Local Encryption ... Why Not?

IT Discussion
357 Posts 15 Posters 190.8k Views
• Dashrender @BRRABill

  @BRRABill said:

  @Dashrender said:

  But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.

  Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.

  What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout, you can do anything you want with it.
• BRRABill @Dashrender

  @Dashrender said:

  What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout, you can do anything you want with it.

  If it is paper with PHI, it still has to be protected.

  For example, we have questionnaires where the respondent MIGHT put their name on. So we have to log it into our building, and secure it in a locked cabinet in a locked room.

  Just because it is paper doesn't mean you can lose track of it.
• Dashrender @Dashrender

  @Dashrender said:

  @BRRABill said:

  @Dashrender said:

  But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.

  Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.

  What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout, you can do anything you want with it.

  Does this mean we can't use it? Of course not; we have to believe that our staff is trustworthy, or we have to get rid of them. Scott's main point, at least as I saw it, was to simply make you aware of this situation, not to make you worried about it.
• Dashrender @BRRABill

  @BRRABill said:

  @Dashrender said:

  What if you don't put it in an envelope? What if you just take it home? What if you make a copy of it? Once you have that printout, you can do anything you want with it.

  If it is paper with PHI, it still has to be protected.

  For example, we have questionnaires where the respondent MIGHT put their name on. So we have to log it into our building, and secure it in a locked cabinet in a locked room.

  Just because it is paper doesn't mean you can lose track of it.

  You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.
• BRRABill @Dashrender

  @Dashrender said:

  You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.

  No, I'm not kidding. Not from my understanding of HIPAA.

  Maybe not tracking, but you can't just print a bunch of stuff and then leave it wherever. There has to be a process from the printing through the proper disposal, which yes includes very fine shredding.
• scottalanmiller @BRRABill

  @BRRABill said:

  @Dashrender said:

  But Scott's point is still valid. Once you print the paper the information is no longer secure. It can go anywhere, everywhere with no tracking.

  Not really. It is still trackable, and considered secure in the US Mail since it is a federal violation to tamper with that.

  It's also a federal crime to socially engineer someone to get access to their computers. Or to just hack in at all. But I don't think that holds up for not securing the data.
• scottalanmiller @BRRABill

  @BRRABill said:

  @Dashrender said:

  How is your copier HIPAA compliant? Because the drive is encrypted and requires a username/password to get into the drive? Sure, that makes it HIPAA compliant, but does not make it secure. If this was a high value target, someone could install a tap on the network connection and probably capture the prints in transit. I'm not aware of any printer that has a driver that uses SSL, though I'm sure there are some out there today.

  Here is a link to the brand we have.

  https://www.konicaminolta.eu/fileadmin/content/eu/Business_Solutions/Products/Security/PDF/SECURITY_WHITEPAPER.pdf

  Though I am pretty sure if your network is secured, encryption to the copier is not a big deal. It's more the hard drive in case it gets traded back in, as in the 1.7 million dollar fine I mentioned earlier for leaving PHI on copiers.

  We could say all of that about desktops, laptops, etc. I'd generally agree with you. But only insofar as a printer would need any and all protection that a laptop would. If you feel a laptop would need to be encrypted, then a printer surely would, since it would generally have many fewer protections and be way easier to steal in most cases.
• scottalanmiller @BRRABill

  @BRRABill said:

  @Dashrender said:

  You're kidding, right? Not lose track? We (and all of the hospitals we are part of) print countless things from EHRs, etc. Those prints never flow through any kind of tracking. 99% of the time they are printed, read and then simply put into a shred bin. Nothing stops someone from just taking things out of that bin and taking it home.

  No, I'm not kidding. Not from my understanding of HIPAA.

  Maybe not tracking, but you can't just print a bunch of stuff and then leave it wherever. There has to be a process from the printing through the proper disposal, which yes includes very fine shredding.

  Actually the shredding doesn't have to be fine or even destroy the data, sadly. Once you "moderately mangle it" it's considered enough effort. One of my big complaints about HIPAA: it's a scam and does nothing to protect against data leakage.
• BRRABill @scottalanmiller

  @scottalanmiller said:

  It's also a federal crime to socially engineer someone to get access to their computers. Or to just hack in at all. But I don't think that holds up for not securing the data.

  A majority of these breaches happen with theft and loss.

  HIPAA is all about reasonable protection, as you know. Dropping mail into a USPS box is a reasonable way of securing that data.

