Destroying Data – Delete It for Good
How is your organization handling the disposal and storage of sensitive or confidential information? This topic is often overlooked, and overlooking it is a big mistake. Consider the following examples of organizations that made this mistake:
– In November of 2017, Charles River Medical Associates, a part of Partners Healthcare System with 75 multispecialty providers serving 15 sites in the Boston area, discovered that an unencrypted portable hard drive was missing. As a result, the organization sent out a data breach notification to 9,387 individuals.
– In January of 2016, Centene Corporation – a St. Louis based company that provides health plans for government-sponsored programs – reported that six unencrypted hard drives containing protected health information for 950,000 individuals were missing.
– In 2011, theft of unencrypted backup tapes from the car of an employee of Science Applications International Corporation, a business associate of TRICARE, affected about 4.9 million individuals.
Encryption
As you can see, the above situations all had at least a couple of things in common. The one thing that I would say trumps all comparisons – and not in a good way – is the fact that the drives were not encrypted. If you keep your backup drives encrypted, then you have a lot less to worry about, because without the encryption password any would-be data thief would see only gibberish. This is hugely important if we are transporting drives off-site, frequently moving drives throughout the building, or keeping drives in storage for an extended amount of time. But what if our drives are never doing those things, and instead remain securely onsite?
Some privacy and security experts contend that the need to always encrypt hard drives is not as clear cut as the need to encrypt, for example, data on laptops. “Many organizations do not encrypt hard drives, depending on what types of [computing] devices they’re in and where the drives are physically located,” says Kate Borten, founder of security and privacy consulting firm, The Marblehead Group. “Encryption is an addressable specification, allowing for alternative equivalent controls in some situations. Organizations may determine that their physical controls over certain hard drives that never leave the data center or other secure areas are sufficient protection,” she notes. “Also, for drives that never leave the premises, there is a cost to encryption that must be weighed against the benefit. This isn’t always a black-and-white decision. However, data storage on end-user portable and mobile devices and media, such as USB flash drives, carries very high risk and should routinely be encrypted.”
In scenarios where we decide not to use encryption, it is much more important that we have proper inventory and storage procedures established. Additionally, it is vital that we have physical security measures in place. Without encryption, you should not allow a drive to be taken offsite without strict security measures in place or without the data having been properly destroyed.
Destruction
Phiston Technologies sums this up nicely, “The reason why hard drive destruction is important, is because it’s a way of ensuring that none of your info gets compromised. Think of it as the same way you would a paper shredder. When you have secure files and documents, shredding them ensures that no one has access to your info anymore. If you were to just throw your papers away, someone could reach into the trash and pull out any important documents. The same applies to your hard drive as well. There are always people out there looking to compromise sensitive info, even if it means going through your discarded belongings.”
This is why destroying your hard drive is essential. It’s a way to cut off all access that anyone could potentially have to your sensitive data. Destroying a hard drive isn’t that hard; in fact, it’s quite easy. You don’t need any special skills, and you really don’t need fancy tools to get the job done at the most basic level. Almost anything can cause a sufficient amount of damage to the platters, which will result in the data being unrecoverable.
Options for Data Destruction:
– Physical Destruction – One of the easiest and cheapest methods of destroying your hard drive would certainly be doing it yourself. While performing this method, it is vital that you do significant enough damage to ensure the data is unrecoverable. Drilling holes through the hard drive itself, taking a sledgehammer to the drive, etc. are all possible methods.
– Software-based shredders – Software-based hard drive shredders employ complex algorithms to erase or overwrite the data on a hard-drive multiple times so that it cannot be read again. The most common process entails deleting the data and then replacing it with arbitrary characters.
– Degaussing – Degaussing uses magnets to completely destroy hard drives and render them unusable. Degaussing employs machines specially designed to destroy data on a hard drive permanently. Many data destruction techniques use combination methods that typically start with degaussing and end with a physical destruction process or recycling. If you have highly sensitive data stored on old hard drives, the best and only way to dispose of the drives is to choose a military-grade destruction solution that is NSA certified.
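The overwrite process described under software-based shredders, as an added example (not code from the original post or from any shredding product). It assumes a file-backed image standing in for a drive; the image, the planted marker and the function names are constructed for illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in chunks so a large image never has to fit in memory


def overwrite_pass(path, pattern=None):
    """Overwrite every byte of `path` in place; pattern=None writes random data."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            n = min(CHUNK, size - offset)
            f.write(os.urandom(n) if pattern is None else pattern * n)
        f.flush()
        os.fsync(f.fileno())  # force this pass out of OS buffers before the next


def verify_fill(path, pattern):
    """Read the image back and confirm every byte equals the one-byte `pattern`."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(pattern) != len(chunk):
                return False
    return True


def shred(path, random_passes=2):
    """Random passes, then a zero pass whose result can be verified by read-back."""
    for _ in range(random_passes):
        overwrite_pass(path)
    overwrite_pass(path, b"\x00")
    return verify_fill(path, b"\x00")


def demo():
    """Constructed sample: a 1 MiB image with a planted 'sensitive' record."""
    marker = b"SSN=000-00-0000"  # constructed value, not real data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(512 * 1024) + marker + os.urandom(512 * 1024))
        path = tmp.name
    try:
        verified = shred(path)
        with open(path, "rb") as f:
            return verified, marker in f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The read-back verification is the part worth keeping in any in-house process: a pass that was never confirmed is not evidence of erasure. Overwriting a file in place does not guarantee that every physical block is rewritten on SSDs or copy-on-write filesystems.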
Taking it a step further – Questions to ask of your organization:
Are there shred bins located throughout your organization?
– It is ideal to have shred bins, boxes, or some designated area where employees can place documents that are awaiting disposal. Throughout the day, we all have various documents that are no longer needed, and when this occurs we need a place to put these documents instead of just leaving them lying around. Ideally, this place would be in a secure area and not just out in the open. Some organizations will have designated shredder(s) that employees can use to shred documents as needed throughout the day. Others will have one or more shred bins that documents are put into; these are then emptied into a secure and localized shred bin, and the documents are shredded at a later date.
Are shred bins emptied to a centralized location? How often? Is it secure?
– If we are utilizing shred bins to store documents waiting for disposal, then these shred bins need to be emptied into a centralized and secure location on a frequent basis; ideally this is done daily. This way, we do not have sensitive documents lying around with the possibility of being discovered.
How often are documents shredded? Is a third party used for this?
– If we are not shredding documents on a frequent basis and are instead storing the documents to be shredded at a later time, then we need to have a set time at which these unshredded documents will be shredded. This will more than likely be based on how much material your organization goes through in a given period of time. We must also figure out whether a 3rd party vendor will shred the documents or whether we are handling this in-house. If this is done in-house, it is vital that we are not just leaving the sensitive scraps lying around – for example, in a dumpster – for a possible dumpster dive attempt from a malicious party. Be cognizant of the fact that a dumpster dive can reveal a ton of sensitive information.
How is electronic media disposed of?
– Do we destroy electronic media (e.g., hard-drives) in-house or are we hiring a 3rd party to destroy them? If we are handling this in-house, then make sure that the proper steps are taken so that the data is properly removed and the hard-drive is destroyed. If we are hiring a 3rd party to handle this, then make sure that we receive a certificate of destruction from the 3rd party.
Are hard-drives stored in a secure manner while waiting for disposal? Are serial numbers of hard-drives waiting for disposal logged?
– Data is the single most important asset of your organization and a hard-drive contains this valuable data. So, when we remove hard-drives and we are waiting to dispose of them, it is vital that we are storing these hard-drives in a secure manner. This could be in a locked safe, vault, etc. Also, upon removal of the hard-drive, log the serial numbers. This is a simple yet vital step. By logging the serial numbers of hard-drives, we are able to then compare the list of hard-drives that were removed to the list of hard-drives that are then destroyed at a later date. This will ensure that we did not lose any hard-drives in storage or transit.
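The comparison of removed drives against destroyed drives described above, as an added example (not part of the original post). The CSV layouts, asset names and serial numbers are constructed for illustration; the removal log and the vendor's certificate of destruction are assumed to be available as CSV text with a `serial` column.

```python
import csv
import io
from collections import Counter

# Constructed sample: the log kept when drives are pulled from service...
REMOVAL_LOG = """serial,removed_on,asset
WD-WX11A1234567,2018-04-02,FILESRV01
 zfl0a1b2 ,2018-04-02,WKSTN-114
S3Z9NB0K123456,2018-04-09,LAPTOP-027
9VP0C3D4,2018-04-16,WKSTN-090
"""

# ...and the serials listed on the certificate of destruction (also constructed).
CERTIFICATE = """serial,destroyed_on
wd-wx11a1234567,2018-05-01
ZFL0A1B2,2018-05-01
ZFL0A1B2,2018-05-01
5QD0E5F6,2018-05-01
"""


def normalize(serial):
    """Serials are typed inconsistently; compare ignoring case and whitespace."""
    return "".join(serial.split()).upper()


def load_serials(text):
    return [normalize(row["serial"]) for row in csv.DictReader(io.StringIO(text))]


def reconcile(removal_text, certificate_text):
    removed = load_serials(removal_text)
    destroyed = load_serials(certificate_text)
    removed_set, destroyed_set = set(removed), set(destroyed)
    return {
        # Logged as removed but never certified destroyed: lost in storage or transit?
        "unaccounted": sorted(removed_set - destroyed_set),
        # Certified destroyed but never logged: a drive left service untracked.
        "not_in_log": sorted(destroyed_set - removed_set),
        # Same serial listed twice on the certificate: likely a data-entry error.
        "duplicates": sorted(s for s, n in Counter(destroyed).items() if n > 1),
        "matched": sorted(removed_set & destroyed_set),
    }


if __name__ == "__main__":
    print(reconcile(REMOVAL_LOG, CERTIFICATE))
```

Any entry under `unaccounted` is a drive that should still be in the locked storage area; if it is not there, it is a missing drive of the kind described in the examples at the top of this post.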
Written By Chad Gutschenritter
Post based off the following article by Rob Pegoraro: Even a dead hard drive can give away your private info. Here’s how to delete it for good.
https://www.usatoday.com/story/tech/columnist/2018/05/31/dead-hard-drive-how-delete-your-sensitive-data-good/658037002/