ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BRRABillB
      BRRABill @scottalanmiller
      last edited by

      @scottalanmiller said:

      @BRRABill said:

      We were discussing that the other day. If the data on the drive itself in encrypted.

      Did we ever come to a conclusion?

      I am assuming that it is encrypted.

      Then pulling the drive wouldn't help them, right?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • BRRABillB
        BRRABill @Dashrender
        last edited by BRRABill

        @Dashrender said:

        This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.

        My theoretical conversation is much better. LOL.

        1 Reply Last reply Reply Quote 0
        • BRRABillB
          BRRABill
          last edited by

          Here is an article from a very large healthcare organization in NJ.

          http://www.inforisktoday.com/interviews/shifting-to-hardware-based-encryption-i-987/op-1

          Some key points:

          • they are doing this on 800 laptops
          • he mentions about not having to report breaches on drives with encryption if they can demonstrate there is no exposure or potential exposure
          • he says there is no way to guarantee users are not putting PHI on the laptops

          I know in a previous thread it was stated that this is technically data theft, but that still doesn't protect them if a laptop is stolen and they can't without a doubt prove there is no PHI on it.

          This goes back to my original question. Instead of trying to force the hand of people to store stuff in the cloud, or not download PHI, or any of those things ... why not just force them to use complex passwords and encrypt the laptop?

          scottalanmillerS 2 Replies Last reply Reply Quote 0
          • BRRABillB
            BRRABill
            last edited by

            My other question remains:

            You have a doctor with a small practice. He comes to you, fresh off a seminar where he was told all his data at rest needs to be encrypted, and wants you to do that.

            Are you saying you'd tell him you don't recommend it?

            In the "judge" scenario how could that be anything but negligence? We know it is required as IT people. (Unless you want to argue that PHI doesn't need to be encrypted at rest. Is that a gray area of HIPAA? (Of which I agree the whole thing is a non-checkbox grey area.)) The doctor has been informed. How could either of you answer anything but you know it should have been?

            1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender
              last edited by Dashrender

              The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.

              BRRABillB 1 Reply Last reply Reply Quote 1
              • BRRABillB
                BRRABill @Dashrender
                last edited by

                @Dashrender said:

                The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.

                Yes, but if you don't, you'd better have a good reason why not.

                "Because the staff didn't want to use passwords" is not going to cut it, I don't think! 🙂

                This is a good blurb that kind of backs my feelings on this:
                You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so. I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct. Is that an argument you want to be making in the face of hefty fines? Not me… and that’s why I have convinced myself that encryption is required by HIPAA.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said:

                  @scottalanmiller said:

                  @BRRABill said:

                  But it also nice to know if the device gets lost/stolen, the data is probably safe.

                  Are you sure?

                  Judge: "If the system was secure, why was it encrypted?"
                  You: "Just in case our users started storing data locally."
                  Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
                  You: "Ummm... but I didn't tell them to put it there."

                  This seems like a stretch of a conversation... one that even the attorney on the other side might not make, let alone a judge who isn't into technology.

                  Someone might make it. It's a stretch, but it's a real concern. Are we enabling risky behaviour? Why?

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @BRRABill
                    last edited by

                    @BRRABill said:

                    @scottalanmiller said:

                    Judge: "If the system was secure, why was it encrypted?"
                    You: "Just in case our users started storing data locally."
                    Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
                    You: "Ummm... but I didn't tell them to put it there."

                    Judge: Were you aware that sensitive data was on the machine?
                    Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
                    Judge: Oh, that's right. Thank you and have a nice day!

                    That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?

                    BRRABillB DashrenderD 2 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @BRRABill
                      last edited by

                      @BRRABill said:

                      @scottalanmiller said:

                      @BRRABill said:

                      We were discussing that the other day. If the data on the drive itself in encrypted.

                      Did we ever come to a conclusion?

                      I am assuming that it is encrypted.

                      Then pulling the drive wouldn't help them, right?

                      Of course it would. Encryption doesn't stop access, it just slows it down. In the case of assumed 10K maximum passwords, it slows it down by only a few seconds.

