Actually it might not be all F.U.D. (Fear, Uncertainty and Doubt)

See below: http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224600001

This goes to the heart of some of the required controls in HIPAA, and definitely should be covered under the new HITECH provisions: HIPAA standard Device and Media Control (164.310(d)(2)(ii)).

The issue is whether PII/PHI could be obtained from the hard drive accordingly. If so, and the organization did not wipe the drives (a forensically sound manner or physical destruction are the only two methods that will stand up), then there probably could have been a data breach and therefore follows breach notification laws, and provisions within HITECH along with federal/state guidelines.

These types of situations are only going to get worse. What about the medical imaging devices from healthcare vendors, to vendor MRI/CT scans, etc., etc.? Where are the images stored (local or remote, is the internal memory/storage wiped clear after each use, or is there data remanence on the systems, which could be obtained if the device left the site for repair/replacement)?

Just food for thought,

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

From: Mike Gill [mailto:[email protected]]
Sent: Friday, April 23, 2010 1:32 PM
To: NT System Admin Issues
Subject: RE: Copier Hard Drives and sensitive data?

These guys found information. Lots of it. I'd say that's FUD alright but not the way you're referring. The Xerox text you pasted is nice and all but has no bearing on what the office staff will do when they get rid of an old copier. Who cares if there is a feature to wipe the disk if it's never used? Who cares if there is a program to buy the hard drive from the unit if it's never purchased, let alone that most people don't even grasp the contents of storage in one of these devices. And what if they don't have a Xerox?

I have received temp units in offices I service when the leased unit had to go into the shop for a major repair. Every temp unit I have seen had documents stored in the device from the previous offices. If you have MFPs, you better look up how to have the device properly reset/formatted/whatever if you have sensitive info that's been run through it when they're replaced. Stored jobs, scan-to & document server capabilities are features many units have.

--
Mike Gill

From: David Mazzaccaro [mailto:[email protected]]
Sent: Friday, April 23, 2010 7:50 AM
To: NT System Admin Issues
Subject: RE: Copier Hard Drives and sensitive data?

This article is full of FUD. Read the comments...

Here's the link.. it was CBS...
http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

________________________________

From: David McSpadden [mailto:[email protected]]
Sent: Friday, April 23, 2010 10:47 AM
To: NT System Admin Issues
Subject: Copier Hard Drives and sensitive data?

Operations Officer comes to me this morning and asks if we wipe our copiers clean before we give them away or throw them away. I say we clean everything before we ever let it go out of our department, but why are you asking about copiers? He proceeds to tell me about a 20/20 or 60 Minutes spot where some person bought 5 copiers and got all kinds of personal info from police departments and whatnot because copiers have hard drives in them and they retain everything that is copied to them over time.

So, is this true? If so, is there a way to 'clean' them before reselling them or trashing them and still keeping them functional?
