data destruction Archives - Page 9 of 10

How to Effectively Maintain HIPAA Compliance in the Cloud

January 21, 2019 at 8:23 pm by Heidi White

In today’s digital age, the majority of data is stored electronically in internet-based cloud software. Whether for convenience or accessibility, or due to physical hardware storage limitations, using a cloud to store data has become a norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.

Moreover, the size and even financial power of an organization doesn’t necessarily equate to better and more secure methods of privacy protection for data stored in its cloud. Recent data breaches at large data centers like Experian, Facebook, and Target have proven that the proper protection of private and otherwise sensitive information is paramount, especially when stored electronically.

For healthcare providers, professionals, and clearinghouses (hereto referred as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.

HIPAA Regulations & Best Practices for Data Disposal

If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI data or dispose of it using a public container like a dumpster that can be accessed by unauthorized personnel. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise cannot be reconstructed. In order to fully destroy this data, certain steps must be followed.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c).

This Rule holds especially true with the disposal of PHI and requires the covered entity to not only destroy the electronic PHI (ePHI) and the hardware or electronic media it is stored on, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse.

In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).

It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.

HIPAA-degauss — Degaussing is a method of data disposal that completely erases the drive, rendering it unusable

In the case of ePHI, whether on hardware or in an internet cloud system, proper HIPAA disposal methods include overwriting non-sensitive information with software or hardware to clear the data, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also opt to maintain a secure area for PHI disposal and/or you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.

Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation.Moreover, the covered entity can face serious penalties for noncompliance.

Penalties for Noncompliance

In tandem with the Department of Justice, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for the administration and enforcement of the HIPAA Security and Privacy Rules for the disposal of PHI.

Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.

If found guilty or in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (and not exceeding $1,500,000 per calendar year for multiple violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected during a 30-day period from the date in which the violation occurred; if the Department of Justice has imposed a criminal penalty; or, if the OCR chooses to reduce the penalty due to reasonable cause in the covered entity’s failure to comply, in that the penalty would be excessive given the nature and extent of the noncompliance.

In addition, criminal prosecution, in the form of a fine of $50,000 and up to one year of imprisonment, can be mandated for a person who knowingly obtains or discloses PHI and ePHI, which can occur as a result of improper disposal of the PHI. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.

One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.

The Criticality of On-Site Data Destruction in Secure IT Asset Disposal

November 21, 2018 at 3:38 pm by Heidi White

As the world marches inexorably towards a completely digital future, there is an ever-increasing demand for cloud-based data storage. To accommodate this digital sprawl, expansive data centers are being built at a rapid rate, with their servers continuously writing and overwriting data onto increasingly dense hard drives, with absolutely no downtime. As a result, data centers are constantly removing and replacing hard drives as they fail. The big question: what happens to the old drives?

The answer is not a simple one. Several methodologies are utilized for end-of-life data disposal, many of which are determined by security compliance requirements — such as NSA, NIST, HIPAA, and more recently GDPR— as well as health, safety, and environmental standards. In addition, volume of e-waste and drive type also come into play when determining the best solution for IT asset disposition, or ITAD. Regardless of the methodology employed, the commonality of secure ITAD is the critical importance of complete data sanitization.

News stories on data breaches, cybersecurity threats, and compromised personal information have become a daily occurrence, and both rotational hard disk drives (HDDs) and solid state drives (SSDs) store vast amounts of data on small surfaces. Even when these devices are cracked, scratched, or broken, data is still retrievable from remaining fragments — as long as the remaining pieces are large enough. Drilling into a platter-based hard drive or snapping a solid state drive into several pieces is largely ineffective at preventing the possibility of data retrieval. Likewise, erasure, overwriting, and/or reuse of hard drives is a completely inadequate method of end-of-life data disposal. Erasure and overwriting frequently miss small blocks of data on the drive, making reuse an absolute security disaster. Even small amounts of personal or sensitive data left on a drive can result in catastrophe if the device is compromised. Any company truly concerned about secure ITAD understands that total destruction of the drive is the only acceptable option.

