Local Encryption ... Why Not?
-
Remember "Scott's First Rule of Security": The key is to make data more expensive to steal than the data is valuable.
With medical data, especially something like a doctor's office rather than a research facility or big pharma, that is a low threshold and just decently securing a server will cover that.
-
The fact that HIPAA exists is kind of a counter argument to that. Fraud is one of the major reasons for the all of the concern. But I do think you're right, we have little concern that someone will break into clinic offices to steal servers to gain access to that data so they can perform fraud. They have easier ways to fraud the system today.
-
@Dashrender said:
The fact that HIPAA exists is kind of a counter argument to that. Fraud is one of the major reasons for the all of the concern. But I do think you're right, we have little concern that someone will break into clinic offices to steal servers to gain access to that data so they can perform fraud. They have easier ways to fraud the system today.
I don't agree. HIPAA covers casual exposure primarily and is designed around that. I've seen hospitals violate HIPAA because they want to grab data out of their databases to extort money from family members. Kinds of things that encryption won't protect against and big theft isn't the issue. It's getting "simple" access to "things not needed for your job."
-
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
-
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
-
@scottalanmiller said:
Um, all the time. You are talking about small businesses like doctors offices. How many have generators or even good UPS? How many accidentally reset gear? This is very common. I've seen it a few times this week already. Maybe you are dealing with much bigger companies that we normally see. Anyone under a few hundred users this is a very common problem.
The ones that I deal with do not have these problems.
The servers do not reboot. (They are all on a UPSes with nice run times.) If they did (for example I had an issue recently with a printer driver rebooting the server in the middle of the day) I got a call immediately. Or I would get an alert the machine was done and call them.
The people I deal with call me, and me exclusively.
Granted, this is not on the scale that some of you deal with, so I can't speak to these other things you talk of.
-
@BRRABill said:
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
Encrypting data doesn't prevent authorized people from accessing or using data in an unauthorized manor.
-
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
It's actually insanely easy to build. Views by role is a standard security measure in any modern product. Even Spiceworks does this.
-
@BRRABill said:
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
-
@Jason said:
Encrypting data doesn't prevent authorized people from accessing or using data in an unauthorized manor.
I just looked up the breach report.
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
It's interesting to note that a majority of the early cases were all from theft. Now they are interspersed with "unauthorized access" which if I had to bet, was due to more healthcare systems encrypting their endpoints. As we discussed, they do not look at an encrypted lost endpoint as a breach.
Are there potential holes in endpoint encryption? Sure. There are holes in anything.
Since we were discussing it, here is an article that states the OCR does not consider the loss of an encrypted endpoint a breach.
http://www.icemiller.com/MediaLibraries/icemiller.com/IceMiller/PDFs/publications/Healthcare-Protect-Confidentiality-Guide.pdf?ext=.pdf -
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
-
@BRRABill said:
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
Because that is the easiest way to steal data. It's the simplest to protect against also. The current way is about giving an image of security without actual security.
-
@BRRABill said:
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
You reinvest the wheel when the existing wheel isn't a good design. Why use the square wheel when the round one could be invested?
-
@BRRABill said:
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.
-
@Jason said:
The current way is about giving an image of security without actual security.
It still hasn't been explained to me how an encrypted hard drive is just an image of security.
-
@scottalanmiller said:
Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.
So out of the 100% of hospitals in the US ... how many do you think are fully following best practice?
And what percentage would benefit from just encrypting their endpoints?
-
@BRRABill said:
@Jason said:
The current way is about giving an image of security without actual security.
It still hasn't been explained to me how an encrypted hard drive is just an image of security.
We've explained it quite a bit. It's not as secure as the standard "wheel". It encourages lower than normal security and makes it increasingly likely to be insecure.
-
@BRRABill said:
@scottalanmiller said:
Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.
So out of the 100% of hospitals in the US ... how many do you think are fully following best practice?
And what percentage would benefit from just encrypting their endpoints?
Almost all, Because the majority always do things poorly.
-
@scottalanmiller said:
It encourages lower than normal security and makes it increasingly likely to be insecure.
In no way am I suggesting we throw caution to the wind because we are using a SED.
It is the final security check, and as has been mentioned prevents you from even having to report a breach in HIPAA settings.
Even if I store all my data in the cloud for my personal machine, I'd still like to have the safety net of the SED, juuuuuuuuuust in case one of my programs isn't working quite the way it supposed to. Now I know all of our programs and products work exactly as they should, and there is no chance of there being any sensitive data on there. (<= DEEP DEEP SARCASM.)
-
@scottalanmiller said:
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
It's actually insanely easy to build. Views by role is a standard security measure in any modern product. Even Spiceworks does this.
Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)
What I'm talking about is - nurse ratchet should only be able to see the patients that her assigned physician is seeing today - or if she's in a call center, accessing the record would require some kind of release from the patient, etc.
Sure we have roles, but really, they are nearly pointless.