Privacy Encryption Security United States Government

Using Encryption Garners Exemption For Data Breach Notification

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."
  • XOR! (Score:5, Interesting)

    by DarkFencer ( 260473 ) on Saturday September 19, 2009 @06:06PM (#29479159)

    So all they have to do is 'encrypt' it? XOR here we come!

    Seriously - is there any guide to what TYPES of encryption are covered under this? Otherwise it's inane.

  • Re:XOR! (Score:5, Interesting)

    by Pieroxy ( 222434 ) on Saturday September 19, 2009 @07:01PM (#29479455) Homepage

    In any case, you need a key to decrypt your data. If the guy that broke in got the key along with the data, no amount of cryptography is going to help. Usually, from experience, the key is very often too close to the data.

    In a company I worked for, we had to set up a bridge between two web apps. We chose an SSO-like solution that worked well on paper, but the devil is in the details. The guys on the other application decided to encrypt the SSO key in JavaScript on the client.... So the key ended up in clear text in the source of the page!

    Oh well....

  • by belthize ( 990217 ) on Saturday September 19, 2009 @07:08PM (#29479497)

    Having just read through the document and as some other folks have posted further down it's not nearly as bad as you're implying and is *less* friendly to health agencies where reporting rules are concerned.

    It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.

    In terms of the form of these documents, I wonder if a collaborative re-write type project would fly. Get volunteers to re-write the document such that the intent and legality doesn't change but the readability is greatly increased. I noted several times where the general ordering of the document was not terribly linear, they repeated themselves or used very confusing sentence structure.

  • by sthomas ( 132075 ) on Saturday September 19, 2009 @07:59PM (#29479821)

    Quit trolling. If the access is to unencrypted data and that data is compromised, notification is required. The exemption for notification is only for "secured" data. Unencrypted data is not "secured".

  • by MartinSchou ( 1360093 ) on Saturday September 19, 2009 @11:41PM (#29480797)

    I seem to recall a case from the UK, where two CDs filled with tax information from about 10 million people were left on a train or bus.

    Thankfully all the data on the CDs was encrypted.

    Typically the password(s) were written on the CDs.

    So, no, encryption does nothing but add a layer of security theatre for data breaches. Notification should still be required.

    Add the following requirements:

    • What was copied
    • How was it copied (i.e. CDs forgotten on a bus, laptop stolen, physical entry onto facilities, remote access etc.)
    • How was the data protected (i.e. not at all, encrypted etc.)
    • How effective is the chosen encryption (i.e. not at all, 40 bit DES, 4096 bit Blowfish etc.)
    • Were the passwords compromised as well (i.e. yes it was on the CD, possibly, no etc.)
    • What measures are being taken to prevent this happening again (i.e. nothing, passwords won't be shipped along with data, better security against remote access, fired the responsible manager etc.)

    Probably a few more requirements as well. That way those who really want to know can be told, and those who don't care will just throw the letter away anyway.

    Also add very very steep fines for not disclosing data breaches. If the chance of it being known that a breach has occurred is 1%, make the fines 200x the cost of notification and expected loss of business. Hell, add mandatory non-suspendable jail time for the responsible managers (including board members).
