[Cryptography] FTC sues for crappy crypto

Sean Lynch seanl at literati.org
Fri Jan 8 14:00:50 EST 2016


On Fri, Jan 8, 2016 at 10:49 AM Thierry Moreau <thierry.moreau at connotech.com>
wrote:

> From the original post:
> "security protections in compliance with HIPAA rules"
> which would (indirectly?) mandate effective data protection (... whether
> this extends to proper key management procedures is another story ...).
>
> The US health sector is governed by HIPAA for privacy of medical
> records. With the battle between lawyers and insurance companies (for
> clinicians' error liability coverage) in the private-organization-centric
> US health care system, I would suspect the HIPAA rules are implemented
> with some dedication.
>

I thought I'd seen mention of HIPAA but then couldn't find it again. But
the complaint says "If dentists were aware that Dentrix G5 used a form of
data protection that was more vulnerable than widely-used, industry
standard encryption algorithms, they *may* have chosen to purchase another
product." (Emphasis mine.) Which leads me to believe that using this
product does NOT violate HIPAA, or I imagine they would have used different
phrasing. Unless what you're saying is that HIPAA gives leeway in how
providers protect data and that dentists would potentially be exposed to
additional liability because of using Dentrix G5, and thus dentists WOULD
care about "data camouflage" versus "encryption," but I kinda doubt that
most dentists are even capable of distinguishing between those terms.
Certification by some private third party recognized by their data-theft
insurance carrier would make more sense.