Recycling Medical Computers

garye

New Member
Hi,
I have used Eraser & Dban and like the products very well.

Tomorrow, I am being hired to securely wipe 4 older PCs (Win98) at a doctor's office so they can be given to employees for personal use. The computers may presently contain some sensitive patient information. The customer wishes to leave the os and Office suite intact on the computers for the employees to use. The computers cannot simply be wiped with the Dban method as the original os restore software is lost.

I plan on using one of the following methods, which would be best?

Option1-
1. Install Eraser and securely delete all patient data via DoD 3 pass method.
2. Erase the Recycle Bin & erase unused space on the entire c: drive

Option 2-
1. Do an ordinary deletion of all patient data and empty Recycle Bin
2. Install Eraser & erase unused space on the entire c: drive
Thanks very much for your help!!
Garye
 
I would do option 1, but I would bump it up to gutmann 35 passes, just to make sure all patient data is gone. Option 2 would be faster , but I still prefer option 1. Are you going to do a freespace wipe one after the other or try to get them to freespace wipe at the same time.
 
Hi, I appreciate your help! Unfortunately, I never got your post as I couldn't seem to access the news server for quite a few hours.

Anyway, I wound up going with Option 2. I carefully searched for and deleted all patient data as well as all user created files. I also uninstalled any medically related programs. I then installed Eraser and did a freespace wipe on drive c. It seemed to go pretty well.

I don't quite understand your question about the freespace wipe. Are you asking if I would uncheck the box marked 'Cluster Tip Area' in the category 'Overwrite' when deleting files, and then do a freespace wipe on the entire drive afterwards?

I guess I haven't played with the options enough to fully understand the difference. If you could explain them a bit more, I would really appreciate it! Take care,
Garye
 
a freespace wipe is the same as erasing unused space, it's just another way of describing the same thing.

So long as you are satisfied that there is no personally identifiable data left on the computer then it's OK.

Obviously, I don't know where you live but in the UK (where I live) the person disposing of the computer - the Doctor - would have to ensure that no personally identifiable data remained or he could be prosecuted under Data Protection Acts. Personally I believe that if the Doctor / the office doesn't have the restore disks he should have just wiped the entire hard drive with DBAN and donated the computer for whoever to install their own OS. Who knows where data can be lurking?

But working within the confines of what you have to do (and obviously if the computers are going to employees, they aren't likely to have Win98 disks), maximum data destruction of what you can destroy is necessary. So long as you have erased all the files etc that contain sensitive data then doing a freespace / unused space wipe (with a wipe of cluster tips) should be OK. You may want to defrag the computer after this and do another unused / freespace wipe, to err on the side of caution though.

A secure wipe of personal data (to me) is more than just deleting (to the recycle bin and then delete) patient data - it should have been shredded by eraser, using at least a DoD 3 pass (I always use the DoD 7 pass). Carver recommends the 35 Gutmann pass - that IS secure! Then the freespace should be wiped to a highly secure level (including cluster tips), again I use an 8 pass PRNG method for this if I am deleting highly sensitive data, though for routine freespace wipes I use a 1 pass PRNG. Then defrag the computer then do a thorough wipe again or at least a 1 pass. That should be secure enough!
 
Thanks for your help, Robbie! You have explained things very well. I will certainly include your recommendations in any future work of this type.

Btw, is the PRNG method the same as the pseudorandom method? Thanks again!
Garye
 
garye said:
Thanks for your help, Robbie! You have explained things very well. I will certainly include your recommendations in any future work of this type.

Btw, is the PRNG method the same as the pseudorandom method? Thanks again!
Garye
it is, yeah. Sorry for not making that clear! I think PRNG stands for Pseudo Random Number Generator.

I thought a bit about this after posting - I've not used Windows 98 for a long time and can't remember - does W98 have seperate user profiles, like Windows XP? If it did, it would be so much easier for deleting many files, which would probably be stored in the users own Documents and Setting directory.
 
Windows 98 can use User Profiles but they are not as sophisticated as those used under WinXP. All profiles are stored under %Windir%\Profiles.

On the machines that I wiped, one machine for example, had 5 or 6 users over the life of the machine. Their logon names were all listed in the Profiles folder. Technically, however, there were no separate user profiles as all documents from all users were stored, in this case, under a common My Documents folder.

These machines were all used to access a remote file server which essentially contained all the patient data. However, there were still some sensitive documents which were stored locally on the machines.

I guess I now feel the best options to use in a case like this are (starting from the most desirable and ending with the least desirable):

1. Wipe the entire drive using the Dban disk to do a total wipe. If the machine will be donated and needs to have an os, reload the os from scratch via the system recovery disks.

2. Within the Windows os, install Eraser and securely delete all data via DoD 7 pass method or better. End by doing a freespace wipe of the entire drive.

3. Within Windows os, delete all data in ordinary fashion and empty Recyle Bin. Install Eraser and do a freespace wipe of the entire drive.

Does that sound about right? Thanks again for your help and comments!
Garye
 
yeah, in that order those would be the best options in terms of security. If the OS cannot be wiped and reinstalled, option 2 is the more preferable option that option 3.

I believe that is the option (option 2) used by a local project in my area that redistributes donated computers.
 
Sorry for not offering my opinion, I couldn't seem to access this forums server for two days (or the Heidi website) :x . I agree with Robbie.
 
Thanks Robbie and Carver, I really appreciate your help! I am definitely going to save this thread for future use. I am also going to dig in a bit more on the US's HIPAA regulations for medical privacy. I would like to see if they have any recommendations/requirements for recycling these types of computers. Thanks again!
Garye
 
Thanks Robbie and Carver, I really appreciate your help! I am definitely going to save this thread for future use. I am also going to dig in a bit more on the US's HIPAA regulations for medical privacy. I would like to see if they have any recommendations/requirements for recycling these types of computers. Thanks again!
Garye
 
Back
Top