  Again, if you were sending top secret documents, you wouldn't do that. However, that is not what HIPAA is all about.
• BRRABill @scottalanmiller

  @scottalanmiller said:

  Actually the shredding doesn't have to be fine or even destroy the data, sadly. Once you "moderately mangle it" it's considered enough effort. One of my big complaints about HIPAA: it's a scam and does nothing to protect against data leakage.

  By fine I meant cross-cut. It can't be "easily put back together" in any way.

  I agree. Total scam.

  Healthcare companies that have actual important data to protect, yet aren't under the HIPAA umbrella, I have found generally have WAAAAAAAAAAAAAY better security.
• scottalanmiller @BRRABill

  @BRRABill said:

  HIPAA is all about reasonable protection, as you know. Dropping mail into a USPS box is a reasonable way of securing that data.

  No, it is not at all. Not in the least. No security professional would ever accept that as secure in the slightest or call that any attempt at security. That's where HIPAA is a joke and a scam. That's laughable. That's so insecure that there is almost nothing in the world less secure short of putting the data onto a billboard.

  This alone proves that HIPAA has no purpose but to collect revenue. There is no condition under which anyone can honestly call putting something out in the open "reasonably secure." It is the very definition of having taken "zero effort."

  Likewise HIPAA often allows unencrypted, unsecured phone and fax communications. All three of what we consider the most insecure ways to communicate - all just fine under HIPAA.

  That's why HIPAA auditors and security people never overlap. They have no place together.
• scottalanmiller @BRRABill

  @BRRABill said:

  Healthcare companies that have actual important data to protect, yet aren't under the HIPAA umbrella, I have found generally have WAAAAAAAAAAAAAY better security.

  Absolutely, HIPAA actively undermines security by providing excuses for not needing what the industry considers reasonable baselines.
• scottalanmiller @BRRABill

  @BRRABill said:

  Again, if you were sending top secret documents, you wouldn't do that. However, that is not what HIPAA is all about.

  HIPAA is literally allowing lower security than we use for sending little kids' birthday money!
• BRRABill @scottalanmiller

  @scottalanmiller said:

  No, it is not at all. Not in the least. No security professional would ever accept that as secure in the slightest or call that any attempt at security. That's where HIPAA is a joke and a scam. That's laughable. That's so insecure that there is almost nothing in the world less secure short of putting the data onto a billboard.

  This alone proves that HIPAA has no purpose but to collect revenue. There is no condition under which anyone can honestly call putting something out in the open "reasonably secure." It is the very definition of having taken "zero effort."

  Likewise HIPAA often allows unencrypted, unsecured phone and fax communications. All three of what we consider the most insecure ways to communicate - all just fine under HIPAA.

  That's why HIPAA auditors and security people never overlap. They have no place together.

  I think you missed my point.

  The guidelines state the security only has to be reasonable. I'm not saying in any way it has to be good.

  For example, what is reasonable for a 1 person shop and a healthcare conglomerate, DEALING WITH THE SAME PHI (emphasized to point out the stupidity, not arguing with you!! 🙂 ) are totally different.
• scottalanmiller @BRRABill

  @BRRABill said:

  I think you missed my point.

  The guidelines state the security only has to be reasonable. I'm not saying in any way it has to be good.

  I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, of what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.
• scottalanmiller @BRRABill

  @BRRABill said:

  For example, what is reasonable for a 1 person shop and a healthcare conglomerate, DEALING WITH THE SAME PHI (emphasized to point out the stupidity, not arguing with you!! 🙂 ) are totally different.

  Agreed, a one person shop can easily outsecure a big one with nearly zero effort.

  But in neither case is using public mail, unsecured phones or faxing in any way reasonable to claim that security was not completely bypassed.
• BRRABill @scottalanmiller

  @scottalanmiller said:

  I did not miss it. My point was that this wasn't, in any way, reasonable. It's the very definition, to anyone outside of HIPAA, of what isn't considered reasonable. If you were in an organization where someone said "we need to implement some super basic security because zero security isn't quite enough" we'd already be far and away past what HIPAA allows. It's at the "zero security" baseline and no more.

  I'm making the argument from the HIPAA side. I'm not saying I agree with it.
• scottalanmiller

  It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

  For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?
• BRRABill @scottalanmiller

  @scottalanmiller said:

  It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

  For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

  Can you encrypt paper?
• coliver @BRRABill

  @BRRABill said:

  @scottalanmiller said:

  It's important to remember that while HIPAA states "reasonable security" they mean nothing of the sort. They expect extreme security in some regards and less than zero in others. It's all random and logic doesn't play in too much.

  For example, does data need to be encrypted at rest? Does this include on paper? Does it include in the mail?

  Can you encrypt paper?

  Yes, they have been doing it since the time of the Romans, if not earlier.