HDD and SSD destruction is accomplished through crushing, shredding, or disintegration of the drive, and the ultimate solution is largely dependent upon drive type, volume, and security requirements. In addition, convenience, operator health and safety, space limitations, user interface, noise concerns, and budget also have an impact. Choosing the right solution isn’t as simple as picking a shredder from a catalog, and instead requires a comprehensive situational consultation and assessment. Because most manufacturers of data destruction devices don’t offer consultative services, many data centers, hospitals, educational, and financial institutions find themselves frustrated with the process and instead turn to outside vendors to manage their data destruction – a decision that invites the potential for serious consequences.

Third party data destruction services are available as either off-site or on-site. Off-site services pick up discarded drives at the client’s location and transport them to a data destruction center. The inherent risk with off-site data destruction is three-fold:

Allowing drives with live data to leave the premises increases liability.
Some less-than-savory off-site destruction companies have been known to employ questionable business practices. For example, one company caught their disposal vendor trying to outsource destruction to a third party, and then caught a different vendor selling off old devices rather than destroying them, even though their contract explicitly said not to do so.
The extended chain of custody with off-site destruction exacerbates risk.

Third party on-site data destruction is a better option, but still carries with it some uncertainty. Third-party destruction services only provide the most commonly utilized destruction devices; therefore, unique devices and more stringent regulatory requirements present challenges to many third-party providers. In addition, drives still physically leave the premises and are in the hands of people not in the drive owner’s employ. Unfortunately, the introduction of each and every outside element adds a layer of risk that exponentially increases liability.

degauss-destroy — SEM’s degauss, destroy, document bundle provides audit-proof peace of mind for secure information end-of-life. NSA listed and NIST compliant.

Clearly, the safest, most secure methodology for sensitive end-of-life asset disposal is in-house, on-site hard drive destruction. Fortunately, solutions exist that readily meet the strictest regulatory, health, safety, and environmental requirements, as well as accommodate today’s more rugged enterprise drives and ever-increasing drive volume. Shredders and disintegrators are available with different final particle shred sizes, horsepower, throughput, and even noise level, and degaussing and crushing solutions are available that meet even the NSA’s stringent two-step requirement for secure HDD disposal. The most demanding organizations will even find the availability of comprehensive in-house documentation options that provide a fully audit-proof destruction paper trail for meticulous record-keeping that mitigates liability.

SEM has over 50 years of industry experience. Click for timeline.

One question remains: what is the best in-house data destruction setup? The reality is that there is no easy answer. Determining the most efficient and effective solution can pose a challenge without proper guidance, and most data destruction solution providers have limited depth of expertise. After all, the demand for large-scale secure data destruction is relatively new, as data centers didn’t even exist until the early 1990s. Having been in the secure information destruction business since 1967, SEM provides a unique approach to end-of-life ITAD by working as a trusted partner with our clients, who benefit from our extensive industry knowledge and decades of experience with top secret government clients and their demanding destruction requirements. The good news is that once the most cost-effective and secure in-house data destruction solution has been determined, security-focused organizations enjoy the ultimate in data protection, efficiency, and peace of mind.

Is Your Data Disposal Plan GDPR-Ready?

at 3:29 pm by Heidi White

With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identify theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

For example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict to an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.

Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.

US-CERT Issues Security Tip (ST18-005) on Proper Disposal of Electronic Devices

November 1, 2018 at 1:51 pm by Heidi White

Why is it important to dispose of electronic devices safely?

US-CERT is a division of Homeland Security

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.

Types of electronic devices include:

Computers, smartphones, and tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications.
Digital media — these electronic devices create, store, and play digital content. Digital media devices include items like digital cameras and media players.
External hardware and peripheral devices — hardware devices that provide input and output for computers, such as printers, monitors, and external hard drives; these devices contain permanently stored digital characters.
Gaming consoles — electronic, digital, or computer devices that output a video signal or visual image to display a video game.

What are some effective methods for removing data from your device?

There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.

Methods for sanitization:

Backing Up Data

Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if your device is stolen. Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see Protecting Portable Devices: Data Security for more information). Backing up your data can also help you identify exactly what information a thief may have been able to access.

Deleting Data

Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on device and can be retrieved. Permanent data deletion requires several steps.

Computers. Use a disk cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.

Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.

