Who's Watching the Back Door?

By: Arleen Chafitz, Owner and CEO, e-End and Steve Chafitz, President, e-End

Ping, ping, ping...

You know what that sound means. It’s a hacker trying to break in through your front door. They want to reach your network, which is securing valuable data. So how do you stop them? You spend thousands of dollars, maybe more, to create a fortress-like defense to prevent the criminals from crashing the front gates -- and gaining access to the keys of the castle.

Whatever definition you use for “cybersecurity,” the common denominator is to implement policies and procedures for protecting networks, computers, and data from an attack and ultimately prevent costly data breaches.

While the major focus of cybersecurity is keeping the front door impenetrable from global criminal activities, according to the 2014 Bitglass Healthcare Breach Report, 68% of breaches originate from the inside.1 Part of this epidemic is from a significant amount of data-rich electronic equipment and devices going out the back door.

Hard Drives To Be Sanitized

End-of-Life Vulnerability

When data-containing equipment reaches its “end-of-life” stage and is taken out of service, the high level of front door security it was previously given may be totally ignored. Along with servers and PCs, items such as copy machines, printers, medical equipment, cell phones, phone systems, and a variety of other devices have hard drives or other storage media in them that retain data.

Visit any company or government agency and you’ll find this data-filled equipment stored unsecured in hallways, storage rooms, and offices. Even when the hard drives are removed from this equipment, the media can still end up on bookshelves or in boxes in the IT department waiting to be sanitized.

By not placing enough emphasis on the proper handling of data from end-of-life equipment, your IT department may leave hard drives untouched for weeks or months waiting for someone to destroy the data. Sanitization is not their priority, plus it’s time taken away from other important tasks. It can take three hours or longer to sanitize a single hard drive. Think about the 600 man-hours, or more, if there were 200 drives.

An IT department also cannot credibly “self-certify” its own work. Data sanitization experts will tell you that reformatting or deleting removes only the file-system pointers to the data, and drilling holes damages only the platter area around each hole; neither puts the data beyond forensic reconstruction from the raw media. With the proper equipment, complete data destruction is accomplished by following the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, which defines the Clear, Purge, and Destroy levels of sanitization and requires that the result be verified.2
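As an added illustration (not part of the original article, and not e-End’s tooling), the following Python script walks a constructed disk image through a file delete, partial physical damage, and a NIST 800-88r1-style Clear with read-back verification. The image layout, the sample patient record (with a fake 900-series SSN), and every function name are constructed for this example; the point is to show that a raw-media scan still finds the record after delete and after “drilling,” and finds nothing once every sector has been overwritten and verified.

```python
"""Constructed example: why delete/drill is not sanitization, and what
NIST 800-88r1 Clear plus verification looks like on a raw disk image."""
import os
import re
import tempfile

SECTOR = 512           # sector size used for the constructed image
IMAGE_SECTORS = 64     # 32 KiB "drive"; small so the demo runs instantly
DIR_SECTOR = 0         # sector holding the toy directory entry

# Constructed sample record; 900-series SSNs are never issued, so this is fake.
SAMPLE_RECORD = b"PATIENT: Jane Doe, SSN 900-12-3456, DX: hypertension\n"
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def make_image(path, sectors=IMAGE_SECTORS):
    """Create a zero-filled disk image standing in for a retired drive."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * sectors)


def write_record(path, lba, record):
    """Store a record at sector `lba` and a directory entry pointing to it."""
    with open(path, "r+b") as f:
        f.seek(lba * SECTOR)
        f.write(record.ljust(SECTOR, b"\x00"))
        f.seek(DIR_SECTOR * SECTOR)
        f.write(b"ENTRY record.txt lba=%d\n" % lba)


def delete_record(path):
    """What 'delete' or a quick format does: drop the pointer, keep the data."""
    with open(path, "r+b") as f:
        f.seek(DIR_SECTOR * SECTOR)
        f.write(b"\x00" * SECTOR)


def simulate_drill(path, lba, count):
    """Physical damage to a few sectors; every other sector stays readable."""
    with open(path, "r+b") as f:
        f.seek(lba * SECTOR)
        f.write(b"\xff" * SECTOR * count)


def residual_pii(path):
    """Forensic-style scan: ignore the file system and read the raw media."""
    with open(path, "rb") as f:
        raw = f.read()
    return [(m.start(), m.group()) for m in SSN_RE.finditer(raw)]


def clear_overwrite(path, pattern=b"\x00"):
    """NIST 800-88r1 'Clear' for magnetic media: one full overwrite, fsync'd.
    (Flash media need firmware-level sanitize/crypto-erase; overwrite is not enough.)"""
    size = os.path.getsize(path)
    fill = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    with open(path, "r+b") as f:
        for off in range(0, size, SECTOR):
            f.seek(off)
            f.write(fill[:min(SECTOR, size - off)])
        f.flush()
        os.fsync(f.fileno())


def verify_clear(path, pattern=b"\x00"):
    """Read back every sector; return the first offset that does not hold the
    pattern, or None if the media verifies clean (800-88r1 requires this step)."""
    fill = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    with open(path, "rb") as f:
        off = 0
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                return None
            if chunk != fill[:len(chunk)]:
                return off
            off += len(chunk)


def demo():
    """Walk one constructed drive through delete -> drill -> clear and record
    what a raw-media scan and the verifier report at each step."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        write_record(path, lba=10, record=SAMPLE_RECORD)
        results = {}
        delete_record(path)
        results["after_delete"] = len(residual_pii(path))     # record still found
        simulate_drill(path, lba=30, count=4)                 # hole misses sector 10
        results["after_drill"] = len(residual_pii(path))      # record still found
        results["verify_before_clear"] = verify_clear(path)   # first dirty offset
        clear_overwrite(path)
        results["after_clear"] = len(residual_pii(path))      # nothing left
        results["verify_after_clear"] = verify_clear(path)    # None: verified clean
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The same `residual_pii` and `verify_clear` functions can be pointed at a real image file or, with root, at a block device path, which is the check to run on a sample of drives a vendor returns as “sanitized.” A single overwrite is only the Clear level for magnetic disks; SSDs, phones, and copier drives need the device’s own sanitize or cryptographic-erase command (Purge) or physical destruction (Destroy), and the article’s NIST reference spells out which applies to which media.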

Unfortunately, too many businesses and agencies look at old equipment as “cash in the pocket.” They’ll sell equipment online or at auction, or even donate it for a tax deduction. With some of this equipment still retaining data, confidential information may wind up going to the highest bidder.

By leaving this exposure open, your operation may be in violation of one of the numerous federal regulations for safeguarding personally identifiable information (PII) and other confidential information. While most people have heard of HIPAA, the acronym maze of regulations you must become familiar with includes SOX, GLB, FACTA, COPA, and FISMA.

Are You Ready to Pay the Fines?

Not implementing the required safeguards can not only allow a costly data breach, but can have a direct impact on your bottom line. Blue Cross/Blue Shield of Tennessee agreed to pay HHS $1.5 million after 57 unencrypted hard drives were stolen from a storage closet. In all, their total cost for remediation was over $18 million.

A data breach costs US organizations an average of $5.9 million, and criminal HIPAA violations carry up to 10 years in prison. Medical records are among the most sought-after prizes for data thieves. According to the Bitglass Report, credit card records have a black market value of $1.00 each, while medical records go for $50.00 each.3 GLB also carries severe penalties for non-compliance: imprisonment for up to 5 years, steep fines, or both. A financial institution can be fined up to $100,000 for each violation; officers and directors can be fined up to $10,000 for each violation.

If you think HIPAA doesn’t apply to you just because you’re not a healthcare provider, think again: any business associate that handles protected health information on behalf of a covered entity falls under HIPAA’s data security rules. Under the HITECH Act, HIPAA enforcement has increased, and the Attorney General (AG) of each state is now authorized to bring actions for HIPAA violations. Many AGs have gotten their states millions of dollars by successfully imposing fines for data breaches.

By using HIPAA requirements as a guide, no matter what your business is, odds are you will remain in compliance for protecting PII. The HIPAA physical safeguard for disposal (45 CFR § 164.310(d)(2)(i)) is very simple: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”4

It’s a familiar sight: unused equipment sitting in an unsecured room.

So how do you start to become compliant in protecting data on end-of-life equipment?

  • Create written policies and procedures for isolating and securing old electronic equipment. Conduct spot checks to ensure they are being followed.
  • Designate someone responsible for inspecting all equipment for data.
  • Secure a NAID AAA-certified vendor who specializes in data sanitization following NIST 800-88R1 and NSA guidelines and can provide a Certificate of Data Sanitization.
  • Perform strict due diligence in selecting any vendor – since you generated the data, you are still responsible for safeguarding it.
  • Enter into a Business Associate Agreement (BAA) with the vendor whenever the equipment held protected health information.
  • Consider “Data Breach Insurance” (a.k.a Cyber Liability Insurance).
  • Ensure proper recycling of equipment by securing a vendor who is R2:2013 or e-Stewards certified.

Now is the time to act. Every moment you wait could lead to the next big data breach, doing your company irreparable harm. Certified data destruction is not only a precaution, it’s a responsibility. Make it your priority.


About the Authors

Arleen Chafitz is the owner and CEO of e-End, a Certified Woman Owned Small Business. Arleen began e-End in 2006 with the goal of keeping old electronics out of landfills by proper recycling. As more equipment began retaining data she shifted her focus to data sanitization and preventing data breaches. Arleen has been an entrepreneur for over 40 years and has successfully operated various businesses. She can be reached at: arleen@eendusa.com

Steve Chafitz is President of e-End and is a subject matter expert on sanitizing electronic media and the recycling of electronics. He has briefed a variety of agencies and companies on data sanitization procedures and spoken at numerous cybersecurity conferences as well as hosting webinars on protecting data on end-of-life equipment. He can be reached at: steve@eendusa.com

This article originally appeared in the Spring, 2015 issue of United States Cybersecurity Magazine, which is published quarterly to help raise the level of awareness of the ever-increasing amount of Cyber crimes taking place right here in the United States of America and how to defend against these crimes through prevention and protection strategies.

To learn more about a subscription, visit https://www.uscybersecurity.net/subscribe.

Sources

1 Bitglass, Inc.: “The 2014 Bitglass Healthcare Breach Report.” Nov. 4, 2014: p. 2. <http://pages.bitglass.com/pr-2014-healthcare-breach-report.html>

2 Kissel, Regenscheid, Scholl, Stine: United States Department of Commerce, National Institute of Standards and Technology. “NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization.” December 2014. <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf>

3 Bitglass, op. cit., p. 5.

4 United States Department of Health and Human Services: HIPAA Physical Safeguards, Disposal (R), 45 CFR § 164.310(d)(2)(i).