Topics: Privacy, Encryption, Security, United States, Government

Using Encryption Garners Exemption For Data Breach Notification

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."
  • Re:XOR! (Score:2, Informative)

    by Anonymous Coward on Saturday September 19, 2009 @06:10PM (#29479191)

    There are guidelines, as promulgated by the FTC / HHS. If anyone feels strongly about this, you should write the agencies to change the regulations.

  • by electricprof ( 1410233 ) on Saturday September 19, 2009 @06:14PM (#29479223)
    Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology. The word "encryption" guarantees nothing. Suppose we just use Pig Latin? Ancay ouyay eadray isthay?
  • A breach is a breach (Score:3, Informative)

    by mathfeel ( 937008 ) on Saturday September 19, 2009 @06:22PM (#29479265)
    whether it's encrypted or not. With encryption it is (in principle) harder. The weakest link is usually not the computer engineering but social engineering anyway.
  • by sthomas ( 132075 ) on Saturday September 19, 2009 @06:41PM (#29479345)

    The method of encryption is defined in the law, adopts the standards set forth by the NIST, and there is a mechanism to update what is acceptable annually through published Guidances. This law is an improvement over what was previously in place. Read the HIPAA Security and Privacy rules as last updated in 2005, and then look at the major steps forward HITECH makes.

    That future Guidances can update standards without having to send a law through Congress is also going to allow for future improvements in security. HITECH was part of the economic recovery act (ARRA), which shows how difficult it was for HIPAA to get updates - this had to be tacked onto an unrelated must-pass bill.

    This article is from an encryption vendor who is stating that most encryption products are what he calls "point-to-point" encryption. I bet he considers his own product to not be, thus it is superior, and thus HIPAA should require all companies to buy his products.

    For those of you who think "encryption" is left up to the governed:

    The HHS Guidance identifies four situations where paper or electronic data may be vulnerable to a breach, and suggests appropriate safeguards to secure the PHI:

    - "Data at Rest". This is data that resides in databases, file systems, and other structured storage methods. The HHS Guidance points to the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices as the approved methodology.
    - "Data in Motion". This is data that is moving through a network, including wireless transmission. The HHS Guidance points to specific requirements in Federal Information Processing Standards (FIPS) 140-2 which include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
    - "Data Disposed". This is discarded paper records or recycled electronic media. The electronic media must have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. For discarded paper records, PHI would need to be shredded or destroyed in a manner that precludes reconstruction.
    - "Data in Use". This is data in the process of being created, retrieved, updated or deleted. The encryption and destruction processes described above, along with the general HIPAA safeguards, will apply to all data in use.


  • The actual document (Score:5, Informative)

    by belthize ( 990217 ) on Saturday September 19, 2009 @06:49PM (#29479401)

    The actual document is here:
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf [hhs.gov]

    I started to post several derogatory comments as I read through it but eventually I came to the conclusion that while nearly unfathomable to most readers it doesn't completely suck.

    In several cases they specifically ask for comment from the public where they think there may be valid concern and I think they accurately identified the weak links where they requested comment. If you have an opinion you might consider posting it there rather than (or in addition to) here.

    They do actually address reporting breaches of encrypted data where that encryption could arguably have been broken or circumvented.

    I don't quite understand the logic of not simply reporting any breach but it's hardly the disaster it's being made out to be.

  • Re:great (Score:3, Informative)

    by furbearntrout ( 1036146 ) on Saturday September 19, 2009 @06:54PM (#29479421) Homepage
    According to the pdf it has to meet FIPS 140-2 [wikipedia.org], and implies ssl/tls level of encryption.
    (IANANES, so I'm not sure just how good that is.)

    I can hear people saying I must be new here but I only skimmed TFA.
  • by sthomas ( 132075 ) on Saturday September 19, 2009 @06:58PM (#29479447)

    There's an excellent overview by a law firm here:

    http://www.faegre.com/showarticle.aspx?Show=8969

    "Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed. Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information. Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required."

  • RC4 (Score:3, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Saturday September 19, 2009 @08:53PM (#29480049) Homepage Journal

    The only provable encryption scheme, OTP, works with XOR. The only drawback is the key length.

    Which is why you use a pseudorandom number generator to make a message-specific key stream as long as the message. As long as you never reuse a key, and your PRNG doesn't suck, you have what they call a synchronous stream cipher [wikipedia.org]. An example of a well-known stream cipher is RC4 from RSA Security. Another is any block cipher in counter mode.
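The construction tepples describes, a message-specific keystream XORed into the plaintext that is safe only while no keystream is ever reused, as an added example that is not code posted in this thread. It assumes HMAC-SHA256 used as a keyed PRF in counter mode as the keystream generator (standing in for RC4 or a block cipher in CTR mode, which the post names); the key, nonce and patient-record strings are constructed sample values.

```python
"""Synchronous stream cipher built from a keyed PRF in counter mode.

Added example, not from the Slashdot thread. Assumption: HMAC-SHA256 is the
PRF; the post's RC4 or AES-CTR would fill the same role with a different
keystream generator. Python's `random` module would NOT qualify as the
"PRNG that doesn't suck": Mersenne Twister is predictable from its output.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes: PRF(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings: the OTP / stream-cipher primitive."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream(key, nonce), one keystream byte per message byte."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse: regenerate the same keystream and XOR again."""
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def fresh_nonce() -> bytes:
    """The 'never reuse a key' rule in practice: a unique nonce per message under one key."""
    return os.urandom(16)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What two ciphertexts under the same (key, nonce) give away.

    c1 XOR c2 == (p1 XOR ks) XOR (p2 XOR ks) == p1 XOR p2: the keystream cancels,
    so the relationship between plaintexts leaks without the key. A design review
    of any stream-cipher protocol checks that this situation cannot arise.
    """
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed sample records, not real data.
    p1 = b"MRN 0001: A1c 6.2%"
    p2 = b"MRN 0002: A1c 7.9%"
    n = fresh_nonce()
    c1 = encrypt(key, n, p1)
    print("round trip ok:", decrypt(key, n, c1) == p1)
    # Reusing the nonce for a second message exposes p1 XOR p2 to anyone with both ciphertexts.
    c2_bad = encrypt(key, n, p2)
    print("nonce reuse leaks p1^p2:", keystream_reuse_leak(c1, c2_bad) == xor_bytes(p1, p2))
    # With a fresh nonce the XOR of the two ciphertexts carries no such structure.
    c2_ok = encrypt(key, fresh_nonce(), p2)
    print("fresh nonce leaks p1^p2:", keystream_reuse_leak(c1, c2_ok) == xor_bytes(p1, p2))
```

The nonce is the whole of the "never reuse a key" discipline: the key can be long-lived, but every message must get a counter or random value that has never been paired with that key before, and the receiver needs it (in the clear) to regenerate the keystream. Note that XOR-based ciphers give confidentiality only; flipping a ciphertext bit flips the same plaintext bit, so real deployments pair the keystream with a MAC.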
