    Local Encryption ... Why Not?

    IT Discussion
    357 Posts 15 Posters 190.9k Views
    • scottalanmiller @BRRABill

      @BRRABill said:

      I think you missed my point.

      The guidelines state the security only has to be reasonable. I'm not saying in any way it has to be good.

      I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, of what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.

      • scottalanmiller @BRRABill

        @BRRABill said:

        For example, what is reasonable for a 1 person shop and a healthcare conglomerate, DEALING WITH THE SAME PHI (emphasized to point out the stupidity, not arguing with you!! 🙂 ) are totally different.

        Agreed, a one person shop can easily outsecure a big one with nearly zero effort.

        But in neither case is using public mail, unsecured phones or faxing in any way reasonable to claim that security was not completely bypassed.

        • BRRABill @scottalanmiller

          @scottalanmiller said:

          I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, of what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.

          I'm making the argument from the HIPAA side. I'm not saying I agree with it.

          • scottalanmiller

            It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

            For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

            • BRRABill @scottalanmiller

              @scottalanmiller said:

              It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

              For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

              Can you encrypt paper?

              • coliver @BRRABill

                @BRRABill said:

                @scottalanmiller said:

                It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

                For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

                Can you encrypt paper?

                Yes, they have been doing it since the time of the Romans if not earlier.

                • scottalanmiller @BRRABill

                  @BRRABill said:

                  @scottalanmiller said:

                  It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

                  For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

                  Can you encrypt paper?

                  Of course, ever seen a decoder ring?

                  • scottalanmiller @coliver

                    @coliver said:

                    @BRRABill said:

                    @scottalanmiller said:

                    It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

                    For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

                    Can you encrypt paper?

                    Yes, they have been doing it since the time of the Romans if not earlier.

                    Maybe they did it long before but were so good at it that we don't know 😉

                    • scottalanmiller

                      Really, disks are just like paper. Everything is written down in plain sight. If you can do it on disk, you can do it on paper.

                      • BRRABill

                        A SED is like a decoder ring!

                        The thing is that the paper shouldn't just be left out in the open.

                        Now if you are saying they put it in a folder, and then the folder gets stolen, well then yes, that is an issue. An issue I have no way of knowing how to work around. (I didn't deal with any walking paper in our HIPAA stuff.)

                        But it is not reasonable to think you'd "encrypt" paper. You would do whatever reasonable things you could do to protect it. Lock it up at rest, and keep it from being stolen if it is out on the town.

                        It is certainly reasonable to think you'd encrypt a laptop. Which is why OCR doesn't consider it a violation, and why places like the hospital in that article have 1000s of machines using SEDs.

                        • scottalanmiller @BRRABill

                          @BRRABill said:

                          But it is not reasonable to think you'd "encrypt" paper. You would do whatever reasonable things you could do to protect it. Lock it up at rest, and keep it from being stolen if it is out on the town.

                          What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

                          • scottalanmiller @BRRABill

                            @BRRABill said:

                            It is certainly reasonable to think you'd encrypt a laptop.

                            Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

                            • BRRABill @scottalanmiller

                              @scottalanmiller said:

                              What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

                              Because there is no reasonable way to encrypt paper.

                              There is a very reasonable, easy-to-use, and inexpensive way to encrypt disks that I have demonstrated healthcare organizations use.

                              • BRRABill @scottalanmiller

                                @scottalanmiller said:

                                @BRRABill said:

                                It is certainly reasonable to think you'd encrypt a laptop.

                                Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

                                Sure, it would be reasonable if it was possible.

                                If you are implying you cipher the text on the page, well, again that's not reasonable because how could anyone read it?

                                With a SED, the user has to do nothing more than they are used to doing, which is log in to their machine.

                                One is impossible, and silly.

                                The other is widely used, and acceptable to the only organization that matters in the HIPAA fine discussion, the OCR.

                                • BRRABill

                                  You can see, there are many safeguards with paper as well.

                                  But since there is no way to encrypt paper, it doesn't apply.

                                  http://privacyoffice.med.miami.edu/awareness/tips/protect-paper-records-with-sensitive-information

                                  • scottalanmiller @BRRABill

                                    @BRRABill said:

                                    @scottalanmiller said:

                                    What would make paper and disk different? Given that they are effectively identical, why is one reasonable and the other not? If you think disks should be encrypted, wouldn't that imply that all paper should just be encrypted? It's local so... why not?

                                    Because there is no reasonable way to encrypt paper.

                                    There is a very reasonable, easy-to-use, and inexpensive way to encrypt disks that I have demonstrated healthcare organizations use.

                                    That's debatable. Encrypting data is only easy as long as you decrypt it and leave it unprotected when going to the end user. Encrypt that data end to end and it gets very hard.

                                    • scottalanmiller @BRRABill

                                      @BRRABill said:

                                      @scottalanmiller said:

                                      @BRRABill said:

                                      It is certainly reasonable to think you'd encrypt a laptop.

                                      Why, you just said that paper was not reasonable to encrypt. The logic that makes paper need to be insecure would extend to the laptop, right?

                                      Sure, it would be reasonable if it was possible.

                                      If you are implying you cipher the text on the page, well, again that's not reasonable because how could anyone read it?

                                      With a SED, the user has to do nothing more than they are used to doing, which is log in to their machine.

                                      One is impossible, and silly.

                                      The other is widely used, and acceptable to the only organization that matters in the HIPAA fine discussion, the OCR.

                                      Impossible? It's literally identical to the digital way. It's VERY possible. If it was not, computers could not do it either.

                                      • scottalanmiller @BRRABill

                                        @BRRABill said:

                                        You can see, there are many safeguards with paper as well.

                                        But since there is no way to encrypt paper, it doesn't apply.

                                        http://privacyoffice.med.miami.edu/awareness/tips/protect-paper-records-with-sensitive-information

                                        There is EVERY way to encrypt paper. We can all do it. Kids do it every day. Saying that this is all not true doesn't make it untrue.

                                        • scottalanmiller

                                          I totally understand that one system is more automated than the other and it is easier to use computers than not to use computers, but we are already going to the high effort paper world here. ALL security that applies to a drive applies to paper, all, no exceptions. They are the same type of thing (bits on physical media). You can, at any point, print disk data to paper and vice versa. They are interchangeable.

                                          But it would be trivially easy to put in a little encryption on paper end to end. Super easy. But we don't bother, we just ignore security there.

                                          Although it needs to be pointed out, we don't encrypt anything digitally end to end, but we take it much farther.

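The point made in the post above, that whatever protects bits on a disk can protect the same bits on paper, as an added example that is not from the thread or from either poster: a record is encrypted with an authenticated construction built only from the Python standard library, the resulting bytes are rendered as base32 groups that can be printed and later read or typed back in, and the paper copy decrypts exactly as the disk copy would, while a single altered character on the page is rejected. The passphrase, the PBKDF2 iteration count, the sample record and the function names are all assumptions; the HMAC-based counter mode and encrypt-then-MAC tag stand in for AES-GCM, which is what you would use with a real crypto library.

```python
"""Added example, not from the forum thread: one authenticated-encryption
routine applied to a 'disk' blob and to a 'paper' rendering of that blob.

Construction (stdlib only, for illustration; use AES-GCM or
ChaCha20-Poly1305 from a vetted library in production):
  key derivation : PBKDF2-HMAC-SHA256(passphrase, salt) -> k_enc || k_mac
  encryption     : counter-mode keystream from HMAC-SHA256(k_enc, nonce||ctr)
  integrity      : HMAC-SHA256(k_mac, nonce||ciphertext), encrypt-then-MAC
Paper rendering  : base32 in 5-character groups (case-insensitive alphabet
                   with no 0/1/8), so it survives printing and retyping.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERS = 200_000   # assumption: demo value, tune for your hardware


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-based counter-mode keystream (32-byte blocks)."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hmac.new(k_enc, nonce + ctr.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[ctr * 32:(ctr + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_record(plaintext: bytes, passphrase: str) -> bytes:
    """Return salt || nonce || ciphertext || tag: the bytes as stored on disk."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_enc, k_mac = _derive_keys(passphrase, salt)
    ct = _keystream_xor(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_record(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag first, then decrypt; ValueError on any mismatch."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated record")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = _derive_keys(passphrase, salt)
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or altered text")
    return _keystream_xor(k_enc, nonce, ct)


def to_paper(blob: bytes) -> str:
    """Render the disk bytes as printable base32 groups, 8 groups per line."""
    b32 = base64.b32encode(blob).decode().rstrip("=")
    groups = [b32[i:i + 5] for i in range(0, len(b32), 5)]
    return "\n".join(" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))


def from_paper(text: str) -> bytes:
    """Read a paper copy back; whitespace and letter case are ignored."""
    b32 = "".join(text.split()).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def paper_roundtrip(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt, 'print' to paper, read the page back, decrypt."""
    page = to_paper(encrypt_record(plaintext, passphrase))
    return decrypt_record(from_paper(page), passphrase)


def paper_tamper_detected(plaintext: bytes, passphrase: str) -> bool:
    """Alter one character on the page (part of the salt); the tag must reject it."""
    page = to_paper(encrypt_record(plaintext, passphrase))
    altered = ("A" if page[0] != "A" else "B") + page[1:]
    try:
        decrypt_record(from_paper(altered), passphrase)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    record = b"Patient: J. Doe, DOB 1970-01-01, Dx: example"   # constructed, not real PHI
    blob = encrypt_record(record, "correct horse battery staple")
    print(to_paper(blob))
    print(decrypt_record(blob, "correct horse battery staple"))
```

What this does not solve is the part of the thread that is genuinely hard: the reader of the page needs the passphrase, so the printed record is useless to anyone who was never given the key, including the clinician it was addressed to. That key-distribution problem is the same whether the ciphertext sits on a platter or on a sheet of paper.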
                                          • scottalanmiller

                                            I understand in the HIPAA world because security is not a related topic and laws are, it's probably worth encrypting local drives, even if we lose data, because we don't care about losing data, we care about getting sued. But it is really important to understand that the reasons we do it for HIPAA are not security related and that HIPAA discussions don't apply to non-HIPAA discussions.
