Local Encryption ... Why Not?
-
@BRRABill said:
@Dashrender said:
The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.
Yes, but if you don't, you'd better have a good reason why not.
Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."
-
@BRRABill said:
I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.
I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?
-
@scottalanmiller said:
How does one prove that encryption was enabled and what kind it was after a device has been exposed? How do you prove the password was hard enough to guess but not in any way stored with the device?
In a facility like that (they are now over 1250 laptops with this, I saw in a difference article) it's all centrally monitored. Once the encryption is turned on, the users cannot turn it off. Same with me ... my single users cannot disable it.
HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.
-
@scottalanmiller said:
I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?
http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html
-
@BRRABill said:
HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.
You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?
-
@scottalanmiller said:
Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."
But here at ML we're always talking about educating the users.
Wouldn't it be an easier sell to have their staff enter a password upon reboot, then to have to totally change all their procedures to not store stuff on their laptops, which we also know they always do?
-
@scottalanmiller said:
You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?
No, the drive is not readable without the password. In fact, you can't even reformat the thing. It's useless.
If I pull the drive, the only way to access it in another machine is to install the ESC software, and unlock it with the username and password.
-
@BRRABill said:
Wouldn't it be an easier sell to have their staff enter a password upon reboot, then to have to totally change all their procedures to not store stuff on their laptops, which we also know they always do?
Plus, even though there are risks (there's that word again!!!) to doing so, you could enable Bitlocker, and install the password into the TPM. No need for the staff to ever enter it. The drive would then be useless to thief outside of the server.
-
@BRRABill said:
@scottalanmiller said:
I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?
http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html
I consider 30 minutes to crack pretty trivial.
(Apple pegs such cracking attempts at 5 1/2 years for a random 6-character password consisting of lowercase letters and numbers. PINs will obviously take much less time, sometimes as little as half an hour. Choose a good passphrase!)
-
@scottalanmiller said:
(Apple pegs such cracking attempts at 5 1/2 years for a random 6-character password consisting of lowercase letters and numbers. PINs will obviously take much less time, sometimes as little as half an hour. Choose a good passphrase!)
That's assuming you don't have your device set up to wipe after 10 attempts.
The article was demonstrating (I think?) that you cannot do anything to the drive if you pull it from the iPad or iPhone. Isn't that was we were wondering about?
-
@BRRABill said:
@scottalanmiller said:
Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."
But here at ML we're always talking about educating the users.
Wouldn't it be an easier sell to have their staff enter a password upon reboot, then to have to totally change all their procedures to not store stuff on their laptops, which we also know they always do?
I doubt it. Users are already used to not storing stuff on their laptops. Move to Chromebooks and they can't store stuff there. The NJ medical guy's personal opinion that he can't stop people storing stuff is just because he doesn't know how to manage his systems. Stopping local storage is not hard if you want to do it. It will happen automatically in a lot of cases. No one in my in laws store locally and I didn't even have to educate them. Just showed them new devices and they glommed onto the ease of use never realizing how they just became more protected and more secure.
-
@BRRABill said:
@scottalanmiller said:
You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?
No, the drive is not readable without the password. In fact, you can't even reformat the thing. It's useless.
If I pull the drive, the only way to access it in another machine is to install the ESC software, and unlock it with the username and password.
But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?
-
@BRRABill said:
@scottalanmiller said:
(Apple pegs such cracking attempts at 5 1/2 years for a random 6-character password consisting of lowercase letters and numbers. PINs will obviously take much less time, sometimes as little as half an hour. Choose a good passphrase!)
That's assuming you don't have your device set up to wipe after 10 attempts.
The article was demonstrating (I think?) that you cannot do anything to the drive if you pull it from the iPad or iPhone. Isn't that was we were wondering about?
That was, I thought, the time to decrypt after you pulled it from the device. That's your "uncrackable" time.
-
@scottalanmiller said:
But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?
The server is protected by a strong password. How are you going to get access to it?
-
@BRRABill said:
@scottalanmiller said:
But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?
The server is protected by a strong password. How are you going to get access to it?
We are talking about end user devices, right? Or servers too?
If we are talking about a server and assuming that it cannot be accessed, what is the purpose of the encryption?
-
@scottalanmiller said:
That was, I thought, the time to decrypt after you pulled it from the device. That's your "uncrackable" time.
I read that as you could not do any encryption without the device itself.
From Apple:
"The UID allows data to be cryptographically tied to a particular device. For example,
the key hierarchy protecting the file system includes the UID, so if the memory chips
are physically moved from one device to another, the files are inaccessible. The UID is
not related to any other identifier on the device." -
@scottalanmiller said:
We are talking about end user devices, right? Or servers too?
If we are talking about a server and assuming that it cannot be accessed, what is the purpose of the encryption?
Well, we could be talking about either.
End users devices I say should always be encrypted.
Devices we can lock down, I can see your argument a little bit more. In that it was behind three locked door with a security system.
But there are still ways around it. For example, our landlord has keys to every door in my office. THey might let a cledaning crew it, etc. etc., etc..
-
@BRRABill said:
Well, we could be talking about either.
Though like I think I said I agree 100% they are definitely different use cases here.
-
I read through that Apple security document. Man, is there a lot of stuff in there that they do. No wonder it costs so much!
-
@scottalanmiller said:
@BRRABill said:
@scottalanmiller said:
Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."Judge: Were you aware that sensitive data was on the machine?
Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
Judge: Oh, that's right. Thank you and have a nice day!That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?
Pretty sure the OCR has stated that it is not considered a breach when encrypted drives are lost.
