
Stimulus Bill significantly modifies HIPAA regulations

Buried within the huge American Recovery and Reinvestment Act (a.k.a. the “Stimulus Bill”) are a few changes to HIPAA’s Privacy and Security Rules, increasing the scope of coverage to include Business Associates. This means data security providers, contractors, and partners can be directly fined for information security breaches that occur on their watch. The bill also increases the penalties for some of the violations.

Previously, Business Associates were required to comply only with a written business associate agreement. Now Business Associates are subject to many of the same requirements that hospitals and medical providers are. They will be required to appoint a security official, develop written policies and procedures pertaining to data leakage, and train their workforce in electronic data protection.

In addition, breach notification requirements were increased. If a breach occurs, the specific business entity that suffered the breach will be required to notify every individual affected by it. If current contact information is not available, the entity may be required to post notification on its website or in some other broadcast medium (television, newspapers). The bill also provides for the creation of a website by the Department of Health and Human Services to list information about these breaches.

Source: Stimulus Bill dramatically modifies HIPAA rules

Data Destruction: Is One Pass Overwriting Enough?

There is some controversy regarding data destruction in the IT industry: some vendors claim that no software-based overwriting solution is secure, and that only firmware-level erasing, like Secure Erase, is certifiable. Others go further and say that only physical destruction is enough. The DoD spec calls for either a 3-pass or a 7-pass wipe, and NIST has stated:

Studies have shown that most of today’s media can be effectively cleared by one overwrite.

Popular TV shows like Numb3rs show scientists able to recover data from drives even after they have been wiped. There are probably as many standards for wiping data from hard drives as there are companies providing solutions. When is it enough? EPC as a company has standardized on the 3-pass DoD wipe, as it is well recognized in the IT industry and is a relatively fast process.
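To make the one-pass versus three-pass discussion concrete, here is an added example (not EPC’s tooling or anything from the original post) that overwrites a file with either a single zero pass or a three-pass sequence (a fixed byte, its complement, then random data, which is how the 3-pass DoD wipe is commonly described; that description is an assumption here, not something the post spells out), then reads the file back and checks at the logical level that no fragment of the original content survives. The sample “patient record” content, the 8 KiB file size, and all function names are constructed for the example.

```python
import os
import secrets
import tempfile

# Pass sequences. ONE_PASS is the single overwrite NIST says clears most
# modern media; THREE_PASS is the byte/complement/random sequence commonly
# attributed to the 3-pass DoD wipe (assumption for this example).
ONE_PASS = ("zero",)
THREE_PASS = ("zero", "ones", "random")


def _pattern_bytes(name, size):
    """Return `size` bytes of the named overwrite pattern."""
    if name == "zero":
        return b"\x00" * size
    if name == "ones":
        return b"\xff" * size
    if name == "random":
        return secrets.token_bytes(size)
    raise ValueError(f"unknown pattern {name!r}")


def overwrite_file(path, passes=ONE_PASS, chunk=1 << 16):
    """Overwrite every byte of `path` in place, once per entry in `passes`.
    fsync after each pass so the data reaches the device instead of sitting
    in the page cache. Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for name in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(_pattern_bytes(name, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def verify_overwrite(path, original, last_pattern):
    """Logical-level check only: read the file back, confirm no 16-byte
    window of the original content is still present, and confirm the final
    pass's pattern is what is on disk (a random pass is only checked for
    being non-constant). This says nothing about remapped sectors or
    flash wear-levelling, which is why firmware Secure Erase exists."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != len(original):
        return False
    for i in range(0, len(original) - 15, 16):
        if original[i:i + 16] in data:
            return False
    if last_pattern == "zero":
        return data == b"\x00" * len(data)
    if last_pattern == "ones":
        return data == b"\xff" * len(data)
    return len(set(data)) > 1


def _make_sample(directory):
    """Constructed 8 KiB file of fake record text; returns (path, bytes)."""
    record = b"CONSTRUCTED PATIENT RECORD 0001; DOB 1970-01-01; MRN 123456\n"
    original = (record * (8192 // len(record) + 1))[:8192]
    path = os.path.join(directory, "phi.dat")
    with open(path, "wb") as f:
        f.write(original)
    return path, original


def demo(passes=ONE_PASS):
    """Wipe the constructed sample file and return (passes_written, verified)."""
    with tempfile.TemporaryDirectory() as d:
        path, original = _make_sample(d)
        n = overwrite_file(path, passes)
        ok = verify_overwrite(path, original, passes[-1])
    return n, ok


def demo_unwiped():
    """Control case: verification of a file that was never overwritten."""
    with tempfile.TemporaryDirectory() as d:
        path, original = _make_sample(d)
        return verify_overwrite(path, original, "zero")


if __name__ == "__main__":
    print("one pass:", demo(ONE_PASS))
    print("three pass:", demo(THREE_PASS))
    print("unwiped control:", demo_unwiped())
```

Both sequences pass the same logical read-back check, which is the point of the NIST quote: extra passes cost time without changing what the host can read back. What the check cannot see is data that the drive itself has moved out of the logical address space, which is the gap the Secure Erase and physical-destruction camps are arguing about.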