Sunday, November 1, 2009

Breach Notification Rule - Encryption Key (Miaoulis Writes)

Original Content - Posted by Bill Miaoulis.

The recent guidance on the HITECH breach notification may make encryption more difficult for the organization. Specifically the guidance says that authentication (passwords, etc.) do not provide protection from breach notification and does not qualify to make data indecipherable (see the HHS comments below). This writer agrees that for unencrypted laptops a password is not enough, but what about for encrypted laptops? Is a password enough? Are organizations required to implement two factor authentication, plus encryption to truly be secure?

The guidance also specifically states that the encryption key must be maintained separately from the encrypted data. This may indicate that if you encrypt a laptop, the key to decrypt must reside on a devices such as a thumb drive or central server. Obviously when creating encryption, the rescue key or escrow key should be maintained separately, but the laptop also contains a key to encrypt and decrypt. Assuming this is what the rule is referreing to, then installing encryption protected by a password may be enought to make data protected and not subject to breach notifiction

For data at rest (laptops, Thumbdrives), this creates numerous questions about implementation. For laptops is it enough to keep the escrowed key (rescure/recovery disk) separate from the laptop? Is that what they rule is referring to? However, for databases and backup tapes the keys can be maintained separately.

There is another way to look at the rules. That the two statements are different and do not apply at the same time. The first saying that a password to protect a laptop is not enough and I agree with that. But that an organization using a password (That is not stored on the device) is a confidential process and would offer protection. In other words; a confidential process includes the use of authentication (a password). The guidance can be more easily applied if it is determined that this is adequate. In my opinion, additional guidance is needed from HHS. Organizations should review this rule and determine their own best course of action. Organizations can still comment on this rule and impact the guidance.

The published rule can be found here http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

From the Comments Section: While we believe access controls may render information inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required. Therefore, we have not included access controls in the guidance; however, we do emphasize the benefit of strong access controls, which may function to prevent breaches of unsecured protected health information from occurring in the first place.

The actual guidance (see page 4 from the published rule, which reprints the guidance): (a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’’ and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.

Organizations need to make their own decisions, this should not be viewed as providing any legal advise.

No comments: