Local Encryption ... Why Not?
-
@scottalanmiller said:
It's also a federal crime to socially engineer someone to get access to their computers. Or to just hack in at all. But I don't think that holds up for not securing the data.
A majority of these breaches happen with theft and loss.
HIPAA is all about reasonable protection, as you know. Dropping mail into a USPS box is a reasonable way of securing that data.
Again, if you were sending top secret documents, you wouldn't do that. However, that is not what HIPAA is all about.
-
@scottalanmiller said:
Actually the shredding doesn't have to be fine or even destroy the data, sadly. Once you "moderately mangle it" it's considered enough effort. One of my big complaints about HIPAA, it's a scam and does nothing to protect against data leakage.
By fine I meant cross-cut. It can't be "easily put back together" in any way.
I agree. Total scam.
Healthcare companies that have actual important data to protect, yet aren't under the HIPAA umbrella I have found generally have WAAAAAAAAAAAAAY better security.
-
@BRRABill said:
HIPAA is all about reasonable protection, as you know. Dropping mail into a USPS box is a reasonable way of securing that data.
No, it is not at all. Not in the least. No security professional would ever accept that as secure in the slightest or call that any attempt at security. That's where HIPAA is a joke and a scam. That's laughable. That's so unsecure that there is almost nothing in the world less secure short of putting the data onto a billboard.
This alone proves that HIPAA has no purpose but to collect revenue. There is no condition under which anyone can honestly call putting something out in the open "reasonably secure." It is the very definition of having taken "zero effort."
Likewise HIPAA often allows unencrypted, unsecured phone and fax communications. All three of what we consider the most insecure ways to communicate - all just fine under HIPAA.
That's why HIPAA auditors and security people never overlap. They have no place together.
-
@BRRABill said:
Healthcare companies that have actual important data to protect, yet aren't under the HIPAA umbrella I have found generally have WAAAAAAAAAAAAAY better security.
Absolutely, HIPAA actively undermines security by providing excuses for not needing what the industry considers reasonable baselines.
-
@BRRABill said:
Again, if you were sending top secret documents, you wouldn't do that. However, that is not what HIPAA is all about.
HIPAA is literally allowing lower security than we use for sending little kids birthday money!
-
@scottalanmiller said:
No, it is not at all. Not in the least. No security professional would ever accept that as secure in the slightest or call that any attempt at security. That's where HIPAA is a joke and a scam. That's laughable. That's so unsecure that there is almost nothing in the world less secure short of putting the data onto a billboard.
This alone proves that HIPAA has no purpose but to collect revenue. There is no condition under which anyone can honestly call putting something out in the open "reasonably secure." It is the very definition of having taken "zero effort."
Likewise HIPAA often allows unencrypted, unsecured phone and fax communications. All three of what we consider the most insecure ways to communicate - all just fine under HIPAA.
That's why HIPAA auditors and security people never overlap. They have no place together.
I think you missed my point.
The guidelines state the security only has to be reasonable. I'm not saying in any way it has to be good.
For example, what is reasonable for a 1 person shop and a healthcare conglomerate, DEALING WITH THE SAME PHI (emphasized to point out the stupidity, not arguing with you!! ) are totally different.
-
@BRRABill said:
I think you missed my point.
The guidelines state the security only has to be reasonable. I'm not saying in any way it has to be good.
I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, to what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.
-
@BRRABill said:
For example, what is reasonable for a 1 person shop and a healthcare conglomerate, DEALING WITH THE SAME PHI (emphasized to point out the stupidity, not arguing with you!! ) are totally different.
Agreed, a one person shop can easily outsecure a big one with nearly zero effort.
But in neither case is using public mail, unsecured phones or faxing in any way reasonable to claim that security was not completely bypassed.
-
@scottalanmiller said:
I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, to what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.
I'm making the argument from the HIPAA side. I'm not saying I agree with it.
-
It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security is some regards and less than zero in others. It's all random and logic doesn't play in too much.
For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
-
@scottalanmiller said:
It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security is some regards and less than zero in others. It's all random and logic doesn't play in too much.
For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
Can you encrypt paper?
-
@BRRABill said:
@scottalanmiller said:
It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security is some regards and less than zero in others. It's all random and logic doesn't play in too much.
For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
Can you encrypt paper?
Yes, they have been doing it since the time of the Romans if not earlier.
-
@BRRABill said:
@scottalanmiller said:
It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security is some regards and less than zero in others. It's all random and logic doesn't play in too much.
For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
Can you encrypt paper?
Of course, ever seen a decoder ring?
-
@coliver said:
@BRRABill said:
@scottalanmiller said:
It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security is some regards and less than zero in others. It's all random and logic doesn't play in too much.
For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
Can you encrypt paper?
Yes, they have been doing it since the time of the Romans if not earlier.
Maybe they did is long before but were so good at it that we don't know
-
Really, disks are just like paper. Everything is written down in plain sight. If you can do it on disk, you can do it on paper.
-
A SED is like a decoder ring!
The thing is that the paper shouldn't just be left out in the open.
Now if you are saying they put it in a folder, and then the folder gets stolen, well then yes, that is an issue. An issue I have no way of knowing how to work around. (I didn't deal with any walking paper in our HIPAA stuff.)
But it is not reasonable to think you'd "encrypt" paper. You would do whatever reasonable things you could do to protect it. Lock it up a rest, and keep it from being stolen if it is out on the town.
It is certainly reasonable to think you'd encrypt a laptop. Which is why OCR doesn't consider it a violation, and why places like the hospital in that article have 1000s of machines using SEDs.
-
@BRRABill said:
But it is not reasonable to think you'd "encrypt" paper. You would do whatever reasonable things you could do to protect it. Lock it up a rest, and keep it from being stolen if it is out on the town.
What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?
-
@BRRABill said:
It is certainly reasonable to think you'd encrypt a laptop.
Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?
-
@scottalanmiller said:
What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?
Because there is no reasonable way to encrypt paper.
There is a very reasonable, easy-to-use, and inexpensive way to encrypt disks that I have demonstrated healthcare organizations use.
-
@scottalanmiller said:
@BRRABill said:
It is certainly reasonable to think you'd encrypt a laptop.
Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?
Sure, it would be reasonable if it was possible.
If you are implying you cipher the text on the page, well, again that's not reasonable because how could anymore read it?
WIth a SED, the user has to do nothing more than they are used to doing, which is log in to their machine.
One is impossible, and silly.
The other is widely used, and acceptable to the only organization that matters in the HIPAA fine discussing, the OCR.