AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA-HITECH Security: Weak Encryption Is Tantamount To Data Breach

El Emam et al write in "How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials?" that the safe harbor clause is not extended to cases where weak encryption software is used. So, even if one were using disk encryption software to protect the contents of a notebook computer, if that software is based on weak encryption, the loss of the computer still constitutes a data breach. (I should note that AlertBoot uses AES-256, one of the strongest encryption algorithms available for commercial use.)

Don't Take It for Granted...

Here's the particular paragraph from El Emam et al that points out the repercussions of using weak encryption to protect PHI:

It should not be taken for granted that the default file encryption algorithms used to protect PHI are strong. In fact, we found that emailing the ZIP files in our sample would be considered a data breach under the US Health Information Technology for Economic and Clinical Health (HITECH) Act because they all used the weak ZIP 2.0 standard. Furthermore, the emailing of files encrypted using the default encryption in Word 2003 and earlier would also be a breach under the US HITECH Act. Therefore, the simple technical act of encryption does not ensure that this was done effectively [my emphasis]

What is weak encryption? It's usually defined along the lines of "encryption that uses a key of insufficient length, so that it cannot prevent the data from being compromised in a meaningful time frame." In other words, if I can figure out (or find, or guess) the encryption key in, say, less than a year, you've got weak encryption.

In practice, it's easier to define weak encryption as anything that isn't deemed strong encryption: the list of strong encryption algorithms is short, so it's far simpler to enumerate what's strong than to enumerate what's weak.
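The paper's finding above is that the ZIP files in its sample used the weak ZIP 2.0 (traditional PKWARE "ZipCrypto") method. The headers of a ZIP archive declare which protection each member uses, so a covered entity can audit outgoing archives before they're emailed. The following is an added example (not code from the AlertBoot post or from El Emam et al) that reads the central directory with Python's standard zipfile module and labels each member as unencrypted, ZIP 2.0, or WinZip-style AES. The three sample archives at the bottom are constructed inline with struct so the script runs offline; their "encrypted" payloads are placeholder bytes, and the function and constant names are this example's own.

```python
"""Audit the encryption method declared for each entry in a ZIP archive.

Added example (not from the AlertBoot post or the El Emam et al. paper).
Labels each member as unencrypted, "ZipCrypto (ZIP 2.0, weak)", or
WinZip-style AES (AE-x) with its key strength.  Sample archives are
constructed inline; encrypted payloads are placeholder bytes.
"""
import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # compression method reserved by WinZip for AES (AE-x)
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES strength
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040     # general purpose bit 6: PKWARE "strong encryption"

WEAK = "ZipCrypto (ZIP 2.0, weak)"
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _aes_strength(extra: bytes) -> str:
    """Walk the extra field looking for the 0x9901 AE-x record."""
    while len(extra) >= 4:
        tag, length = struct.unpack("<HH", extra[:4])
        if tag == AES_EXTRA_ID and length >= 7:
            # body: vendor version (2), vendor ID "AE" (2), strength (1), method (2)
            return AES_STRENGTH.get(extra[8], "AES (unknown strength)")
        extra = extra[4 + length:]
    return "AES (strength record missing)"


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Label one archive member by the protection its headers declare."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "unencrypted"
    if info.compress_type == AES_METHOD:
        return _aes_strength(info.extra)
    if info.flag_bits & FLAG_STRONG:
        return "PKWARE strong encryption (vendor-specific, verify separately)"
    return WEAK  # encrypted flag set, no AES/strong marker: traditional ZIP 2.0


def audit_zip(data: bytes) -> dict:
    """Map each member name to its encryption label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def has_weak_protection(data: bytes) -> bool:
    """True if any member is unencrypted or uses ZIP 2.0 encryption."""
    return any(label in ("unencrypted", WEAK) for label in audit_zip(data).values())


# --- constructed sample archives (test fixtures, not real PHI) ---------------

def build_zip(entries) -> bytes:
    """Build a minimal stored ZIP from (name, payload, flag_bits, method, extra)."""
    local, central = b"", b""
    for name, payload, flags, method, extra in entries:
        name_b = name.encode()
        offset = len(local)
        crc = zlib.crc32(payload) & 0xFFFFFFFF  # placeholder CRC for opaque payloads
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                             0, 0x21, crc, len(payload), len(payload),
                             len(name_b), len(extra))
        local += name_b + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               method, 0, 0x21, crc, len(payload), len(payload),
                               len(name_b), len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


# AE-2 record declaring AES-256 (strength byte 3), actual method "stored" (0)
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)

SAMPLE_PLAIN = build_zip([("phi.csv", b"id,dob\n1,1970-01-01\n", 0, 0, b"")])
SAMPLE_ZIPCRYPTO = build_zip([("phi.csv", b"\x00" * 32, FLAG_ENCRYPTED, 0, b"")])
SAMPLE_AES256 = build_zip([("phi.csv", b"\x00" * 32, FLAG_ENCRYPTED,
                            AES_METHOD, AES256_EXTRA)])

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO),
                        ("aes256", SAMPLE_AES256)):
        print(label, audit_zip(blob), "WEAK" if has_weak_protection(blob) else "ok")
```

The check only reads what the archive headers declare; it doesn't prove the AES implementation is FIPS 140-2 validated, which is the separate requirement discussed below. It's a quick gate for a mail or DLP pipeline: any archive whose audit returns an "unencrypted" or ZIP 2.0 member should not leave the organization carrying PHI.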

HIPAA/HITECH Data Breach Safe Harbor

It shouldn't be news to any HIPAA covered-entities that the HITECH Act amended HIPAA, or that there is a new data breach notification requirement in that amendment.  The new rules went into effect over a year ago, so if you're hearing about this now...well, get moving and secure your data.

Also in the "not-news" category: there is a safe harbor component to the breach notification requirement. Namely, cases where ePHI (electronic protected health information) is lost but encrypted are exempt from the notification requirement.

There is a caveat, however.  Nowhere is it specified what type of encryption one should be using.  Instead, readers of the guidelines will notice that they're referred to NIST publications regarding encryption.

On the functional equivalent of a safe harbor:

This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach. [19008  Federal Register / Vol. 74, No. 79 / Monday, April 27, 2009 / Rules and Regulations, my emphasis]

On encryption software and NIST:

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated. [42742  Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations]

NIST's guidance rules out any encryption that hasn't been validated, so if you're using something that was contracted out to be built for you but was never validated, you're not getting safe harbor from the HITECH breach notification requirements. Likewise if you're using outdated encryption, such as the default encryption in Word 2003 or earlier, as mentioned by El Emam et al.

It's not just a matter of using encryption.  You've got to use the right encryption: FIPS 140-2 validated encryption.

You've Got to Wonder...

Reading the above, you've got to wonder if there are HIPAA-covered entities out there that are essentially breaking the law because they don't know better.


Related Articles and Sites:
http://www.jmir.org/2011/1/e18/#ref51


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.