Privacy Encryption Security United States Government

Using Encryption Garners Exemption For Data Breach Notification

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."
  • by mysidia ( 191772 ) on Saturday September 19, 2009 @06:40PM (#29479341)

    If you wear your seatbelt, you don't have to buy auto insurance or report a crash you are involved in.

    Because if everyone was wearing their seatbelt, it's impossible for anyone to have gotten hurt.

    Basically the same logic behind not reporting a data breach, if encryption was used.

    *Not even considering how secure the keys are, and whether the intruder might be able to have gotten some usable data.

    Businesses that use encryption for communications rarely encrypt everything.

  • by fluffy99 ( 870997 ) on Saturday September 19, 2009 @08:07PM (#29479847)

    Congratulations, you're one of the few people that read the article or the document itself. My take on this is that if end-end encryption was used, meaning the actual files lost were still securely encrypted and the keys were not compromised, then the data owner does not have to report it as compromised data. Sounds reasonable to me.

    The ACT is also a huge motivator for these agencies to implement encryption in a secure manner, thereby avoiding the whole mess that happens every time a laptop gets stolen and they don't know what files were actually on it.

  • Re:XOR! (Score:4, Insightful)

    by Anonymous Coward on Saturday September 19, 2009 @08:18PM (#29479895)

    and I don't either. It's the key management that is the weak point. 10-to-1 the people who claim exemptions under this rule will lose a laptop in the same bag as the usb key that decrypts the whole mess...

  • Re:XOR! (Score:4, Insightful)

    by c_forq ( 924234 ) <forquerc+slash@gmail.com> on Saturday September 19, 2009 @08:27PM (#29479935)

    There is actually a balance between the two. The Congresscritters need both votes and money to survive, so when an election is near, letter-writing campaigns can be very effective. It takes more effort to write a letter than most people are willing to put in (it is much easier just to punch the card next to the other guy's name), so a letter represents more potential votes than the letter writer alone.

  • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Saturday September 19, 2009 @09:14PM (#29480169) Homepage

    when the leak is an employee who has access to ALL of that data in its unencrypted form

    Why would the system be giving an employee access to all the data in unsecured form? That'd be a mark of a very badly designed system. But if, "if" mind you, such a breach were to occur, the company wouldn't be eligible for getting out of notification.

    Of course, the most likely weak point is the legitimate end users and their workstations. They have to have access (it's more important that they save the patient's life than keep their data secure), and you'll never persuade a large proportion of them to have good data hygiene. End users regard security as a bolt-on feature, like a spelling checker or other such; they just don't really value it.

  • by R2.0 ( 532027 ) on Saturday September 19, 2009 @10:02PM (#29480397)

    "The weakest link is usually not the computer engineering but social engineering anyway."

    And that's why that exception is there: to protect the companies who have poor policies and weak personnel controls. How many doctors are walking around with their passwords on a sticky note on the back of their ID badges? And how many even know policies against that exist, much less care about them?

  • Re:XOR! (Score:3, Insightful)

    by dgatwood ( 11270 ) on Sunday September 20, 2009 @03:54AM (#29481647) Homepage Journal

    The keys alone won't do the trick. It's the password written on the Post-it note taped to the palm rest that's the bigger concern....
