Local Encryption ... Why Not?

BRRABill

@scottalanmiller said:

Goal: Print Labels

Solution: Pull data from the service to print labels. Why do you need all data pulled down locally to do that? If I am using an application like Spiceworks I don't need to do that. If I am using excel I don't need to do that. Sure, some apps don't work well for this, but that is what we are potentially looking to address, right?

We happen to use Sharefile for Healthcare for our PHI transfer.

I'd have to get the file from there to Excel somehow.

BRRABill

@Dashrender said:

Well, if you are working with something like O365 and ODfB and SharePoint, you don't download it in the traditional sense. it's downloaded to your application where you do what you need.. when you close it.. the temp files are deleted by default and the file is saved back to the cloud where you go it, all automagically.

Are we sure about that?

And if we were ever brought before a judge, are we sure "O365 said it deleted my files when i was done" is a better response than "My entire drive is encrypted"?

scottalanmiller

@Dashrender said:

@BRRABill said:

In your "all on the cloud" example...

Let's say a covered entity transfers a file of mailing addresses (PHI, obviously) to me. It stored on a HIPAA-compliant cloud service, so no issues there. I want to bring down the file to locally make labels and print on my machine.

How does this work? I assume you'd download it, do your work, and then delete all instances?

I guess in this scenario, I could use a product like "Deep Freeze" so there is NEVER any data on there. But that is a very limited case.

Well, if you are working with something like O365 and ODfB and SharePoint, you don't download it in the traditional sense. it's downloaded to your application where you do what you need.. when you close it.. the temp files are deleted by default and the file is saved back to the cloud where you go it, all automagically.

And if it was important, in theory the app could be encrypting any local data too. Not saying that apps are doing that today, but no reason that they would not.

scottalanmiller

@BRRABill said:

@Dashrender said:

Well, if you are working with something like O365 and ODfB and SharePoint, you don't download it in the traditional sense. it's downloaded to your application where you do what you need.. when you close it.. the temp files are deleted by default and the file is saved back to the cloud where you go it, all automagically.

Are we sure about that?

And if we were ever brought before a judge, are we sure "O365 said it deleted my files when i was done" is a better response than "My entire drive is encrypted"?

Much better, because one is your responsibility and one is not

scottalanmiller

Remember HIPAA is about one thing and one thing only: covering your ass. It is not about actual security, it is not about specific tasks. It is all about doing things to cover your and your company's collective butts. Being more secure but carrying liability is very foolish compared to being less secure and shedding responsibility.

scottalanmiller

@BRRABill said:

@scottalanmiller said:

Goal: Print Labels

Solution: Pull data from the service to print labels. Why do you need all data pulled down locally to do that? If I am using an application like Spiceworks I don't need to do that. If I am using excel I don't need to do that. Sure, some apps don't work well for this, but that is what we are potentially looking to address, right?

We happen to use Sharefile for Healthcare for our PHI transfer.

I'd have to get the file from there to Excel somehow.

Well then consider switching to more practical applications that help to meet HIPAA and PHI security needs.

scottalanmiller

@BRRABill said:

But it also nice to know if the device gets lost/stolen, the data is probably safe.

Are you sure?

Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."

scottalanmiller

@BRRABill said:

We had an employee who lost their iPad. But we set them to erase after 10 tries. So while there is some chance that another person who found the iPad could have guessed their passcode (hoping it wasn't 1234), but the odds are the iPad got erased. The chance drops even more if they use a real password. Which of course they will hate, so there's that tradeoff.

You are assuming that this is someone after the hardware, not the data. If someone was after the data, they would disassemble the iPad and your data is probably compromised.

BRRABill

@scottalanmiller said:

You are assuming that this is someone after the hardware, not the data. If someone was after the data, they would disassemble the iPad and your data is probably compromised.

We were discussing that the other day. If the data on the drive itself in encrypted.

Did we ever come to a conclusion?

scottalanmiller

@BRRABill said:

@scottalanmiller said:

You are assuming that this is someone after the hardware, not the data. If someone was after the data, they would disassemble the iPad and your data is probably compromised.

We were discussing that the other day. If the data on the drive itself in encrypted.

Did we ever come to a conclusion?

I am assuming that it is encrypted.

Dashrender

@scottalanmiller said:

@BRRABill said:

But it also nice to know if the device gets lost/stolen, the data is probably safe.

Are you sure?

Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."

This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.

BRRABill

@scottalanmiller said:

Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."

Judge: Were you aware that sensitive data was on the machine?
Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
Judge: Oh, that's right. Thank you and have a nice day!

BRRABill

@scottalanmiller said:

@BRRABill said:

We were discussing that the other day. If the data on the drive itself in encrypted.

Did we ever come to a conclusion?

I am assuming that it is encrypted.

Then pulling the drive wouldn't help them, right?

BRRABill

@Dashrender said:

This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.

My theoretical conversation is much better. LOL.

BRRABill

Here is an article from a very large healthcare organization in NJ.

http://www.inforisktoday.com/interviews/shifting-to-hardware-based-encryption-i-987/op-1

Some key points:

• they are doing this on 800 laptops
• he mentions about not having to report breaches on drives with encryption if they can demonstrate there is no exposure or potential exposure
• he says there is no way to guarantee users are not putting PHI on the laptops

I know in a previous thread it was stated that this is technically data theft, but that still doesn't protect them if a laptop is stolen and they can't without a doubt prove there is no PHI on it.

This goes back to my original question. Instead of trying to force the hand of people to store stuff in the cloud, or not download PHI, or any of those things ... why not just force them to use complex passwords and encrypt the laptop?

BRRABill

My other question remains:

You have a doctor with a small practice. He comes to you, fresh off a seminar where he was told all his data at rest needs to be encrypted, and wants you to do that.

Are you saying you'd tell him you don't recommend it?

In the "judge" scenario how could that be anything but negligence? We know it is required as IT people. (Unless you want to argue that PHI doesn't need to be encrypted at rest. Is that a gray area of HIPAA? (Of which I agree the whole thing is a non-checkbox grey area.)) The doctor has been informed. How could either of you answer anything but you know it should have been?

Dashrender

The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.

BRRABill

@Dashrender said:

The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.

Yes, but if you don't, you'd better have a good reason why not.

"Because the staff didn't want to use passwords" is not going to cut it, I don't think!

This is a good blurb that kind of backs my feelings on this:
You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so. I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct. Is that an argument you want to be making in the face of hefty fines? Not me… and that’s why I have convinced myself that encryption is required by HIPAA.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@BRRABill said:

But it also nice to know if the device gets lost/stolen, the data is probably safe.

Are you sure?

Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."

This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.

Someone might make it. It's a stretch, but it's a real concern. Are we enabling risky behaviour? Why?

scottalanmiller

@BRRABill said:

@scottalanmiller said:

Judge: "If the system was secure, why was it encrypted?"
You: "Just in case our users started storing data locally."
Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
You: "Ummm... but I didn't tell them to put it there."

Judge: Were you aware that sensitive data was on the machine?
Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
Judge: Oh, that's right. Thank you and have a nice day!

That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?