Privacy Encryption Security United States Government

Using Encryption Garners Exemption For Data Breach Notification

Posted by timothy
from the keep-your-breeches-on dept.
Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."
  • great (Score:4, Funny)

    by Savior_on_a_Stick (971781) <robertfranz@gmail.com> on Saturday September 19, 2009 @06:04PM (#29479151)

    If the provider uses rot13, they can consider that good enough

    • Re:great (Score:5, Funny)

      by AliasMarlowe (1042386) on Saturday September 19, 2009 @06:06PM (#29479165) Journal

      If the provider uses rot13, they can consider that good enough

      But they're already using rot0. Isn't that good enough?

      • Re: (Score:3, Funny)

        by davester666 (731373)

        It's not rot0, it's rot26. And everybody knows that a higher number means it's better.

        And next year, watch out for my new rot52 encryption method....

        • by dazjorz (1312303)
          I heard the new supercomputers at the NSA can already break rot1040.... Oh, technology nowadays! Amazing.
    • Re: (Score:3, Informative)

      According to the pdf it has to meet FIPS 140-2 [wikipedia.org], and implies ssl/tls level of encryption.
      (IANANES, so I'm not sure just how good that is.)

      I can hear people saying I must be new here but I only skimmed TFA.
      • According to the pdf it has to meet FIPS 140-2 [wikipedia.org], and implies ssl/tls level of encryption. (IANANES, so I'm not sure just how good that is.)

        It's pretty good [nist.gov]. It also has requirements for user-level authentication (machine-to-machine is not good enough) and approved key-generation algorithms. It's also actively maintained by people who know what they are doing, which makes it a much better decision than trying to write your own security requirements spec.

        Why that should get you out of reporting data loss is what I don't follow. When it might be someone sniffing the data at your ISP, you need to report it, but when you have a FIPS certificati

        • "Why that should get you out of reporting data loss is what I don't follow."

          Remember yesterday's story about a data breach due to a spyware e-mail (http://news.slashdot.org/story/09/09/18/0011218/Spyware-Prank-Exposes-Hospital-Medical-Records)?

          I stated there that "the true point is that Hospitals don't want security [...] Pitifully I won't hold my breath waiting for a multimillion exemplary fine against the hospital so others will take the issue more seriously."

          Well, there you have it. Not only these kinds

        • It's pretty good. It also has requirements for user-level authentication (machine-to-machine is not good enough) and approved key-generation algorithms. It's also actively maintained by people who know what they are doing, which makes it a much better decision than trying to write your own security requirements spec.

          FIPS 140 only covers algorithm and implementation details, and a little bit about key management. There's nothing in there that says you can't use an all-zero key, or prepend the key to the data, or use your company name as the key. So you can still build rot-13 out of FIPS 140-certified products (and I've seen it done on numerous occasions). All this requirement is doing is making it less obvious that something's b0rken.

          • From Section 4.7.2 (Key Generation):

            A cryptographic module may generate cryptographic keys internally. Cryptographic keys generated by the cryptographic module for use by an Approved algorithm or security function shall be generated using an Approved key generation method. Approved key generation methods are listed in Annex C to this standard. If an Approved key generation method requires input from a RNG, then an Approved RNG that meets the requirements specified in Section 4.7.1 shall be used.

            Compromising the security of the key generation method (e.g., guessing the seed value to initialize the deterministic RNG) shall require at least as many operations as determining the value of the generated key.

            If a seed key is entered during the key generation process, entry of the key shall meet the key entry requirements specified in Section 4.7.4. If intermediate key generation values are output from the cryptographic module, the values shall be output either 1) in encrypted form or 2) under split knowledge procedures.

            Documentation shall specify each of the key generation methods (Approved and non-Approved) employed by a cryptographic module.

            And the definition of a cryptographic module:

            Cryptographic module: the set of hardware, software, and/or firmware that implements Approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.

            So, you might be able to abuse FIPS-certified components to build something that does ROT-13, but you shouldn't be able to get the resulting cryptographic module certified. Did any of the examples you have seen end up fulfilling U.S. government contracts that required a FIPS-140 certification?

            • So, you might be able to abuse FIPS-certified components to build something that does ROT-13, but you shouldn't be able to get the resulting cryptographic module certified.

              You don't need to get the overall result certified, that's why you're building it using FIPS-certified crypto. So what you do is get some FIPS-140 certified crypto (for example the crypto built into any copy of Windows) and then abuse it to make it about as secure as rot13. The module is certified, but it's used in an insecure manner.

              Did any of the examples you have seen end up fulfilling U.S. government contracts that required a FIPS-140 certification?

              Yes, pretty much all of them, since getting USG contracts is the main reason for going with FIPS-140 certified crypto in the first place.

              • Wow. That's interesting. Maybe it's just that I have been limited to work with components manufacturers; maybe it's because they are all covered by HIPAA, which has very vague borders (due to limited case history), so everyone plays extra cautious; maybe it's because they need FDA device-class certifications, and expect more scrutiny than other projects; or maybe the companies have more cautious legal departments. Whatever the reason, we have certainly met people who interpret the regulations in differen
    • If the provider uses rot13, they can consider that good enough

      For extra security, use it twice. This post is encrypted with double rot13-encryption.

  • XOR! (Score:5, Interesting)

    by DarkFencer (260473) on Saturday September 19, 2009 @06:06PM (#29479159)

    So all they have to do is 'encrypt' it? XOR here we come!

    Seriously - is there any guide to what TYPES of encryption are covered under this? Otherwise it's inane.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      There are guidelines, as promulgated by the FTC / HHS. If anyone feels strongly about this, you should write the agencies to change the regulations.

      • by shentino (1139071)

        Since when do congresscritters ever listen to Joe Schmoe more than corporate fatcat lobbyists?

        • I doubt fatcat lobbyists care whether they're using AES256 or ROT13.

          • Re:XOR! (Score:4, Insightful)

            by Anonymous Coward on Saturday September 19, 2009 @08:18PM (#29479895)

            and I don't either. It's the key management that is the weak point. 10-to-1 the people who claim exemptions under this rule will lose a laptop in the same bag as the usb key that decrypts the whole mess...

            • Re: (Score:3, Insightful)

              by dgatwood (11270)

              The keys alone won't do the trick. It's the password written on the Post-it note taped to the palm rest that's the bigger concern....

        • Re:XOR! (Score:4, Insightful)

          by c_forq (924234) <forquerc+slash@gmail.com> on Saturday September 19, 2009 @08:27PM (#29479935)
          There is actually a balance between the two. The Congresscritters need both votes and money to survive, so when an election is near, letter-writing campaigns can be very effective - it takes more effort to write a letter than most people are willing to put in (it is much easier just to punch the card next to the other guy's name), so a letter represents more potential votes than the letter writer alone.
    • by descil (119554)
      It's not inane, it's sinister.
    • Re:XOR! (Score:5, Interesting)

      by Pieroxy (222434) on Saturday September 19, 2009 @07:01PM (#29479455) Homepage

      In any case, you need a key to decrypt your data. If the guy that broke in got the key along with the data, no amount of cryptography is going to help. Usually, from experience, the key is very often too close to the data.

      In a company I worked for, we had to set up a bridge between two web apps. We chose an SSO-like solution that worked well on paper, but the devil is in the details. The guys on the other application decided to encrypt the SSO key in JavaScript on the client.... So the key ended up in clear text in the source of the page!

      Oh well....

      • by Shakrai (717556)

        The guys on the other application decided to encrypt the SSO key in JavaScript on the client.... So the key ended up in clear text in the source of the page!

        So just put up a EULA that forbids people from looking at the web page source code [slashdot.org]. Geez, do I have to figure out everything for you? ;)

      • Seems like the majority of the comments here deride this as a bad idea. But many (most?) of these same people rely on SSL and SSH to encrypt data, and purposefully send it out over a very public network, trusting the power of the encryption to protect them.

        Logically, how is this really any different?

        We've been using this technique for a long time, now. Our client-based application uses strong encryption to protect the files. Our encryption/decryption system embeds the password in as part of the encryption/d

        • by Pieroxy (222434)

          The story is about not having to disclose data breach if you use cryptography. This is all well and good unless you consider that there are so many dumb setups out there that are just a joke. Not disclosing security breach for those seems like a stupid idea.

          Now for sure, some setups are safe. We don't talk about these.

      • by mcrbids (148650)

        Wish you could edit posts!

        Have you considered using one-time pads to minimize the risk of a key disclosure? Depending on your circumstances, you could actually allow full disclosure of the keys in a session and *still* have a very secure session!

    • Re:XOR! (Score:4, Funny)

      by Idiomatick (976696) on Saturday September 19, 2009 @07:04PM (#29479471)
      I'd just put a sticker on the computer like this:

      1 -> 0
      0 -> 1
      • Re:XOR! (Score:5, Funny)

        by selven (1556643) on Saturday September 19, 2009 @07:12PM (#29479539)
        I tried that and now my data is all 1s. Thanks a lot!
        • by MoreDruid (584251)
          It doesn't work!!! I've got 2 computers here and nothing happens when I tape pieces of paper with that written on it against them. Do I need to print it to have it work?

          What do you mean, the box-thingy on the floor is my computer?

        • Should have used a functional language like real men then. ;)

      • Re: (Score:1, Funny)

        by Anonymous Coward

        I'd just put a sticker on the computer like this:

        1 -> 0
        0 -> 1

        If I know people at all -- and I think I do -- all you'll end up with is a bunch of bytes that look like this: 111111111.

      • I'd just put a sticker on the computer like this:

        1 -> 0
        0 -> 1

        Too much coding. Just add "Note: apply this operation TWICE to recover data". Then we don't need to modify any code.

    • by cbreak (1575875)

      The only provable encryption scheme, OTP, works with XOR. The only drawback is the key length.

      • RC4 (Score:3, Informative)

        by tepples (727027)

        The only provable encryption scheme, OTP, works with XOR. The only drawback is the key length.

        Which is why you use a pseudorandom number generator to make a message-specific key stream as long as the message. As long as you never reuse a key, and your PRNG doesn't suck, you have what they call a synchronous stream cipher [wikipedia.org]. An example of a well-known stream cipher is RC4 from RSA Security. Another is any block cipher in counter mode.

      • And message integrity, since a MITM attacker can just xor his own fraudtext over the ciphertext.

        The two drawbacks are key length and message integrity...

        • by cbreak (1575875)

          For message integrity you can just append a hash value or a mac.

        • by KDR_11k (778916)

          Wouldn't he need to know either the plaintext or the key to put any useful data into that fraudtext result?
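A worked version of the points raised in this subthread (a message-specific keystream from a PRNG/PRF in counter mode, the rule to never reuse a key, and a MAC to catch modification of an XOR stream cipher), as an added example that is not code from the thread. It uses HMAC-SHA256 as the PRF and an encrypt-then-MAC layout, both my own choices; the keys, nonce and messages are constructed demo values.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Message-specific keystream: a PRF (HMAC-SHA256, assumed here) run in
    counter mode over (nonce, counter), the same idea as a block cipher in CTR mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Synchronous stream cipher: data XOR keystream. Decryption is the same call.
    This alone gives confidentiality only, no integrity."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers both the nonce and the ciphertext."""
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None on any modification."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering detected, never hand back the plaintext
    return stream_encrypt(enc_key, nonce, ct)


# Constructed demo values (not from the thread).
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
NONCE = bytes(range(NONCE_LEN))
MSG = b"Patient 42: blood type O-, MRN 0001"


def roundtrip_ok() -> bool:
    return open_sealed(ENC_KEY, MAC_KEY, seal(ENC_KEY, MAC_KEY, NONCE, MSG)) == MSG


def bare_xor_is_malleable() -> bool:
    """Why a MAC is needed: flipping one ciphertext bit flips the same plaintext bit,
    with no knowledge of the key or the plaintext required."""
    ct = bytearray(stream_encrypt(ENC_KEY, NONCE, MSG))
    ct[0] ^= 0x01
    return stream_encrypt(ENC_KEY, NONCE, bytes(ct)) == bytes([MSG[0] ^ 0x01]) + MSG[1:]


def mac_rejects_modified_ciphertext() -> bool:
    """The same one-bit change is caught once the ciphertext is authenticated."""
    blob = bytearray(seal(ENC_KEY, MAC_KEY, NONCE, MSG))
    blob[NONCE_LEN] ^= 0x01  # first ciphertext byte
    return open_sealed(ENC_KEY, MAC_KEY, bytes(blob)) is None


def nonce_reuse_leaks_xor_of_plaintexts() -> bool:
    """Why the key/nonce must never be reused: the keystream cancels out and
    c1 XOR c2 equals p1 XOR p2, which is what 'reusing a one-time pad' leaks."""
    p1 = b"first record here"
    p2 = b"second record no."
    c1 = stream_encrypt(ENC_KEY, NONCE, p1)
    c2 = stream_encrypt(ENC_KEY, NONCE, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```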

    • by jhol13 (1087781)

      Oh, boy ... XOR is the best there is ...
      (quite a few stream ciphers use xor - for a reason: one-time-pad is XOR).

      Yeah, I know what you meant.

    • by Xtravar (725372)

      Hey dipshit! If you actually read the law, or were in the industry affected by this, you might understand that they actually did specify a level of encryption required. I should know because I just spent the last month upgrading our product to conform to the law. From what I was told by our security experts, AES and 3DES are acceptable.

  • Now, can someone direct me to a site showing how to setup this Encryption Garner Exemption software so that it will notify people of data breaches?

    Or do we just need /. to hire an editor?
  • by electricprof (1410233) on Saturday September 19, 2009 @06:14PM (#29479223)
    Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology. The word "encryption" guarantees nothing. Suppose we just use Pig Latin? Ancay ouyay eadray isthay?
    • Yes I can.

    • by pushing-robot (1037830) on Saturday September 19, 2009 @07:26PM (#29479627)

      No I can't.

    • by maxume (22995)

      What does "Ancay ouyay eadray isthay?" mean?

      I read it a couple of times, but I can't make anything of it.

    • Re: (Score:2, Funny)

      by aethogamous (935390)

      Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology.

      Once again we see an example of a comment on slashdot being made with apparently little knowledge or regard for the article.

      • Perhaps, but I recall when the supposedly impenetrable DES standard was rendered vulnerable. [Wie94] M.J. Wiener, Efficient DES key search, Technical Report TR244, School of Computer Science, Carleton University, Ottawa, Canada, 1994. [Wie98] M.J. Wiener, Performance Comparison of Public-Key Cryptosystems, CryptoBytes (1) 4 (Summer 1998). I believe the 1998 publication suggests that a one million dollar specialized computer could exhaustively attack DES in 35 minutes. This was in 1998 mind you. DES is
        • Fair enough, and regardless of the encryption I would have to agree that the very idea is idiotic.
    • by rubi (910818)

      Once again we see an example of public policy on technology being made with apparently little knowledge or regard for technology. The word "encryption" guarantees nothing. Suppose we just use Pig Latin? Ancay ouyay eadray isthay?

      As technology has been "democratized" we have gained as a result a lot of what I call "magazine tech experts", they read something vague in a magazine or web page (usually not a publication specialized in technology or computer science) and go on from that.

  • Guess who wrote or helped write the law...

    Those who would have to follow the law and regulations. That's a problem with regulations, the industry that is regulated writes those regulations. Which then helps cut their competition.

    Falcon

    • Re: (Score:3, Interesting)

      by belthize (990217)

      Having just read through the document and as some other folks have posted further down it's not nearly as bad as you're implying and is *less* friendly to health agencies where reporting rules are concerned.

      It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.

      In terms of the form of these documents, I wonder if a collaborative re-write type project would fly. Get volunteers to re-write the document such that the intent an

      • "I noted several times where the general ordering of the document was not terribly linear, they repeated themselves or used very confusing sentence structure."

        Psst! Excuse me, Mr. Belthize? Please, trade me papers. You've got the encrypted copy, and that's "Top Sekritz". Thank you sir!!

      • It's certainly written in typical bureaucrat/lawyer speak but for individuals it's a clear improvement over the current state of affairs.

        And guess whose bureaucrats and lawyers were involved. I would think the average or typical person could sit down and think, heck think while walking, that any breach of privacy by any entity would be liable for damages financial or otherwise caused by that breach as well as an amount X paid to those who suffered because of it. The disagreement I see is the amount of X.

  • A breach is a breach (Score:3, Informative)

    by mathfeel (937008) on Saturday September 19, 2009 @06:22PM (#29479265)
    whether it's encrypted or not. With encryption it is (in principle) harder. The weakest link is usually not the computer engineering but social engineering anyway.
    • Re: (Score:2, Insightful)

      by R2.0 (532027)

      "The weakest link is usually not the computer engineering but social engineering anyway."

      And that's why that exception is there - to protect the companies who have poor policies and weak personnel controls. How many doctors are walking around with their passwords on a sticky on the back of their ID badges? And how many even know policies against that exist, much less care about them?

  • by mysidia (191772) on Saturday September 19, 2009 @06:40PM (#29479341)

    If you wear your seatbelt, you don't have to buy auto-insurance, or report a crash you are involved with.

    Because if everyone was wearing their seatbelt, it's impossible for anyone to have gotten hurt.

    Basically the same logic behind not reporting a data breach, if encryption was used.

    *Not even considering how secure the keys are, and whether the intruder might be able to have gotten some usable data.

    Businesses that use encryption for communications rarely encrypt everything.

    • by rubi (910818)

      If you wear your seatbelt, you don't have to buy auto-insurance, or report a crash you are involved with.

      Because if everyone was wearing their seatbelt, it's impossible for anyone to have gotten hurt.

      Basically the same logic behind not reporting a data breach, if encryption was used.

      *Not even considering how secure the keys are, and whether the intruder might be able to have gotten some usable data.

      Businesses that use encryption for communications rarely encrypt everything.

      The considerations I think were made regard more the protection of the "reputation" (if they have one to begin with) of the companies affected by such breaches. In my country they have made it illegal to publish anything about a bank if it can be denounced as a rumor, only to protect the "reputation" of those banks. Same principle applies for not reporting breaches.

  • by sthomas (132075) on Saturday September 19, 2009 @06:41PM (#29479345)

    The method of encryption is defined in the law, adopts the standards set forth by the NIST, and there is a mechanism to update what is acceptable annually through published Guidances. This law is an improvement over what was previously in place. Read the HIPAA Security and Privacy rules as last updated in 2005, and then look at the major steps forward HITECH makes.

    That future Guidances can update standards without having to send a law through Congress is also going to allow for future improvements in security, too. HITECH was part of the economic recovery act (ARRA), which shows how difficult it was for HIPAA to get updates - this had to be tacked onto an unrelated must-pass bill.

    This article is from an encryption vendor who is stating that most encryption products are what he calls "point-to-point" encryption. I bet he considers his own product to not be, thus it is superior, and thus HIPAA should require all companies to buy his products.

    For those of you who think "encryption" is left up to the governed:

    The HHS Guidance identifies four situations where paper or electronic data may be vulnerable to a breach, and suggests appropriate safeguards to secure the PHI:

    • "Data at Rest". This is data that resides in databases, file systems, and other structured storage methods. The HHS Guidance points to the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices as the approved methodology.
    • "Data in Motion". This is data that is moving through a network, including wireless transmission. The HHS Guidance points to specific requirements in Federal Information Processing Standards (FIPS) 140-2 which include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
    • "Data Disposed". This is discarded paper records or recycled electronic media. The electronic media must have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. For discarded paper records, PHI would need to be shredded or destroyed in a manner that precludes reconstruction.
    • "Data in Use". This is data in the process of being created, retrieved, updated or deleted. The encryption and destruction processes described above, along with the general HIPAA safeguards, will apply to all data in use.

    • by sthomas (132075) on Saturday September 19, 2009 @06:58PM (#29479447)

      There's an excellent overview by a law firm here:

      http://www.faegre.com/showarticle.aspx?Show=8969

      "Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of protected health information, but not required to give notice to the individuals whose information was inappropriately disclosed. Going forward, covered entities and business associates will be required to notify individuals when security breaches occur with respect to "unsecured" information. Unsecured information means information not protected through technology or methods designated by the federal government. In addition, if the breach involves 500 or more individuals, notice to the federal Department of Health and Human Services and the media is also required."

  • The actual document (Score:5, Informative)

    by belthize (990217) on Saturday September 19, 2009 @06:49PM (#29479401)

    The actual document is here:
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf [hhs.gov]

    I started to post several derogatory comments as I read through it but eventually I came to the conclusion that while nearly unfathomable to most readers it doesn't completely suck.

    In several cases they specifically ask for comment from the public where they think there may be valid concern and I think they accurately identified the weak links where they requested comment. If you have an opinion you might consider posting it there rather than (or in addition to) here.

    They do actually address reporting breaches of encrypted data where that encryption could arguably have been broken or circumvented.

    I don't quite understand the logic of not simply reporting any breach but it's hardly the disaster it's being made out to be.

    • by fluffy99 (870997) on Saturday September 19, 2009 @08:07PM (#29479847)

      Congratulations, you're one of the few people that read the article or the document itself. My take on this is that if end-end encryption was used, meaning the actual files lost were still securely encrypted and the keys were not compromised, then the data owner does not have to report it as compromised data. Sounds reasonable to me.

      The ACT is also a huge motivator for these agencies to implement encryption in a secure manner, thereby avoiding the whole mess that happens every time a laptop gets stolen and they don't know what files were actually on it.

      • It's obvious that the companies involved are creating a CYA clause, nothing new in business case studies. But what's really interesting are some of the fundamental issues that are emerging from the Health Care Question.
        • What harm can happen from anyone knowing your current health status be?
        • What CAN Health Care Companies do BETTER than a government subsidized health care plans?
        • What are the impacts of Genetic Therapies on the Pharmaceutical Industries?
        • Changing the Health Care Business Model from one of "Rep
  • I know everyone is thinking it so i'll just put it out there.

    I want to be the guy that gets paid to make cool acronyms for the government. ARTEMIS and ATLAS could have been my words! EYE WIL GETT this JOB if it's the LAST thing EYE DO (I believe that had something to do with NASA...).
  • 1) I really doubt that they were running out and telling everyone of their breaches in the first place. Unless a corporation has a gun to its head they tell the public nothing. Not that I really blame them, it's not exactly profitable to announce such things.

    2) Anyone who has worked in industries where encryption is "required" laughs scornfully at press releases like these. We'll see a rush of bandaid solutions to meet the mere minimum then, over time (say one year), even that minimum will be forgotten
  • I'll admit I only scanned TFA, but it seems to me that the situation is this: If they use encryption, companies that failed to protect their data banks don't have to notify those most intimately concerned that the data has been illegally accessed. At the same time, the people who would steal data AND break the encryption are those who have a real intention of using it. It's a safe bet that the use they have in mind is not one the people most directly concerned would approve of.

    So under this system, th

  • by MartinSchou (1360093) on Saturday September 19, 2009 @11:41PM (#29480797)

    I seem to recall a case from the UK, where two CDs filled with tax information from about 10 million people were left on a train or bus.

    Thankfully all the data on the CDs was encrypted.

    Typically the password(s) were written on the CDs.

    So, no, encryption does nothing but add a layer of security theatre for data breaches. Notification should still be required.

    Add the following requirements:

    • What was copied
    • How was it copied (i.e. CDs forgotten on a bus, laptop stolen, physical entry onto facilities, remote access etc.)
    • How was the data protected (i.e. not at all, encrypted etc.)
    • How effective is the chosen encryption (i.e. not at all, 40 bit DES, 4096 bit Blowfish etc.)
    • Were the passwords compromised as well (i.e. yes it was on the CD, possibly, no etc.)
    • What measures are being taken to prevent this happening again (i.e. nothing, passwords won't be shipped along with data, better security against remote access, fired the responsible manager etc.)

    Probably a few more requirements as well. That way those who really want to know can be told, and those who don't care will just throw the letter away anyway.

    Also add very, very steep fines for not disclosing data breaches. If the chance of it being known that a breach has occurred is 1%, make the fines 200x the cost of notification and expected loss of business. Hell, add mandatory non-suspendable jail time for the responsible managers (including board members).

    • Thankfully all the data on the CDs was encrypted.

      It was widely reported as "password protected". Whether that means the press (or the press office of HMRC) were dumbing it down for public consumption, or whether it was something considerably more fragile, who knows.

      UK government agencies have become disproportionately paranoid about this kind of data loss now. On the upside, we now have mandatory examinations in data security. In our office, we have universal full-disk encryption and all writeable removable media is required to also be encrypted, enforced

  • "More specifically (as explained here - PDF) only HIPAA-covered healthcare providers and health plans that omit the use of encryption or information destruction will be obliged to notify individuals about a breach of their personal health information."

    I work for one of THE largest health insurance companies and I can say HIPAA is a FEDERAL law; you don't have HIPAA covered and not HIPAA covered. If a provider is NOT abiding under HIPAA they are breaking the law. So in all actuality it will be anyone not empl

    • by sthomas (132075)

      The commercial whole-disk encryption software we use works at the BIOS-level, rather than from within the OS. You can't mount the disks on a Linux system. Your statement that commercial encryption programs are for peace of mind rather than protection is a false generalization. Well-designed, well-implemented, *and* well-managed (must be all three) systems can provide excellent real protection of data.
