Slashdot Mirror


Using Encryption Garners Exemption For Data Breach Notification

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."

29 of 101 comments

  1. great by Savior_on_a_Stick · · Score: 3, Funny

    If the provider uses rot13, they can consider that good enough

    1. Re:great by AliasMarlowe · · Score: 4, Funny

      If the provider uses rot13, they can consider that good enough

      But they're already using rot0. Isn't that good enough?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:great by davester666 · · Score: 3, Funny

      It's not rot0, it's rot26. And everybody knows that a higher number means it's better.

      And next year, watch out for my new rot52 encryption method....

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:great by furbearntrout · · Score: 3, Informative

      According to the pdf it has to meet FIPS 140-2, and implies ssl/tls level of encryption.
      (IANANES, so I'm not sure just how good that is.)

      I can hear people saying I must be new here but I only skimmed TFA.

      --
      Crap. What did the new CSS do with the "Post anonymously" option??
    4. Re:great by selven · · Score: 2, Funny

      rot1040? Is that what the IRS uses to secure my private data?

  2. XOR! by DarkFencer · · Score: 4, Interesting

    So all they have to do is 'encrypt' it? XOR here we come!

    Seriously - is there any guide to what TYPES of encryption are covered under this? Otherwise it's inane.

    1. Re:XOR! by Anonymous Coward · · Score: 2, Informative

      There are guidelines, as promulgated by the FTC / HHS. If anyone feels strongly about this, you should write the agencies to change the regulations.

    2. Re:XOR! by Pieroxy · · Score: 5, Interesting

      In any case, you need a key to decrypt your data. If the guy that broke in got the key along with the data, no amount of cryptography is going to help. Usually, from experience, the key is very often too close to the data.

      In a company I worked for, we had to set up a bridge between two web apps. We chose an SSO-like solution which worked well on paper, but the devil is in the details. The guys on the other application decided to encrypt the SSO key in JavaScript on the client.... So the key ended up in clear text in the source of the page!

      Oh well....

    3. Re:XOR! by Idiomatick · · Score: 3, Funny

      I'd just put a sticker on the computer like this:

      1 -> 0
      0 -> 1

    4. Re:XOR! by selven · · Score: 4, Funny

      I tried that and now my data is all 1s. Thanks a lot!

    5. Re:XOR! by Anonymous Coward · · Score: 4, Insightful

      and I don't either. It's the key management that is the weak point. 10-to-1 the people who claim exemptions under this rule will lose a laptop in the same bag as the usb key that decrypts the whole mess...

    6. Re:XOR! by c_forq · · Score: 3, Insightful

      There is actually a balance between the two. The Congresscritters need both votes and money to survive, so when an election is near letter writing campaigns can be very effective - it takes more effort to write a letter than most people are willing to put in (it is much easier just to punch the card next to the other guy's name), so a letter represents more potential votes than the letter writer alone.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    7. Re:XOR! by dgatwood · · Score: 2, Insightful

      The keys alone won't do the trick. It's the password written on the Post-it note taped to the palm rest that's the bigger concern....

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Who is advising these guys? by electricprof · · Score: 3, Informative

    Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology. The word "encryption" guarantees nothing. Suppose we just use Pig Latin? Ancay ouyay eadray isthay?

    1. Re:Who is advising these guys? by pushing-robot · · Score: 4, Funny

      No I can't.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Who is advising these guys? by aethogamous · · Score: 2, Funny

      Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology.

      Once again we see an example of a comment on slashdot being made with apparently little knowledge or regard for the article.

  4. A breach is a breach by mathfeel · · Score: 2, Informative

    whether it's encrypted or not. With encryption it is (in principle) harder. The weakest link is usually not the computer engineering but social engineering anyway.

    --
    The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
    1. Re:A breach is a breach by R2.0 · · Score: 2, Insightful

      "The weakest link is usually not the computer engineering but social engineering anyway."

      And that's why that exception is there - to protect the companies who have poor policies and weak personnel controls. How many doctors are walking around with their passwords on a sticky on the back of their ID badges? And how many even know policies against that exist, much less care about them?

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  5. It's like making the law.. by mysidia · · Score: 3, Insightful

    If you wear your seatbelt, you don't have to buy auto-insurance, or report a crash you are involved with.

    Because if everyone was wearing their seatbelt, it's impossible for anyone to have gotten hurt.

    Basically the same logic behind not reporting a data breach, if encryption was used.

    *Not even considering how secure the keys are, and whether the intruder might be able to have gotten some usable data.

    Businesses that use encryption for communications rarely encrypt everything.

  6. Encryption methodology is defined by sthomas · · Score: 5, Informative

    The method of encryption is defined in the law, adopts the standards set forth by the NIST, and there is a mechanism to update what is acceptable annually through published Guidances. This law is an improvement over what was previously in place. Read the HIPAA Security and Privacy rules as last updated in 2005, and then look at the major steps forward HITECH makes.

    That future Guidances can update standards without having to send a law through Congress is also going to allow for future improvements in security, too. HITECH was part of the economic recovery act (ARRA), which shows how difficult it was for HIPAA to get updates - this had to be tacked onto an unrelated must-pass bill.

    This article is from an encryption vendor who is stating that most encryption products are what he calls "point-to-point" encryption. I bet he considers his own product to not be, thus it is superior, and thus HIPAA should require all companies to buy his products.

    For those of you who think "encryption" is left up to the governed:

    The HHS Guidance identifies four situations where paper or electronic data may be vulnerable to a breach, and suggests appropriate safeguards to secure the PHI:

    - "Data at Rest". This is data that resides in databases, file systems, and other structured storage methods. The HHS Guidance points to the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices as the approved methodology.
    - "Data in Motion". This is data that is moving through a network, including wireless transmission. The HHS Guidance points to specific requirements in Federal Information Processing Standards (FIPS) 140-2 which include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
    - "Data Disposed". This is discarded paper records or recycled electronic media. The electronic media must have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. For discarded paper records, PHI would need to be shredded or destroyed in a manner that precludes reconstruction.
    - "Data in Use". This is data in the process of being created, retrieved, updated or deleted. The encryption and destruction processes described above, along with the general HIPAA safeguards, will apply to all data in use.

    1. Re:Encryption methodology is defined by sthomas · · Score: 4, Informative

      There's an excellent overview by a law firm here:

      http://www.faegre.com/showarticle.aspx?Show=8969

      "Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed. Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information. Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required."

    2. Re:Encryption methodology is defined by sthomas · · Score: 2, Interesting

      Quit trolling. If the access is to unencrypted data and that data is compromised, notification is required. The exemption for notification is only for "secured" data. Unencrypted data is not "secured".

    3. Re:Encryption methodology is defined by dkf · · Score: 2, Insightful

      when the leak is an employee who has access to ALL of that data in its unencrypted form

      Why would the system be giving an employee access to all the data in unsecured form? That'd be a mark of a very badly designed system. But if, "if" mind you, such a breach were to occur, the company wouldn't be eligible for getting out of notification.

      Of course, the most likely weak-point is the legitimate end-users and their workstations. They have to have access (it's more important that they save the patient's life than keep their data secure) and you'll never persuade a large proportion of them to have good data hygiene. End users regard security as a bolt-on feature, like a spelling checker or other such; they just don't really value it.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  7. The actual document by belthize · · Score: 5, Informative

    The actual document is here:
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf

    I started to post several derogatory comments as I read through it but eventually I came to the conclusion that while nearly unfathomable to most readers it doesn't completely suck.

    In several cases they specifically ask for comment from the public where they think there may be valid concern and I think they accurately identified the weak links where they requested comment. If you have an opinion you might consider posting it there rather than (or in addition to) here.

    They do actually address reporting breaches of encrypted data where that encryption could arguably have been broken or circumvented.

    I don't quite understand the logic of not simply reporting any breach but it's hardly the disaster it's being made out to be.

    1. Re:The actual document by fluffy99 · · Score: 5, Insightful

      Congratulations, you're one of the few people that read the article or the document itself. My take on this is that if end-end encryption was used, meaning the actual files lost were still securely encrypted and the keys were not compromised, then the data owner does not have to report it as compromised data. Sounds reasonable to me.

      The ACT is also a huge motivator for these agencies to implement encryption in a secure manner, thereby avoiding the whole mess that happens every time a laptop gets stolen and they don't know what files were actually on it.

  8. Re:Using Encryption Garner Exemption For Data Brea by belthize · · Score: 3, Interesting

    Having just read through the document and as some other folks have posted further down it's not nearly as bad as you're implying and is *less* friendly to health agencies where reporting rules are concerned.

    It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.

    In terms of the form of these documents, I wonder if a collaborative re-write type project would fly. Get volunteers to re-write the document such that the intent and legality doesn't change but the readability is greatly increased. I noted several times where the general ordering of the document was not terribly linear, they repeated themselves or used very confusing sentence structure.

  9. Re:Dream job by MurphyZero · · Score: 4, Funny

    I just know I don't want to be in charge of the Fully User Capable Key Encryption Device program.

    --
    Our founding fathers removed the guys in charge. Be American. Vote incumbents out.
  10. RC4 by tepples · · Score: 2, Informative

    The only provable encryption scheme, the OTP, works with XOR. The only drawback is the key length.

    Which is why you use a pseudorandom number generator to make a message-specific key stream as long as the message. As long as you never reuse a key, and your PRNG doesn't suck, you have what they call a synchronous stream cipher. An example of a well-known stream cipher is RC4 from RSA Security. Another is any block cipher in counter mode.
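A worked illustration of the synchronous stream cipher described in the post above, added here and not part of the original comment: a toy counter-mode keystream built from SHA-256 over (key, nonce, block counter) is assumed for illustration only, standing in for a vetted cipher such as a block cipher in CTR mode. It shows that encryption and decryption are the same XOR, and why the "never reuse a key" rule matters: when two messages share a keystream, XORing the two ciphertexts cancels the keystream and exposes the XOR of the plaintexts.

```python
import hashlib
import os

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per counter value


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy synchronous keystream (assumption, for illustration only):
    block i = SHA-256(key || nonce || i), concatenated and truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR is its own inverse, so decryption is literally the same function.
decrypt = encrypt


def keystream_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bool:
    """True when an observer holding only the two ciphertexts can compute
    pt1 XOR pt2: this happens exactly when both messages reused (key, nonce)."""
    c1 = encrypt(key, nonce, pt1)
    c2 = encrypt(key, nonce, pt2)
    n = min(len(pt1), len(pt2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(pt1[:n], pt2[:n])


def distinct_nonces_leak(key: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Same check with a fresh nonce per message: the keystreams differ,
    so c1 XOR c2 no longer equals pt1 XOR pt2."""
    c1 = encrypt(key, os.urandom(16), pt1)
    c2 = encrypt(key, os.urandom(16), pt2)
    n = min(len(pt1), len(pt2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(pt1[:n], pt2[:n])


if __name__ == "__main__":
    # Constructed sample data for the demo.
    k, nonce = os.urandom(32), os.urandom(16)
    msg = b"patient record: example PHI, constructed sample"
    assert decrypt(k, nonce, encrypt(k, nonce, msg)) == msg
    print("reused keystream leaks pt1^pt2:", keystream_reuse_leak(k, nonce, msg, b"second message, same keystream"))
```

The nonce plays the role of the "message-specific" part of the keystream the post mentions; losing uniqueness there is what turns a stream cipher into a two-time pad.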

  11. Encryption doesn't help by MartinSchou · · Score: 2, Interesting

    I seem to recall a case from the UK, where two CDs filled with tax information from about 10 million people were left on a train or bus.

    Thankfully all the data on the CDs was encrypted.

    Typically the password(s) were written on the CDs.

    So, no, encryption does nothing but add a layer of security theatre for data breaches. Notification should still be required.

    Add the following requirements:

    • What was copied
    • How was it copied (i.e. CDs forgotten on a bus, laptop stolen, physical entry onto facilities, remote access etc.)
    • How was the data protected (i.e. not at all, encrypted etc.)
    • How effective is the chosen encryption (i.e. not at all, 40 bit DES, 4096 bit Blowfish etc.)
    • Were the passwords compromised as well (i.e. yes it was on the CD, possibly, no etc.)
    • What measures are being taken to prevent this happening again (i.e. nothing, passwords won't be shipped along with data, better security against remote access, fired the responsible manager etc.)

    Probably a few more requirements as well. That way those who really want to know can be told, and those who don't care will just throw the letter away anyway.

    Also add very very steep fines for not disclosing data breaches. If the chance of it being known that a breach has occurred is 1%, make the fines 200x the cost of notification and expected loss of business. Hell, add mandatory non-suspendable jail time for the responsible managers (including board members).