Smartphones and tablets. Ensure that all data is removed from your device by performing a “hard reset.” This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.

Digital cameras, media players, and gaming consoles. Perform a standard factory reset (i.e., a hard reset) and physically remove the hard drive or memory card.

Office equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacture reset to restore the equipment to its factory default.

Overwriting

Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code—strings of 0s and 1s—one method of overwriting is to zero-fill a hard disk and select programs that use all zeros in the last layer. Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data.

Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
Clearing is a level of media sanitation that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.

Destroying

Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.

Magnetic media degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
Solid-state destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.
CD and DVD destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).

For more information, see the NIST Special Publication 800-88 Guidelines for Media Sanitization.

How can you safely dispose of out-of-date electronic devices?

Electronic waste (sometimes called e-waste) is a term used to describe electronics that are nearing the end of their useful life and are discarded, donated, or recycled. Although donating and recycling electronic devices conserves natural resources, you may still choose to dispose of e-waste by contacting your local landfill and requesting a designated e-waste drop off location. Be aware that although there are many options for disposal, it is your responsibility to ensure that the location chosen is reputable and certified. Visit the Environmental Protection Agency’s (EPA) Electronics Donation and Recycling webpage for additional information on donating and recycling electronics. For information on recycling regulations and facilities in your state, visit the EPA Regulations, Initiatives, and Research on Electronics Stewardship webpage.

Security Engineered Machinery Turns Electronic Data Into Dust

October 31, 2018 at 1:24 pm by Heidi White

Leonard Rosen, SEM Founder and Chairman of the Board

As the world becomes more technologically advanced, so has the world of data destruction. Westborough-based Security Engineered Machinery, founded more than 50 years ago, has met that demand with devices that destroy hard drives. Founder Leonard Rosen spoke to WBJ about the company’s role in securing the information of government agencies and government contractors.

How does SEM help keep the country’s data secure?

Every military installation — and company of note — is involved with electronic media. In the past, it was all paper. As time went on and advancements were made in communications and data storage, electronic media became the ultimate in information accumulation.

We have adapted by coming out with machines that can destroy the information on these new devices.

What kind of machines?

Our biggest area of expertise is in hard-drive destruction. That’s done in several ways. One is by deaussing, which is introducing a magnetic charge to a hard drive that basically erases that information.

Are the physical items also destroyed?

We have crushers that exert force into a hard drive and very heavy-duty shredders that accept hard drives and chew them up into tiny pieces.

How much communication is there with customers on new adapting SEM devices to fit their needs?

Depending on what the government agency or defense contractor is doing, we can adapt our machines to meet whatever security requirement they have.

SEM does work with defense contractors?

You’ll be hard pressed to find a major defense contractor in the U.S. that doesn’t use our technology.

Do these products have to meet any government standards?

When we find out what new devices need to be destroyed, we either have something that can destroy it or we start designing one that can do it. Once we have a completed product that we have confidence in, we sent it to National Security Administration for evaluation.

How is it evaluated?

They put it through volume tests, but the end product is more important. The toughest thing we’re doing now is destroying solid state drives. There’s so many layers of information in those, so it’s a two-step situation.

Original post by Worcester Business Journal on wbjournal.com

This interview was conducted and edited for length and clarity by WBJ Staff Writer Zachary Comeau.

SEM Supports Civil Air Patrol

June 24, 2018 at 5:44 pm by Heidi White

SEM has made a donation to the Civil Air Patrol in honor of Karl Lotvedt, SEM DC Sales Support Representative, who is Commander of the Osprey Composite Squadron of the Maryland Wing of Civil Air Patrol.

Civil Air Patrol (CAP) is a wholly volunteer organization that is an auxiliary of the USAF. CAP has three primary missions:

Cadet programs: Teach cadets ages 12-21 about leadership, responsibility, respect, organization, drill, and ceremonies.
Aerospace Education: Teach about how and why an airplane flies in which cadets get five hours in control of a single engine Cessna (next to the pilot) and five hours in a glider. They also have the opportunity to become a private pilot.
Emergency Services: Search and rescue.

