Using Encryption Garners Exemption For Data Breach Notification
Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."
If the provider uses rot13, they can consider that good enough
So all they have to do is 'encrypt' it? XOR here we come!
Seriously - is there any guide to what TYPES of encryption are covered under this? Otherwise it's inane.
Now, can someone direct me to a site showing how to setup this Encryption Garner Exemption software so that it will notify people of data breaches?
Or do we just need /. to hire an editor?
Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology. The word "encryption" guarantees nothing. Suppose we just use Pig Latin? Ancay ouyay eadray isthay?
Guess who wrote or helped write the law...
Those who would have to follow the law and regulations. That's a problem with regulations, the industry that is regulated writes those regulations. Which then helps cut their competition.
Falcon
Should there be a Law?
whether it's encrypted or not. With encryption it is (in principle) harder. The weakest link is usually not the computer engineering but social engineering anyway.
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
If you wear your seatbelt, you don't have to buy auto-insurance, or report a crash you are involved with.
Because if everyone was wearing their seatbelt, it's impossible for anyone to have gotten hurt.
Basically the same logic behind not reporting a data breach, if encryption was used.
*Not even considering how secure the keys are, and whether the intruder might be able to have gotten some usable data.
Businesses that use encryption for communications rarely encrypt everything.
The method of encryption is defined in the law, adopts the standards set forth by the NIST, and there is a mechanism to update what is acceptable annually through published Guidances. This law is an improvement over what was previously in place. Read the HIPAA Security and Privacy rules as last updated in 2005, and then look at the major steps forward HITECH makes.
That future Guidances can update standards without having to send a law through Congress is also going to allow for future improvements in security, too. HITECH was part of the economic recovery act (ARRA), which shows how difficult it was for HIPAA to get updates - this had to be tacked onto an unrelated must-pass bill.
This article is from an encryption vendor who is stating that most encryption products are what he calls "point-to-point" encryption. I bet he considers his own product to not be, thus it is superior, and thus HIPAA should require all companies to buy his products.
For those of you who think "encryption" is left up to the governed:
The HHS Guidance identifies four situations where paper or electronic data may be vulnerable to a breach, and suggests appropriate safeguards to secure the PHI:
- "Data at Rest". This is data that resides in databases, file systems, and other structured storage methods. The HHS Guidance points to the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices as the approved methodology.
- "Data in Motion". This is data that is moving through a network, including wireless transmission. The HHS Guidance points to specific requirements in Federal Information Processing Standards (FIPS) 140-2 which include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
- "Data Disposed". This is discarded paper records or recycled electronic media. The electronic media must have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. For discarded paper records, PHI would need to be shredded or destroyed in a manner that precludes reconstruction.
- "Data in Use". This is data in the process of being created, retrieved, updated or deleted. The encryption and destruction processes described above, along with the general HIPAA safeguards, will apply to all data in use.
The actual document is here:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
I started to post several derogatory comments as I read through it but eventually I came to the conclusion that while nearly unfathomable to most readers it doesn't completely suck.
In several cases they specifically ask for comment from the public where they think there may be valid concern and I think they accurately identified the weak links where they requested comment. If you have an opinion you might consider posting it there rather than (or in addition to) here.
They do actually address reporting breaches of encrypted data where that encryption could arguably have been broken or circumvented.
I don't quite understand the logic of not simply reporting any breach but it's hardly the disaster it's being made out to be.
I know everyone is thinking it so I'll just put it out there.
I want to be the guy that gets paid to make cool acronyms for the government. ARTEMIS and ATLAS could have been my words! EYE WIL GETT this JOB if it's the LAST thing EYE DO (I believe that had something to do with NASA...).
Having just read through the document and as some other folks have posted further down it's not nearly as bad as you're implying and is *less* friendly to health agencies where reporting rules are concerned.
It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.
In terms of the form of these documents, I wonder if a collaborative re-write type project would fly. Get volunteers to re-write the document such that the intent and legality doesn't change but the readability is greatly increased. I noted several times where the general ordering of the document was not terribly linear, they repeated themselves or used very confusing sentence structure.
1) I really doubt that they were running out and telling everyone of their breaches in the first place. Unless a corporation has a gun to its head they tell the public nothing. Not that I really blame them, it's not exactly profitable to announce such things.
2) Anyone who has worked in industries where encryption is "required" laughs scornfully at press releases like these. We'll see a rush of bandaid solutions to meet the mere minimum then, over time (say one year), even that minimum will be forgotten.
3) I would like to see a penalty that says something like "Any healthcare provider that has claimed HITECH status that is then subsequently breached AND the breach reveals lack of encryption pays X amount of dollars per account fine."
Never go to sea with two chronometers; take one or three.
I'll admit I only scanned TFA, but it seems to me that the situation is this: If they use encryption, companies that failed to protect their data banks don't have to notify those most intimately concerned that the data has been illegally accessed. At the same time, the people who would steal data AND break the encryption are those who have a real intention of using it. It's a safe bet that the use they have in mind is not one the people most directly concerned would approve of.
So under this system, the breaches most likely to cause real harm to people whose personal information has been compromised are precisely the ones that will go unreported.
I know I could have explained this better, but I'm in a hurry. Basically, if you've been told somebody got into a data bank and accessed your personal info, you can pay special attention to whatever is vulnerable. Usually nothing nasty will happen, but at least you're aware of the circumstances. If you aren't aware of the situation, though, you won't be particularly alert. And that will be exactly when you most need to be on guard against the most dangerous kind of data pirate...one who is willing to jump through BOTH metaphorical hoops: initial hack AND decryption.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
"I noted several times where the general ordering of the document was not terribly linear, they repeated themselves or used very confusing sentence structure."
Psst! Excuse me, Mr. Belthize? Please, trade me papers. You've got the encrypted copy, and that's "Top Sekritz". Thank you sir!!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The only provable encryption scheme OTP works with XOR. The only drawback is the key length.
Which is why you use a pseudorandom number generator to make a message-specific key stream as long as the message. As long as you never reuse a key, and your PRNG doesn't suck, you have what they call a synchronous stream cipher. An example of a well-known stream cipher is RC4 from RSA Security. Another is any block cipher in counter mode.
I work in IT in a rural hospital. Right now our s/w vendor doesn't even recommend data encryption. We can't proceed until they give the go-ahead.
And, btw, I don't hear any of you posters whining about the cost of healthcare. This is just another cost added to the cost of healthcare. (How many of you are aware that in the US, Medicare only pays approximately 85% of the COST; Medicaid in some states only pays 55% of the COST.)
Now we have to have breach reports, HIPAA committees, audits, etc. $$$$
This is not to say I disagree with protecting the data. We have a zero tolerance policy for that data. I've had to disable an account for more than 1 nurse that opened their mouth and said something they shouldn't have.
You think this stuff (encryption, f/walls, etc) comes cheap? And don't talk open source. We have to use Windows on the desktops. The HIS s/w won't work on Ubuntu or any other flavor of *nix. I know, I've tried to make it work. Replacing the HIS s/w is out of the question. $5 million at the minimum plus all the training.
I'm not ranting or criticizing the posts or posters. I'm just trying to make people understand that not all hospitals are UPMC, Mayo or Johns Hopkins with money everywhere. In fact, many hospitals (non-profits, I'm referring to) don't make enough money on providing healthcare. They make it on short-term investments in the stock market. (And, yes, our hospital just laid off 11 people due to poor market performance and people holding off on elective surgery.)
I agree, though, that major targets such as a hospital that caters to Hollywood stars or other VIP's should do more.
Cut wages? You really want a nurse who's making minimum + $1 per hour taking care of you?
No, I don't have an answer to the problem either. If you think a single-payer, aka government healthcare, would work think of the thousands of jobs that will be lost (insurance companies, accounting firms, ancillary services) when the gov. takes over.
And message integrity. Since an MITM attacker can just xor his own fraudtext over the ciphertext.
The two drawbacks are key length and message integrity...
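An added example (not code from the thread) showing the integrity problem raised above: a keyed XOR keystream hides the data, but anyone who knows the record layout can rewrite a field without the key, and only an encrypt-then-MAC check catches it. The keystream generator is a toy stand-in for RC4 or counter mode, and the record layout is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample record with a fixed layout, as a health-billing system might store it.
RECORD = b"patient=123456;copay=0010.00;status=PAID"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy synchronous stream cipher: SHAKE-256 used as a keystream generator.
    # Stands in for RC4 / AES-CTR; a (key, nonce) pair must never be reused.
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation.
    return xor_bytes(data, keystream(key, nonce, len(data)))


def rewrite_field(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Malleability: XORing (old ^ new) over the ciphertext changes the plaintext
    # from old to new at that offset, with no knowledge of the key.
    patch = xor_bytes(old, new)
    end = offset + len(patch)
    return ct[:offset] + xor_bytes(ct[offset:end], patch) + ct[end:]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected.
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject tampered ciphertext before touching the plaintext
    return encrypt(enc_key, nonce, ct)


def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    off = RECORD.index(b"0010.00")
    # Unauthenticated stream cipher: the copay field is silently rewritten.
    forged = encrypt(enc_key, nonce, rewrite_field(encrypt(enc_key, nonce, RECORD), off, b"0010.00", b"9999.99"))
    # With a MAC the same rewrite is rejected, while the untouched record still opens.
    ct, tag = seal(enc_key, mac_key, nonce, RECORD)
    rejected = open_sealed(enc_key, mac_key, nonce, rewrite_field(ct, off, b"0010.00", b"9999.99"), tag)
    return forged, rejected, open_sealed(enc_key, mac_key, nonce, ct, tag)
```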
Can you be Even More Awesome?!
It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.
And guess whose bureaucrats and lawyers were involved. I would think the average or typical person could sit down and think, heck think while walking, that any breach of privacy by any entity would be liable for damages financial or otherwise caused by that breach as well as an amount X paid to those who suffered because of it. The disagreement I see is the amount of X.
Falcon
Should there be a Law?
I seem to recall a case from the UK, where two CDs filled with tax information from about 10 million people were left on a train or bus.
Thankfully all the data on the CDs was encrypted.
Typically the password(s) were written on the CDs.
So, no, encryption does nothing but add a layer of security theatre for data breaches. Notification should still be required.
Add the following requirements:
Probably a few more requirements as well. That way those who really want to know can be told, and those who don't care will just throw the letter away anyway.
Also add very very steep fines for not disclosing data breaches. If the chance of it being known that a breach has occurred are 1%, make the fines 200x the cost of notification and expected loss of business. Hell, add mandatory non-suspendable jail time for the responsible managers (including board members).
Seems like the majority of the comments here deride this as a bad idea. But many (most?) of these same people rely on SSL and SSH to encrypt data, and purposefully send it out over a very public network, trusting the power of the encryption to protect them.
Logically, how is this really any different?
We've been using this technique for a long time, now. Our client-based application uses strong encryption to protect the files. Our encryption/decryption system embeds the password in as part of the encryption/decryption process. This means that if the laptop is ever stolen or lost, it does not constitute a compromise or leak of data.
Sure, it's possible that somebody could crack the encryption. But we use very standard, very trusted libraries and best practices. And even if it isn't bullet-proof, it's far, far better than no protection at all. And certainly, we aren't disclosing our encryption key in javascript!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"More specifically (as explained here - PDF) only HIPAA-covered healthcare providers and health plans that omit the use of encryption or information destruction will be obliged to notify individuals about a breach of their personal health information."
I work for one of THE largest health insurance companies and I can say HIPAA is a FEDERAL law; you don't have HIPAA covered and not HIPAA covered. If a provider is NOT abiding under HIPAA they are breaking the law. So in all actuality it will be anyone not employing encryption. The way my company is "applying" encryption is using whole disk encryption on all servers, desktops and laptops. Granted it's not as good as they say it is. Anyone with Linux could mount the darn drives and extract everything off of it. Please, these commercial disk encryption schemes are more for peace of mind than actual protection. So really your personal health information is not safe if stored electronically. It's actually safer stored on paper and locked in filing cabinets behind locked doors in a locked office. Basically they are giving free rides to health folks if the data gets stolen. You hear more about electronic data theft than actual physical data theft. When is the last time you heard on the news about someone breaking into someplace and stealing thousands of files from a health insurance company or a provider, or even credit card companies?
The Truth is a Virus!!!