drive fragments as well as to operational devices. Given the high recording densities that are used with modern storage systems, even a small piece of a disk drive can contain copious amounts of patient data.

Since your ultimate goal is compliance with the HIPAA security rule, you want to be sure that your documented procedures and records will pass muster in a compliance review. Knowles expresses it this way: “People think that smashing a disk drive with a hammer addresses the problem – but it doesn’t. Information can still be recovered from the disk drive pieces. More to the point, there must be proper documentation that will hold up in a compliance review or in court. The fact that your policies and procedures are being followed must be provable to the proper evidentiary level.”

Since health care providers and insurers are typically not in the business of destroying used equipment, HIPAA security compliance officials should seriously consider outsourcing this job to an experienced secure data disposal service. However, make sure that the service you choose offers complete “chain of custody” documentation from the time of pickup to the time of destruction of the used equipment.

Here are a few things to look for when shopping for such services:

  1. As with any business associate, make sure that the service contract includes the mandatory HIPAA privacy and security rule provisions.
  2. If the service sells used or refurbished computer equipment, there is a clear conflict of interest between this and the secure data disposal line of business.
  3. Obtain the proper assurances from the secure data disposal specialist that nothing collected from your organization will ever end up in a landfill. It is absolutely essential that the service grind all equipment into a powder or otherwise melt down and recycle all materials.
  4. Ensure that the service includes complete “chain of custody” documentation from the time of pickup to the time of destruction of used equipment.

It is generally worth your time to do the proper research and to compare prices, terms and conditions of various service offerings. With any luck, you will be able to establish a satisfactory, long-term relationship with your secure data disposal service. But it will require a measure of patience and effort on your part to do so.

####

About the author:

Harry Smith, CISSP, is a co-founder of PrivaPlan Associates, Inc. and is the primary author of the PrivaPlan HIPAA Privacy and Security Compliance Resource Kit. He is also the founder of Timberline Technologies LLC, a Colorado-based information security consulting firm.

Mr. Smith has been involved in information technology projects since 1977 and has specialized in information security and regulatory compliance for the last ten years. He is a past-President of the ISSA Denver Chapter and continues to be active in the Denver and Colorado Springs information security communities. Mr. Smith has presented at a number of professional conferences and is the author of several articles that have been published in professional journals. Mr. Smith also teaches the MCIS 4680, “Cryptography with Lab,” course at Denver University. He can be reached at