The Tech Doctor: Are Your Discarded PCs Really Clean?

April 1, 2008

Before you turn over your old computer to your nephew, sister-in-law, or church group, make sure there isn’t private information still lurking inside. It’s not as simple as hitting the delete button.


It’s inevitable. You purchase new PCs for your practice, and an employee approaches you with the question: “What are we doing with our old computers? My sister/cousin/neighbor/church could really use one, and if you’re just going to throw them out … (insert guilt here).”

I’ve heard every variant of this question - posed by everyone from CEOs to receptionists - each looking to obtain a used PC for their son, daughter, church, charity, or home office, or to use it as a component of their home stereo system (really).

Before the Good Samaritan in you hands over one of your replaced PCs, there are a few things you may want to take into account. After all, no good (technology) deed goes unpunished.

“But I pressed ‘delete’…”

We’ve all seen TV crime dramas in which a tech-savvy criminal is tracked down by a team of experts who study data from his home PC - usually information he thought he’d erased. Data recovery is not just the stuff of television. When you hit the delete key, it rarely means that the file is gone forever. Often a remnant image of the file still exists on your computer’s hard drive. In most cases, deleting a file essentially tells your computer that new disk space is available for rewriting with new data … but the old data still exists until your computer writes over that available space.
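The difference between deleting and overwriting can be shown with a small toy model of a disk. This is an added illustration, not part of the original article: the ToyDisk class, its method names, and the sample record are all constructed, and real file systems are far more complex.

```python
BLOCK = 32  # bytes per block on this toy disk (constructed value)

class ToyDisk:
    """Hypothetical model: raw storage plus a file table that points into it."""
    def __init__(self, blocks=16):
        self.data = bytearray(blocks * BLOCK)  # the raw contents of the drive
        self.table = {}                        # file name -> block numbers it owns
        self.free = list(range(blocks))        # blocks the system considers available

    def write(self, name, content):
        chunks = [content[i:i + BLOCK] for i in range(0, len(content), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        owned = []
        for chunk in chunks:
            b = self.free.pop(0)
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")
            owned.append(b)
        self.table[name] = owned

    def delete(self, name):
        # Ordinary delete: forget the file and mark its blocks as available.
        # The bytes in those blocks are not touched.
        self.free = sorted(self.free + self.table.pop(name))

    def wipe_free_space(self):
        # Sanitizing step: overwrite every block no live file owns.
        for b in self.free:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def raw_contains(self, needle):
        # What a recovery tool relies on: read raw bytes, ignore the file table.
        return needle in bytes(self.data)

def demo():
    disk = ToyDisk()
    marker = b"000-00-0000"  # constructed placeholder, not a real identifier
    disk.write("chart.txt", b"Patient: Jane Sample, SSN " + marker + b" (constructed record)")
    disk.write("keep.txt", b"office hours 9-5")
    disk.delete("chart.txt")
    listed = "chart.txt" in disk.table         # the file no longer appears
    after_delete = disk.raw_contains(marker)   # but its bytes are still on disk
    disk.wipe_free_space()
    after_wipe = disk.raw_contains(marker)     # gone only after the overwrite
    kept = disk.raw_contains(b"office hours 9-5")
    return listed, after_delete, after_wipe, kept

if __name__ == "__main__":
    print(demo())
```

The toy overwrites only the space marked available, which matches the description above; a PC leaving the practice calls for overwriting the whole drive.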

Imagine making all your offices’ files - and the personnel files of all your employees, including you - available to a complete stranger. Besides your practice’s sensitive financial information, some of those PCs may contain your entire patient base’s healthcare records, and perhaps their Social Security and credit card numbers as well. Such protected health information (PHI) is covered under HIPAA, which defines it as any “individually identifiable health information.”

Could you sleep at night knowing that one of your transcriptionist’s old PCs may be in the hands of a tech-savvy college student?

Data recovery tools can be easily and inexpensively downloaded from the Internet. What if that same college student’s roommate resurrected some of your “deleted” transcription files? Is the gift worth the risk? What if that student starts printing out recovered radiology reports, medication lists, or workman’s comp visit notes? Do your donated PCs contain employee payroll files, physician credentialing applications, or even images from your personal digital camera? Many PCs also retain lists of Web sites you or your employees have visited as well as images from those sites. Are you nervously recounting in your head where those retired office PCs you gave away last year may be sitting this very moment?

Now that you’ve been incited to be prudently paranoid, what steps can you take to avoid these scenarios?

Purchase peace of mind

You’ll be happy to hear that there’s an entire IT market segment waiting to come to your rescue.

If you are uncomfortable or unskilled with PCs or don’t have access to professional IT experts on your staff, you have a couple of choices: You can retain someone who can scrub data from your old disk drives or you can purchase “disk sanitization” or “disk wiping” software, typically reasonably priced and relatively easy to use.

One of the most often referenced industry benchmarks for these drive sanitization tools is the set of U.S. Department of Defense (DoD) rules for wiping hard drives clean. Most vendors selling third-party software for drive sanitization will cite their level of compliance with the strict rules defined by the DoD for disk drive wiping.

With this in mind, you can select simple and affordable software that can give you the peace of mind that comes with knowing that you’ve significantly lowered the likelihood of ever having any data recovered from your old drives. And your hand-me-down PCs will still be useable by the lucky people who receive them.

Of course, if you are uncomfortable doing the job yourself, you can hire an expert to do it for you. The money you pay up front to have your PCs certified as clean is infinitesimal relative to your potential liability if your sensitive data makes it out of your practice and into the wrong hands.


Jonathan McCallister has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via bgabriel@physicianspractice.com.

This article originally appeared in the April 2008 issue of Physicians Practice.