Local Encryption ... Why Not?
-
@scottalanmiller said:
@BRRABill said:
We were discussing that the other day. If the data on the drive itself in encrypted.
Did we ever come to a conclusion?
I am assuming that it is encrypted.
Then pulling the drive wouldn't help them, right?
-
@Dashrender said:
This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.
My theoretical conversation is much better. LOL.
-
Here is an article from a very large healthcare organization in NJ.
http://www.inforisktoday.com/interviews/shifting-to-hardware-based-encryption-i-987/op-1
Some key points:
- they are doing this on 800 laptops
- he mentions about not having to report breaches on drives with encryption if they can demonstrate there is no exposure or potential exposure
- he says there is no way to guarantee users are not putting PHI on the laptops
I know in a previous thread it was stated that this is technically data theft, but that still doesn't protect them if a laptop is stolen and they can't without a doubt prove there is no PHI on it.
This goes back to my original question. Instead of trying to force the hand of people to store stuff in the cloud, or not download PHI, or any of those things ... why not just force them to use complex passwords and encrypt the laptop?
-
My other question remains:
You have a doctor with a small practice. He comes to you, fresh off a seminar where he was told all his data at rest needs to be encrypted, and wants you to do that.
Are you saying you'd tell him you don't recommend it?
In the "judge" scenario how could that be anything but negligence? We know it is required as IT people. (Unless you want to argue that PHI doesn't need to be encrypted at rest. Is that a gray area of HIPAA? (Of which I agree the whole thing is a non-checkbox grey area.)) The doctor has been informed. How could either of you answer anything but you know it should have been?
-
The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.
-
@Dashrender said:
The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.
Yes, but if you don't, you'd better have a good reason why not.
"Because the staff didn't want to use passwords" is not going to cut it, I don't think!
This is a good blurb that kind of backs my feelings on this:
You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so. I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct. Is that an argument you want to be making in the face of hefty fines? Not me… and that’s why I have convinced myself that encryption is required by HIPAA. -
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
But it also nice to know if the device gets lost/stolen, the data is probably safe.
Are you sure?
Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.
Someone might make it. It's a stretch, but it's a real concern. Are we enabling risky behaviour? Why?
-
@BRRABill said:
@scottalanmiller said:
Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."Judge: Were you aware that sensitive data was on the machine?
Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
Judge: Oh, that's right. Thank you and have a nice day!That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?
-
@BRRABill said:
@scottalanmiller said:
@BRRABill said:
We were discussing that the other day. If the data on the drive itself in encrypted.
Did we ever come to a conclusion?
I am assuming that it is encrypted.
Then pulling the drive wouldn't help them, right?
Of course it would. Encryption doesn't stop access, it just slows it down. In the case of assumed 10K maximum passwords, it slows it down by only a few seconds.
-
@BRRABill said:
- he mentions about not having to report breaches on drives with encryption if they can demonstrate there is no exposure or potential exposure
If he can demonstrate that there was no exposure then there is no breach. Problem is... that cannot ever be demonstrated. So that's just misdirection and moot. Has nothing to do with the situation. Encryption does not prevent exposure so no need to discuss theoretical cases that can't happen.
-
@scottalanmiller said:
That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?
You'll also see it mentioned int he article I attached.
Because they consider 256-bit encryption (was told only 256 bit qualifies as the "golden ticket", not 128 bit) uncrackable, ever.
You prove
a) you require strong complex passwords and
b) you required this password to unlock the encryption and
c) the encryption was enabledAnd that's all she wrote. Otherwise you are going on the HHS wall of shame!
-
@BRRABill said:
- he says there is no way to guarantee users are not putting PHI on the laptops
No way to ensure that they are not handing out the encryption passwords either. What's the point in that statement?
-
@BRRABill said:
You prove
a) you require strong complex passwords and
b) you required this password to unlock the encryption and
c) the encryption was enabledThis still relies on a judge's opinion, there is no hard ruling. It's also a moving target. Complex passwords are also the weak ones, that alone violates extremely basic security practices and should get facilities in trouble for not meeting basic, easy standards.
How does one prove that encryption was enabled and what kind it was after a device has been exposed? How do you prove the password was hard enough to guess but not in any way stored with the device?
-
@scottalanmiller said:
Of course it would. Encryption doesn't stop access, it just slows it down. In the case of assumed 10K maximum passwords, it slows it down by only a few seconds.
I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.
-
@BRRABill said:
@Dashrender said:
The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.
Yes, but if you don't, you'd better have a good reason why not.
Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."
-
@BRRABill said:
I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.
I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?
-
@scottalanmiller said:
How does one prove that encryption was enabled and what kind it was after a device has been exposed? How do you prove the password was hard enough to guess but not in any way stored with the device?
In a facility like that (they are now over 1250 laptops with this, I saw in a difference article) it's all centrally monitored. Once the encryption is turned on, the users cannot turn it off. Same with me ... my single users cannot disable it.
HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.
-
@scottalanmiller said:
I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?
http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html
-
@BRRABill said:
HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.
You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?
-
@scottalanmiller said:
Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."
But here at ML we're always talking about educating the users.
Wouldn't it be an easier sell to have their staff enter a password upon reboot, then to have to totally change all their procedures to not store stuff on their laptops, which we also know they always do?