Shoot ‘em up: and other ways to decommission your hard drives
One unlucky NHS trust hit the headlines recently when one of its old hard drives turned up on eBay with sensitive patient details still on it. Security journalist Davey Winder explains the background to the story - and how to stop it happening to you.
Every year, BT’s Security Research Centre, in conjunction with the Forensic Computing Lab at Glamorgan University, conducts a survey to find out how much of a problem the insecure disposal of hard drives really is.
Every year, there are a number of shocking revelations. And the latest survey did not disappoint - unless you happen to be involved with Dudley Group of Hospitals trust.
BT obtained 350 hard drives from sources around the world, 133 of them in the UK, of which 75 were in a working condition. Of those, 62 per cent were found to contain sensitive corporate or personal data. These included a hard drive from Dudley, which turned up on eBay and revealed confidential cancer patient details.
In fairness to the trust, it appears the hard drive belonged to a computer that wasn’t even authorised to be on its network. It’s rather hard to securely decommission something you didn’t know had been commissioned in the first place.
The drive’s failed: its data hasn’t
Decommissioning a hard drive securely - by which I mean getting to the point at which the data on it is erased to the point of being unrecoverable - is not as straightforward as many people think.
Just because a drive has “failed” does not mean that the data on it has disappeared. The old adage that “disks are cheap but data is valuable” should be etched into everybody’s psyche. If a disk fails, or a machine is retired, then you have to think about getting rid of its data in order to prevent the kind of potentially explosive disclosure issues that could arise if it were to fall into the wrong hands.
Shooting’s not good enough for ‘em
I know of one person - who runs the IT department of a publicly quoted company in the finance sector - who used to insist on “mechanically disrupting” old hard drives with both barrels of a 12-bore shotgun.
This is unlikely to become standard practice in the NHS. And it is, in any case, not 100 per cent secure. It is possible to reconstruct data from the disk platters if you have the money, expertise, time and inclination so to do.
I have seen professional data recovery firms legitimately recover data from computers that have been submerged in water for days, incinerated beyond recognition and crushed by concrete. Which is why my finance friend and I now adopt a multi-layered approach to the problem of securely decommissioning hard drives - and so should you.
Encrypt, erase, destroy
Because even a physically wrecked drive can be read by a well-funded recovery lab, you need to securely erase the data first. Not just delete files, and not just format the drive, either. Both of these leave the actual data intact, merely marking the space as available for reuse.
Even if some of the data has been overwritten, it is remarkably easy to reconstruct confidential files using readily available forensic software. (For the techies out there: such software opens the logical path where the deleted files used to be, then uncovers the disk sectors where the data still resides. It can be done simply by searching for some common words within a text string.)
So what are your options when it comes to securely decommissioning hard drives?
Anticipate accidental decommissioning.
Encrypted data is not accessible by any Tom, Dick or Harriet who buys a second-hand drive. Users of Windows XP and Windows Vista should therefore encrypt drives using the built-in tools as a first line of data defence against “accidental” decommissioning such as the theft of a PC.
Erase instead of delete.
By using a secure erasure application you can overwrite your unwanted data with random streams of new data, multiple times. The more of your original data that has been overwritten, the less chance there is of recovering usable data.
The UK government insists on three passes of random data overwriting before disposal, but software is readily available that uses the “Gutmann 35 pass” methodology for real security. And yes, that means 35 overwrites. Remember, the safe disposal of sensitive information is a requirement under the Data Protection Act.
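As an added illustration (not code from the article or from any product it mentions), here is the core loop a secure erasure tool performs, scaled down to a single file: several passes of random data, a final zero pass, and the forensic-style check of scanning the raw bytes for a known word. The sample "patient record" is constructed for the demo.

```python
import os
import tempfile
from typing import Callable, Tuple

CHUNK = 1024 * 1024  # 1 MiB chunks so large files are never read into memory


def _fill(fh, size: int, make_bytes: Callable[[int], bytes]) -> None:
    """Write `size` bytes from the start of the file, then force them to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(make_bytes(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # reach the device, not just the page cache


def secure_overwrite(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` with fresh random data `passes` times
    (three is the baseline the article cites), then once with zeros.
    Caveat: on journaling file systems and SSDs with wear levelling, a
    file-level overwrite can miss stale copies of the blocks; before disposal
    the whole device, not individual files, should be wiped. Returns the size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, os.urandom)
        _fill(fh, size, lambda n: b"\x00" * n)
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """The forensic check the article describes: search the raw bytes for a
    known word instead of trusting what the file system says is there."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo(passes: int = 3) -> Tuple[bool, bool, int]:
    """Constructed sample data: a fake patient record written to a temp file.
    Returns (marker found before wipe, marker found after wipe, bytes wiped)."""
    record = b"PATIENT: Jane Doe, DOB 01/01/1970, diagnosis: confidential\n" * 200
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    before = contains_marker(path, b"diagnosis")
    size = secure_overwrite(path, passes=passes)
    after = contains_marker(path, b"diagnosis")
    os.remove(path)
    return before, after, size
```

Running `demo()` returns `(True, False, <size>)`: the word is found in the raw bytes before the wipe and gone afterwards, which is the difference between deleting a file and erasing it.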
Destroy and recycle.
Some disposal companies will use a degausser machine to bombard hard drives with electromagnetic frequencies and effectively scramble all the magnetic particles of the disk platter, destroying any data in the process. Just how secure this is depends upon the machinery used, as there is a fine balance between destroying the data and destroying the drive as well.
Destroy instead of recycle.
It might not be environmentally friendly, but hard drives can be removed from computers before recycling and physically destroyed (following data wiping) to ensure 100 per cent secure decommissioning. There are companies which will granulate a drive until it resembles kitty litter, and provide a certificate to prove it.
Although it is tempting to take the recycling option (making you feel environmentally friendly and possibly a couple of quid too), is it really worth risking confidential patient data for such a small bounty?
The Dudley story is particularly unfortunate, as clearly the trust had no knowledge of the drive’s appearance on a website in the first place. But you are responsible for data that is within your own IT portfolio. Get the sledgehammer, mangle or anything else to hand, but don’t let your hard drives pop up on eBay.
About the author:
Davey Winder is a former security journalist of the year with BT. He is a regular on the NHS Resource Centre, where he writes the monthly “Sidewinder” column.