I recently got my hands on some old computers from a dental office that I'm planning to resell. The IT company that was responsible for these machines wanted to charge the dental office for data removal, but I jumped in and took them for free instead. While I'm familiar with wiping data using Active@ KillDisk at my job and home, I'm concerned about potentially dealing with HIPAA data here. I've researched this and plan to wipe the SSDs using the NIST 800-88 method with one pass of zeros, and then physically destroy them with a hammer. Is this method sufficient to ensure complete data destruction? I'm aware that HIPAA violations can have serious consequences, so I want to be absolutely sure I'm following the correct process.
3 Answers
The IT company likely charges for a certificate of destruction. You'll need to show the dental office that the drives have been securely wiped or destroyed so they aren't left with any liability issues.
Just to clarify, assuming you're not an employee or connected in any way to that dental office, you're not under HIPAA's jurisdiction. Still, it's best to securely wipe the drives or even destroy them. This would protect you, plus it'd be good practice.
Would I still need to provide proof of the data being erased or destroyed to the dental office?
If KillDisk provides a SATA Secure Erase, that's actually enough for your needs. You don't necessarily have to go the physical destruction route since no regulations directly apply to you here. Just perform the Secure Erase and install Windows afterward. Trust me, writing zeros to SSDs doesn't actually do anything useful.
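As an added example, not code from this thread or from KillDisk: after the Secure Erase (on Linux that is typically `hdparm --user-master u --security-set-pass PASS /dev/sdX` followed by `hdparm --user-master u --security-erase PASS /dev/sdX`), a small script can read back sampled sectors from the drive and record the result as a report to hand the office along with the tool's own printout. The device path, the `method` label and the sample image sizes below are assumptions; the `make_sample_image` helper only builds constructed test data so the script runs offline.

```python
"""Post-sanitization read-back check for a block device or disk image.

Assumes the drive has already been sanitized (ATA Secure Erase, KillDisk, ...).
It samples the first and last MiB plus random sectors, confirms they read back
as zeros, and writes a JSON report suitable for attaching to a wipe record.
"""
import hashlib
import json
import os
import random
import tempfile
import time

SECTOR = 512
EDGE_BYTES = 1024 * 1024  # always check the first and last MiB


def sample_offsets(size, samples=64, seed=None):
    """Sector-aligned byte offsets: both 1 MiB edges plus `samples` random picks."""
    n_sectors = size // SECTOR
    if n_sectors == 0:
        raise ValueError("target is smaller than one sector")
    rng = random.Random(seed)
    edge = min(EDGE_BYTES // SECTOR, n_sectors)
    picks = set(range(edge))
    picks.update(range(n_sectors - edge, n_sectors))
    for _ in range(samples):
        picks.add(rng.randrange(n_sectors))
    return [s * SECTOR for s in sorted(picks)]


def verify_zeroed(path, method="unspecified", samples=64, seed=None):
    """Return (all_zero, report). Works on regular files and raw block devices."""
    digest = hashlib.sha256()
    nonzero = []
    with open(path, "rb", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # seek returns the new position = device size
        offsets = sample_offsets(size, samples=samples, seed=seed)
        for off in offsets:
            f.seek(off)
            chunk = f.read(SECTOR)
            digest.update(chunk)
            if any(chunk):  # any non-zero byte means residual data
                nonzero.append(off)
    report = {
        "device": path,
        "sanitize_method": method,
        "size_bytes": size,
        "sectors_sampled": len(offsets),
        "nonzero_offsets": nonzero[:16],  # first few, enough to investigate
        "sample_sha256": digest.hexdigest(),
        "verified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "result": "PASS" if not nonzero else "FAIL",
    }
    return not nonzero, report


def make_sample_image(size=65536, taint_offset=None):
    """Constructed test input: an all-zero image, optionally with one stray byte."""
    data = bytearray(size)
    if taint_offset is not None:
        data[taint_offset] = 0x41
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    import sys  # usage: python verify_wipe.py /dev/sdX "ATA Secure Erase"
    ok, rep = verify_zeroed(sys.argv[1], method=sys.argv[2] if len(sys.argv) > 2 else "unspecified")
    print(json.dumps(rep, indent=2))
    sys.exit(0 if ok else 1)
```

The report only shows what the host can read back through the controller; an SSD that returns zeros for unmapped blocks will pass this check by design, so it is evidence of a clean LBA space, not proof of NAND-level erasure. Keep the JSON together with the Secure Erase tool's own log if the office asks for a record.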

I know KillDisk lets you print out documentation showing the drive was wiped. Would that be sufficient, or should I just return the drives to them?