o365 and HIPAA information between two different agencies

scottalanmiller

@Dashrender said in o365 and HIPAA information between two different agencies:

Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

Does that wording exist somewhere? What makes one party more responsible than the other?

scottalanmiller

@BRRABill said in o365 and HIPAA information between two different agencies:

@Dashrender said

Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

Well, if you are going with that, neither does data in transmission.

But you better have a great reason for not doing it and a lot of documentation!

That correct, that fax is allowed, for example, or phone calls demonstrates that data encryption is never a requirement. It's just that IT staff take security so much more seriously by default.

Dashrender

@BRRABill said in o365 and HIPAA information between two different agencies:

@Dashrender said

Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

Well, if you are going with that, neither does data in transmission.

But you better have a great reason for not doing it and a lot of documentation!

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

These two parts seem to have the most to do with encryption over a network. It seems I misunderstood, it it addressable. So, you're right, not required - but so easy and cheap to implement, you better have a damned good reason not to. Assuming the at rest encryption is the same, that's pretty easy to fight because at rest encryption is often expensive, if not in actual dollars, in management, so that would be a reason to not do it on the end user devices. that said, I think where possible doing it on mobile devices is prudent.

164.312(a)(2)(iv)
(iv)
Encryption and decryption
(Addressable).
Implement a
mechanism to encrypt and
decrypt electronic protected
health information.

(e)(1)
Standard: Transmission
security.
Implement technical
security measures to guard
against unauthorized access to
electronic protected health
information that is being
transmitted over an electronic
communications network.
(ii)
Encryption
(Addressable).
Implement a mechanism to
encrypt electronic protected
health information whenever
deemed appropriate.

Dashrender

@wirestyle22 said in o365 and HIPAA information between two different agencies:

@JaredBusch said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

@JaredBusch said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

@BRRABill said in o365 and HIPAA information between two different agencies:

@Mike-Davis said

If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

Do you mean does just doing that (sending the file via O365) make it compliant?

Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

No, that is not what was ever said.

I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say.

Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.

I mean--look, I'm for it. I'm for guaranteed transport encryption. Okay? But it's coming into our country to do tremendous harm. I've had so many people call me and say thank you. You see them talking and they say "Trump has a point."

damn.. I had to read that like 5 times, but I finally get the joke.
nice one.

scottalanmiller

@Dashrender You just used the same logic for why we say that fax isn't okay... it's so easy to do something better that there's really no excuse for using something without in transit security

Dashrender

@scottalanmiller said in o365 and HIPAA information between two different agencies:

@Dashrender You just used the same logic for why we say that fax isn't okay... it's so easy to do something better that there's really no excuse for using something without in transit security

except I disagree with you that it's easier - and so do millions of others. That said, I agree that we SHOULDN'T be faxing, but it's not easier.

Dashrender

turning on TLS on email is completely transparent to the end user, moving from faxing to emailing is hugely impactful to the end user.

BRRABill

Even though @scottalanmiller and I disagreed on this (I think, I forget at this point) FDE locally is also very easy. And it basically absolves you of a breach. Which is why it's implemented in a lot of healthcare systems.

But as you know, that's 2 pieces of hundreds if not thousands. Nuts.

Dashrender

@scottalanmiller said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

Does that wording exist somewhere? What makes one party more responsible than the other?

Not specifically that I am aware of, but how can you be responsible for how someone delivers something to you? I suppose given you fax thing, you could simply deny all access, but is that your job to ensure they are doing the right thing? You can't even tell if the message from them contains PHI until after they send it.

Dashrender

@BRRABill said in o365 and HIPAA information between two different agencies:

Even though @scottalanmiller and I disagreed on this (I think, I forget at this point) FDE locally is also very easy. And it basically absolves you of a breach. Which is why it's implemented in a lot of healthcare systems.

But as you know, that's 2 pieces of hundreds if not thousands. Nuts.

FDE can be easy, but not cost effective. I have no idea how much FDE drives are these days, also what are the local system requirements to make them work? i.e. Does the BIOS have to support it?

scottalanmiller

@Dashrender said in o365 and HIPAA information between two different agencies:

@scottalanmiller said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

Does that wording exist somewhere? What makes one party more responsible than the other?

Not specifically that I am aware of, but how can you be responsible for how someone delivers something to you? I suppose given you fax thing, you could simply deny all access, but is that your job to ensure they are doing the right thing? You can't even tell if the message from them contains PHI until after they send it.

Because the communications is negotiated, you can be equally responsible in either direction. If it is "not your job to ensure that they do the right thing" then that suggests that as long as you offer TLS and they decline, you are covered even when you are the sender.

Dashrender

@scottalanmiller said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

@scottalanmiller said in o365 and HIPAA information between two different agencies:

@Dashrender said in o365 and HIPAA information between two different agencies:

Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

Does that wording exist somewhere? What makes one party more responsible than the other?

Not specifically that I am aware of, but how can you be responsible for how someone delivers something to you? I suppose given you fax thing, you could simply deny all access, but is that your job to ensure they are doing the right thing? You can't even tell if the message from them contains PHI until after they send it.

Because the communications is negotiated, you can be equally responsible in either direction. If it is "not your job to ensure that they do the right thing" then that suggests that as long as you offer TLS and they decline, you are covered even when you are the sender.

Why do you think that? I would say, you offered, they declined, you know you can't because it's not secure - I suppose from an addressable standpoint, you did the best that YOU could do, so I see your point.

Damn there really needs to be some case law about this shit, because until there is, it's all just a guessing game waiting for someone to get sued over it. Or dealing with getting audited by the OCR and seeing what they have to say.

BRRABill

@Dashrender said

FDE can be easy, but not cost effective. I have no idea how much FDE drives are these days, also what are the local system requirements to make them work? i.e. Does the BIOS have to support it?

The Samsung SSDs support FDE and they can be had for well under $100. The software to manage the FDE costs $39 if you want it for an individual use case, but in a healthcare type environment that would all be centrally managed. I'm not sure how much that is.

Though if you ever lose a laptop it's worth it!

BRRABill

Actually, I guess what I am considering would be ... SED and not FDE? Or is that term interchangeable here?

Dashrender

Can you manage drive based encryption from a network?

Something like Bitlocker you can manage from AD, but you're back to the management issue mentioned earlier.

But, like you said, a single lost machine could easily make it worth while.

BRRABill

@Dashrender said

Can you manage drive based encryption from a network?

Something like Bitlocker you can manage from AD, but you're back to the management issue mentioned earlier.

What management issue?

I know some places around us use this:
http://wave.com/products/wave-self-encrypting-drive-management

That's what I use for my users' SEDs, but I manage it all at the machine level. (I think you need 20 machines or something for it to start making sense financially.)

Though it looks like from the home page that company is in turmoil. Not sure if what is happening is good or bad.