Karl’s role as a commander requires him to oversee all the training of his cadets and seniors (adult officers) to make sure they are ready when called for a mission, which are given to them by the USAF. Karl became involved with CAP in 2003 after he retired from the United States Air Force. He began at the Martin State Airport squadron in Essex before starting the Osprey Composite Squadron in Dundalk, MD.

“A lot of patriotism is lost in today’s world, especially among the younger people, and the CAP can help restore that,” commented Karl. “We’re a small squadron but we are there if we are ever needed.”

SEM is incredibly appreciative of Karl for his tireless efforts with Civil Air Patrol, and we are honored to support this noble cause. For more information, visit www.gocivilairpatrol.com.

Masters of Destruction – Electronic Media Shredding

June 13, 2018 at 4:29 pm by SEM

Tuesday, November 28, 2006

Masters of Destruction

Westboro company specialist in sensitive data

By Martin Luttrell TELEGRAM & GAZETTE STAFF

For decades, the federal government and private businesses have used Security Engineered Machinery equipment to shred paper records, and more recently, computer drives, CDs and other electronic records.

And with sensitive information remaining on old computer hard drives, cell phones and BlackBerries, the Walkup Drive company is expanding into full-service data destruction for clients that want secure handling and destruction of their electronic devices.

Founded in Millbury in the late 1960s, SEM employs 44 and is the largest manufacturer of document- and electronic-disintegration equipment, with its shredding and disintegration machines in use by the Departments of Defense and Homeland Security, in State Department embassies around the world and by the U.S. Postal Service. More than 400 central banks worldwide use the company’s equipment for shredding old currency.

The federal government has been the biggest customer, but private industry is catching up as accidental releases of sensitive data make headlines.

SEM showed a reporter a room the company renovated from warehouse space that now houses machines for shredding computers and other electronic data storage devices. Computer hard drives, keyboards and towers moved up an inclined conveyer about 12 feet, where they were dropped into a hopper and ground into pieces an inch or two in size.

“The federal government is light years ahead of the private sector in security,” Mr. Dempsey said. “A lot of companies have paper shredders. But what happens to a CD or diskette? The government has been doing this for years.

“There is not a piece of equipment here that has not been cleared by the NSA (National Security Agency) for classified destruction,” he said. “Not all companies will spend $25,000 for a machine like this. That’s where this service comes into play. We have people that walk in with one hard drive, and we’ll destroy it and let them witness it.”

Clients who ship their items to SEM can even watch over a designated Web site as their computers or other items are destroyed; some 17 video cameras mounted in the ceiling, and more in the hoppers of the machines, beam images of the process.

“We send it premium freight so it can be tracked door to door,” he said. “Some clients put GPS (global positioning system) inside so they know where it is all the time.”

SEM puts bar codes on the hard drives slated for destruction so the customer can document the process, he said.

Inside a locked cage along one wall were several cases and military transport containers holding computer components slated for destruction.

“We look at ourselves as being in the security business,” Mr. Dempsey said. “We approach our shredding as a security division. We’re interested in hard drives, cell phones, DVDs, CD-ROMs and unconventional items,” including X-rays, he said.

Mr. Dempsey held pieces of a computer that had gone through a disintegrator, noting that they were a couple of inches in length. Some clients require that their magnetic data items be in smaller pieces, and those go into another machine, which tears them into pieces an eighth of an inch in diameter.

He pointed out that a piece of a CD that goes through an office shredder contains much more information than would be printed on a piece of office paper. Sophisticated equipment could be used to retrieve that information, along with data thought to be deleted from hard drives, cell phones and other electronic devices, he said.

In addition to tearing electronic data equipment into small pieces, SEM can also use a method known as degaussing, or erasing electronic data, before destroying it, he said.

“From a private-industry point of view, degaussing is all you need to do,” Mr. Dempsey said. “What we’re now seeing in Fortune 500 companies is that they’re defaulting to the federal government’s standards that are NSA-approved.”

He said that when companies consider the damage that could result from sensitive information being compromised, data security is increasingly in demand.

“We bring credibility to the table,” he said. “We’re in the security business. Quite a few of our employees have obtained clearances. They get a background check. We do DOD work. Anyone in this room would need a clearance,” he said, referring to those working in the company’s destruction service.

All employees are drug-screened and go through background and criminal checks, he said.