                      BRRABillB 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @BRRABill
                        last edited by

                        @BRRABill said:

                        • he mentions about not having to report breaches on drives with encryption if they can demonstrate there is no exposure or potential exposure

                        If he can demonstrate that there was no exposure then there is no breach. Problem is... that cannot ever be demonstrated. So that's just misdirection and moot. Has nothing to do with the situation. Encryption does not prevent exposure so no need to discuss theoretical cases that can't happen.

                        1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?

                          You'll also see it mentioned int he article I attached.

                          Because they consider 256-bit encryption (was told only 256 bit qualifies as the "golden ticket", not 128 bit) uncrackable, ever.

                          You prove
                          a) you require strong complex passwords and
                          b) you required this password to unlock the encryption and
                          c) the encryption was enabled

                          And that's all she wrote. Otherwise you are going on the HHS wall of shame!

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @BRRABill
                            last edited by

                            @BRRABill said:

                            • he says there is no way to guarantee users are not putting PHI on the laptops

                            No way to ensure that they are not handing out the encryption passwords either. What's the point in that statement?

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @BRRABill
                              last edited by

                              @BRRABill said:

                              You prove
                              a) you require strong complex passwords and
                              b) you required this password to unlock the encryption and
                              c) the encryption was enabled

                              This still relies on a judge's opinion, there is no hard ruling. It's also a moving target. Complex passwords are also the weak ones, that alone violates extremely basic security practices and should get facilities in trouble for not meeting basic, easy standards.

                              How does one prove that encryption was enabled and what kind it was after a device has been exposed? How do you prove the password was hard enough to guess but not in any way stored with the device?

                              BRRABillB 1 Reply Last reply Reply Quote 0
                              • BRRABillB
                                BRRABill @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                Of course it would. Encryption doesn't stop access, it just slows it down. In the case of assumed 10K maximum passwords, it slows it down by only a few seconds.

                                I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @BRRABill
                                  last edited by

                                  @BRRABill said:

                                  @Dashrender said:

                                  The law does not require PHI to be encrypted at rest.... only highly recommended by the OCR, not the law.

                                  Yes, but if you don't, you'd better have a good reason why not.

                                  Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."

                                  BRRABillB 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @BRRABill
                                    last edited by

                                    @BRRABill said:

                                    I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.

                                    I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?

                                    BRRABillB DashrenderD 2 Replies Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @scottalanmiller
                                      last edited by

                                      @scottalanmiller said:

                                      How does one prove that encryption was enabled and what kind it was after a device has been exposed? How do you prove the password was hard enough to guess but not in any way stored with the device?

                                      In a facility like that (they are now over 1250 laptops with this, I saw in a difference article) it's all centrally monitored. Once the encryption is turned on, the users cannot turn it off. Same with me ... my single users cannot disable it.

                                      HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill @scottalanmiller
                                        last edited by

                                        @scottalanmiller said:

                                        I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?

                                        http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          HIPAA is all about process. The process is to encrypt the drive before the user gets it. There is thus no way to turn off the encryption.

                                          You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?

                                          BRRABillB 1 Reply Last reply Reply Quote 0
                                          • BRRABillB
                                            BRRABill @scottalanmiller
                                            last edited by

                                            @scottalanmiller said:

                                            Good luck getting a doctor to do that. Literally have never met a doctor or medical "professional" that would be willing to do anything like this. The discussions around here talk about what doctors won't do all of the time. Implementing things that they work around (putting passwords on the device or in the bag) are the same as not doing them at all. I'd rather show that I went beyond the level of security required rather than putting data at risk to do what "seemed likely to trick the judge."

                                            But here at ML we're always talking about educating the users.

                                            Wouldn't it be an easier sell to have their staff enter a password upon reboot, then to have to totally change all their procedures to not store stuff on their laptops, which we also know they always do?

                                            BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 14
                                            • 15
                                            • 16
                                            • 17
                                            • 18
                                            • 18 / 18
                                            • First post
                                              Last post