Local Encryption ... Why Not?
-
Holy cow, I got the same thing.
-
Now my browser does have a PDF viewer enabled in it, so the file opened in the browser, but I'm pretty sure it did download and open locally.
This definitely seems odd, but now that I think about it, makes some sense. Because you're not printing the whole browser window, or even a window within the browser, Word (in this case) needs some way to enforce printing format. Forcing it to a PDF and then requiring the user to use a local PDF viewer to do the printing does make sense...
Though I wonder if it would have been better to have the print job open in a new window formatted as desired, ignoring actual window size, etc... and then launching the browser print option - though I'm guessing there is too much chance that printing would not have the correct formatting.
-
Very odd. Although I suppose this helps to highlight that if you go to print, you are exposing things. Printing isn't secure - not from the network side nor the paper side. If you are forced to download a PDF, I guess it would help to remind users that they are doing something inherently insecure.
But why would it do this rather than printing directly?
-
@scottalanmiller said:
But why would it do this rather than printing directly?
Did you post this while I was editing my previous post?
-
Yes
-
What do you think of the possible reasons I posted?
-
That seems to make sense. By going to PDF you know that you will be able to get an exact copy rather than something "close-ish."
-
@scottalanmiller said:
Very odd. Although I suppose this helps to highlight that if you go to print, you are exposing things. Printing isn't secure - not from the network side nor the paper side. If you are forced to download a PDF, I guess it would help to remind users that they are doing something inherently insecure.
But why would it do this rather than printing directly?
Printing can be secure.
Our copier is HIPAA compliant.
You could also just hang a personal laser printer off the box you want to be secure.
My point is that who knows what files these secure browsers are putting on your machine.
When I am going across some crazy border as a spy, I want to be sure. (NOTE: I have barely ever left the US.)
-
@BRRABill said:
@scottalanmiller said:
Very odd. Although I suppose this helps to highlight that if you go to print, you are exposing things. Printing isn't secure - not from the network side nor the paper side. If you are forced to download a PDF, I guess it would help to remind users that they are doing something inherently insecure.
But why would it do this rather than printing directly?
Printing can be secure.
Our copier is HIPAA compliant.
You could also just hang a personal laser printer off the box you want to be secure.
My point is that who knows what files these secure browsers are putting on your machine.
When I am going across some crazy border as a spy, I want to be sure. (NOTE: I have barely ever left the US.)
I have no idea what you're talking about crossing borders...
But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.
How is your copier HIPAA compliant? Because the drive is encrypted and requires a username/password to get into the drive? Sure that makes it HIPAA compliant, but does not make it secure. If this was a high value target, someone could install a tap on the network connection and probably capture the prints in transit. I'm not aware of any printer that has a driver that uses SSL, though I'm sure there are some out there today.
-
@Dashrender said:
I have no idea what you're talking about crossing borders...
Was an IT joke. Poor one, perhaps.
Like if I was a spy.
-
@Dashrender said:
But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.
Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.
-
@Dashrender said:
How is your copier HIPAA compliant? Because the drive is encrypted and requires a username/password to get into the drive? Sure that makes it HIPAA compliant, but does not make it secure. If this was a high value target, someone could install a tap on the network connection and probably capture the prints in transit. I'm not aware of any printer that has a driver that uses SSL, though I'm sure there are some out there today.
Here is a link to the brand we have.
Though I am pretty sure if your network is secured, encryption to the copier is not a big deal. It's more the hard drive in case it gets traded back in, as in the 1.7 million dollar fine I mentioned earlier for leaving PHI on copiers.
-
@BRRABill said:
@Dashrender said:
But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.
Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.
What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout... you can do anything you want with it.
-
@Dashrender said:
What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout... you can do anything you want with it.
If it is paper with PHI, it still has to be protected.
For example, we have questionnaires where the respondent MIGHT put their name on. So we have to log it into our building, and secure it in a locked cabinet in a locked room.
Just because it is paper doesn't mean you can lose track of it.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.
Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.
What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout... you can do anything you want with it.
Does this mean we can't use it? Of course not, we have to believe that our staff is trustworthy, or we have to get rid of them. Scott's main point, at least as I saw it, was to simply make you aware of this situation, not to make you worried about it.
-
@BRRABill said:
@Dashrender said:
What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout... you can do anything you want with it.
If it is paper with PHI, it still has to be protected.
For example, we have questionnaires where the respondent MIGHT put their name on. So we have to log it into our building, and secure it in a locked cabinet in a locked room.
Just because it is paper doesn't mean you can lose track of it.
You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.
-
@Dashrender said:
You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.
No, I'm not kidding. Not from my understanding of HIPAA.
Maybe not tracking, but you can't just print a bunch of stuff and then leave it wherever. There has to be a process from the printing through the proper disposal, which yes includes very fine shredding.
-
@BRRABill said:
@Dashrender said:
But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.
Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.
It's also a federal crime to socially engineer someone to get access to their computers. Or to just hack in at all. But I don't think that holds up for not securing the data.
-
@BRRABill said:
@Dashrender said:
How is your copier HIPAA compliant? Because the drive is encrypted and requires a username/password to get into the drive? Sure that makes it HIPAA compliant, but does not make it secure. If this was a high value target, someone could install a tap on the network connection and probably capture the prints in transit. I'm not aware of any printer that has a driver that uses SSL, though I'm sure there are some out there today.
Here is a link to the brand we have.
Though I am pretty sure if your network is secured, encryption to the copier is not a big deal. It's more the hard drive in case it gets traded back in, as in the 1.7 million dollar fine I mentioned earlier for leaving PHI on copiers.
We could say all of that about desktops, laptops, etc. I'd generally agree with you. But only insofar as a printer would need any and all protection that a laptop would. If you feel a laptop would need to be encrypted, then a printer surely would since it would generally have many fewer protections and be way easier to steal in most cases.
-
@BRRABill said:
@Dashrender said:
You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.
No, I'm not kidding. Not from my understanding of HIPAA.
Maybe not tracking, but you can't just print a bunch of stuff and then leave it wherever. There has to be a process from the printing through the proper disposal, which yes includes very fine shredding.
Actually the shredding doesn't have to be fine or even destroy the data, sadly. Once you "moderately mangle it" it's considered enough effort. One of my big complaints about HIPAA, it's a scam and does nothing to protect against data leakage.