Don’t throw out your PCs without scrubbing them first
By Rick Lehtinen

Is the computer your office manager uses an old, sluggish, battle-scarred veteran? Can your front-desk CA water the flowers in the time it takes to print an invoice? Or does your computer pop pop-up ads like a toaster spitting bagels, reducing work time to the intervals between infomercials and animated ads?

A quick solution to any of these problems is to invest in a new computer. With more than 130 million computers being built each year, costs are coming down. Investing in new hardware may be more cost efficient than spending hours trying to root out offending codes and build firewalls.

Buying a new computer is the easy part. The hard part is deciding how to dispose of those old computers. Some options:

• Sell them. Some people sell their computers, even if that means getting a few dollars for them at a garage sale.

• Give them away. Other people give them to churches, schools, or other nonprofit organizations. The gift usually qualifies as a tax deduction.

• Toss them. Some people sever emotional ties to their computers and pitch them into the dumpster.

But beware: If you follow any of these courses without taking precautions, you are at risk for a HIPAA violation.

In fact, even if you erase the data, reformat your hard drive, and install a new operating system and software before you dump your machine, you could land afoul. That is because a hacker with a little knowledge of computer forensics and some free Internet tools could still present you with a dossier of more of your patient information than you would ever want to leave your office.

To demonstrate the ease of recovering data, one researcher bought several old drives on e-Bay, and without too much effort was able to recover potentially damaging information from most of them.

HOW COULD THAT HAPPEN?

A computer writes data to the hard drive much like an old-fashioned reel-to-reel audio recorder: In the tape recorder, a magnetic head disturbs the magnetic domains on the thin layer of metallic oxide attached to the moving tape, in time with the music. Changing to play mode allows the head to listen to previously recorded tracks and reproduce the sound.

In a PC hard drive, the “tape” is several very highly polished disks that spin at up to 10,000 rpm, while the heads, also moving, dash about in the narrow space between them.

The metals and motors of a tape drive have changed very little over the years, but the electronics have changed a lot. This is why a modern hard drive can store hundreds of gigabytes of information in the same physical space and at lower cost than earlier drives that could store only a few hundred megabytes.

Sophistication in electronics not only means better storage capacity; it also means better data recovery — including data that is not supposed to be there anymore. The traditional “erase and rewrite” may have once served a secretive president, but it does not secure a computer today.

The average hard drive has an alarming amount of space available between tracks. Just like the space between rows in a garden, this space is needed to separate one track of data from the next.

However, it can still hold old data. Partitioning (the process of platting out the space on your hard drive) and formatting (which is akin to raking the drive into rows) may prepare for the recording of new data, but do not necessarily delete old data that resides between the rows, any more than forming the garden soil into rows eliminates weeds.

A big culprit is slack space — unused chunks of the recorded media. Computers store data like post offices store mail in postal boxes. Each box is of uniform size and depth. Whether you receive many letters or few, empty space remains. If you assume that it is occupied by the ghosts of postcards past, then you understand how hard drives present data for the taking.

The data-recording process often only fills the box, or in computer parlance, the cluster, part way. What is left unrecorded retains its original data.

And hitting the delete key doesn’t help. When you delete a file, you remove the things that point to it, but you do not actually remove the file. It works this way: If someone removes your name from the directory in the lobby, patients will have a harder time finding your office, but your office is still there with you waiting for the patients to come by. Someone who wants to get deleted records can easily do so. It just takes patience and a few software utilities.

WHAT TO DO?

Obviously, the answer is to retain your old computer — or at least your old hard drives — forever. If this seems impractical, you can always destroy the old hard drive with fire and then break it with a hammer. (No fooling. These are industry recommendations for destroying drives that once held highly sensitive information).

In reality, a hacker with an electron microscope can get your data, even if you erase and rewrite it dozens of times. The only curative is to reliably write and erase every portion of a hard drive, many, many times. (Some experts say seven times, but go long.)

Unfortunately, that can be tricky if you are not careful, because every bit of the drive would include the portions occupied by the operating system, and that is what is needed to make the computer do the reading and the writing.

The answer — and this is not to be fully trusted in the case of very sensitive data — is to use a disk-cleaning utility.

Sometimes a disk-cleaning utility is available with the software that comes with a new hard drive; other times it can be downloaded from the Web site of the hard drive manufacturer. (Find out the brand of the drive by removing the computer case. It should be noted on the drive itself.)

Before you run the disk cleaner, transfer all of your data to a new computer. Then turn the disk wiper loose. It works by writing ones and zeros on all portions of the disk, several times, until old data is a distant memory.

The outcome: Your computer will become dumb as a rock.

Another solution: Use a gentler version of a disk cleaner called a disk scrubber or disk wiper.

A disk scrubber acts like a paper shredder for your computer. It goes into every unused space on your disk drive and writes and erases a pattern into it that will mask whatever data was remaining, provided that run the scrubber long enough.

You can obtain disk-scrubber software by doing a search on Google. Type “disk-scrubber software” or “disk wiper” in the search box, and you should find several inexpensive or free ones to meet your needs.

Note: Get one from a reliable source. You do not want to download something that causes more problems than it solves.

Of course, a dedicated searcher (hacker) can probably find what you had for data, but the lucky recipient of your hand-me down computer probably won’t lead you to grief by announcing that found patient records were found on a machine that you donated.

Perhaps most important, you will be able to claim that you acted with due diligence to prevent the loss of patient data.

Cleaning up your old computer can become even more involved, because some operating systems keep snippets of file data for themselves in obscure places in the system. You may wish to consult your own IT specialist for some advanced tips.

By and large, a thorough treatment with a good disk scrubber should allow you to part with an old drive or computer with high assurance that no HIPAA-hungry lawyer will try to take you to the cleaners.

Rick Lehtinen is a computer security consultant to the ChiroCode Institute, www.chirocode.com. He can be contacted by e-mail at rlehtine@hotmail.com