Mr. Dempsey would not talk about the private company’s finances, but said it made $20,000 from its destruction services two years ago and $300,000 this year. The demand is growing, he said.

“We’ve seen an explosion from companies with financial and health care” records. “With some of the information compromises that have been in the press, they’re adapting. We know how to deal with those issues. …Crisis management is not proactive. That happens after data has been compromised.”

He said the company spent 13 months renovating the area now used for destruction services. Now, he wants the operation to be deemed a secure facility so that it can take on the federal government as a client. That could take another year, he said.

“So far, we’ve been under the radar, doing this as a favor for our clients.”

Talking Trash

at 4:28 pm by SEM

MGMA Connexion, Mar 2004 by Leonard Rosen

Options for the storage and disposal of medical records

As health care organizations endeavor to comply with privacy and security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), there is growing interest in effective and efficient ways to manage protected medical records – and how to destroy them once they become obsolete.

Neither HIPAA’s privacy standards for paper documents nor its security standards for electronic records dictate specific means of compliance. However, the preamble to Section 164.530 does cite a few examples of appropriate safeguards, such as locking file cabinets that contain protected documents and shredding such documents prior to disposal. For electronic media, Section 164.310 (“Physical safeguards”) requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.”

Each group’s appointed privacy official must decide which procedures and equipment will best prevent unauthorized, unnecessary and inadvertent disclosure of protected information. For storage, this means locked office doors and cabinets, computer firewalls and passwords, etc. For disposal, it means destroying records. No one should be able to dig trashed records out of the dumpster and misuse them. Discarded medical information often is still confidential.

Destruction equipment abounds The market offers a variety of record destruction equipment. Paper shredders come in all sizes, speeds, horsepowers and capacities, but there are three basic choices:

Personal – Desk-side shredders, available on casters for portability, can shred roughly six to 20 sheets at a time. This is convenient for offices with relatively few documents to destroy.
Departmental – Larger facilities with more documents to dispose of may install shredders that can handle 20-50 sheets at a time.
Centralized – A heavy-duty shredder can handle up to 400 sheets at a time and destroy bound reports and thick stacks of paper.

Whatever shredder models your practice selects, you will need protocols for managing shredded waste. Some companies offer regular pickup, transporting the trash to landfills or recycling facilities. Also on the market are powerful disintegrators that use rotary-knife systems to reduce high volumes of books, binders, paper bundles and other bulk materials to tiny particles. Depending on the model, these machines even pulverize CDs, DVDs, floppy discs, microfilm, credit cards, ID badges, tape cassettes and circuit boards, slicing them into indecipherable fragments at the rate of up to two tons per hour. Other machines, designed specifically for optical media, can completely remove data-bearing surfaces from CDs and DVDs. Because they leave inner disc hubs intact, the hubs serve as proof of destruction, eliminating the need for detailed logs and witnesses where certification of destruction is required. Old computers can tell tales Security may become an issue when a practice donates old computers to a school or some other organization. Most people don’t know that when a digital file is “deleted,” the information actually remains on the computer’s hard drive or a formatted diskette, as do deleted e-mail messages and records of online activity. This information is recoverable with sophisticated tools. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives/disks – or particular sections of them -before these magnetic media are discarded or reused. Overwritten areas should be unreadable, but look for a software brand that meets or exceeds the Department of Defense standard for permanent erasure of digital information. When you require absolute certainty in erasing magnetic media, certain degaussers remove all recorded information in a single pass, allowing hard drives, diskettes, audio and video tapes, and four- and eight-millimeter data cartridges to be reused many times with no interference from previous use. Hand-held degaussing wands erase both floppy and hard computer disks. For both electronic and paper records, the variety of equipment on the market today enables a medical practice to tailor record-disposal to its particular needs.

Destruction System reduces SSDs and other Electronic Media to Less Than 0.5mm Particles – Meets DIN E-7

at 4:06 pm by SEM

WESTBORO, MA — The SEM Model SSD1-HS from Security Engineered Machinery reduces solid state devices to waste particles of .5mm squared or less and meets DIN 66399 Standard E-7; smaller than the NSA requirement for sanitization of SSD devices per NSA/CSS EPL 9-12. Absolute destruction through repetitive high speed cutting of memory media ensure all data is properly sanitized.

Storage media is continuously cut until it is small enough to pass through a customer selected waste sizing system to meet customer’s security level or a specific DIN Level. Items that can be destroyed in the Model SSD1-HS include solid state boards, RAM, smart phone / cell phone components, SIM cards, USB flash drives, compact flash and even optical discs. The Model SSD1-HS is a compact, self-contained destruction system with all components housed within a custom enclosure for maximum sound, odor and dust control.

The Model SSD1-HS destruction capacity is dependent on the media being destroyed and the customer selected sizing screen.

An ergonomic operator interface allows easy viewing and control of all machine functions. The Model SSD1-HS features an interlocked feed slide with integrated feeding protocols ensuring proper metering of media through the data sanitization process. Safety interlocks prevent operation when any safety guard or panel is not in place or waste disposal is required. An air filtration system consisting of a carbon pre-filter and HEPA filter is also included.

Security Engineered Machinery, SEM, is an innovative designer and manufacturer of data-destruction equipment located in Westboro Massachusetts. SEM supplies mission critical EOL equipment to the US Federal Government including the DoD and other intelligence agencies, as well as large multinational datacenter operators. SEM’s engineering staff is available to assist customers with special products and systems that will sanitize any media / material down to stakeholder required sanitization levels such as high volume central destruction systems used by nationally recognized commercial banks and healthcare organizations. Areas of expertise include the destruction of hard drives and other mixed media and heavy-duty, high-capacity shredders for recycling applications.

For more information, contact James T. Norris, Norris & Company, 264 Bodwell Street, Avon, MA 02322 Tel: (508) 510-5626, FAX: (508) 510-4180, E-mail: jim@norrisco.com

SEM 2 in 1 Crusher for Either HDD or SSD Media

at 4:04 pm by SEM

WESTBORO, MA — The SEM Model 0101, an NSA evaluated and listed destruction device for all computer hard drives regardless of their size, format or type, can now be factory configured for dual media destruction of either HDD or SSD media. The Model 0101 Hard Drive Crusher from Security Engineered Machinery has long been the choice of the Federal Government, US Military and Fortune 1000 companies for physical destruction of HDDs.

The SEM Model 0101 Crusher can now be purchased with a factory installed SSD Kit allowing the system to perform dual media destruction of either HDDs or SSDs. The SSD Kit consists of a specially designed hardened steel anvil with 292 piercing spikes, an SSD Wear Plate, and an SSD Press Plate. The large number of spikes on the anvil ensures each data bearing chip is damaged during the operating cycle. Solid State media that can be destroyed include memory sticks and circuit/controller boards found on hard drives, SSD drives, cell phones, tablets and similar devices up to 5.39” x 5.39” (137mm x 137mm).

The Model 0101 with integrated SSD Kit also includes a standard HDD anvil and can be easily exchanged in the field for the destruction of conventional hard drives and other rotational magnetic media.

Offices, hospitals, data centers, and other facilities can destroy confidential/sensitive information in a timely manner in accordance with government regulations and industry standards (HIPAA, FACTA, SOX, PCI DSS, etc.). The Model 0101 also satisfies National Security Agency requirements for physical destruction of rotational drives after they have been degaussed in an NSA-listed degausser.

The unit is compact, portable (22”H x 10”W x 19”D, 105 lbs.), quiet and virtually vibration free. It operates on standard 120V power, international voltages are also available. A safety interlock prevents the unit from functioning while the door is open and is the only crusher on the market that allows hard drives to be crushed with carriers still attached.

ISO 14001 Registered, Security Engineered Machinery, “SEM” is a global supplier of information security solutions and the largest producer of data-destruction equipment in the United States and operates a manufacturing and design facility adjacent to its headquarters in Westboro, Massachusetts. SEM’s full-service engineering department designs custom systems, such as high volume centralized security destruction systems with integrated waste briquetting and evacuation systems in use by the Federal Government and commercial entities. SEM’s areas of expertise include the design and production of destruction equipment for any type of data storage media from paper to hard drives to solid state, where data security and end of life measures are essential.