[Cryptography] another security vulnerability / travesty

Jon Callas jon at callas.org
Mon Oct 3 03:51:54 EDT 2016



> 
> 2) The odd thing is that they consider _fax_ to be HIPAA compliant.  That
> seems quaint, like using an amulet to ward off disease.

It's less odd than you'd think. 

HIPAA is the Health Insurance Portability and Accountability Act. Note that it's "insurance" and "portability," not what many people think, "information privacy." There are privacy parts of HIPAA, but it's a system to make electronic records work first. That implies security, but it isn't *about* security.

At PGP, we were fortunate to have Dr. Bill Braithwaite, who's sometimes called "the father of HIPAA," on our advisory board, and I spent a lot of time talking to him about HIPAA and what it all means for security.

He explained that the purpose of HIPAA is to solve the insurance and health record problem. Before he started, there were literally hundreds of different forms across different insurance organizations, and also the spectrum of health care organizations in size and sophistication. You have huge organizations like Kaiser and Cerner at the top, all the way to the thousands of small practices that include dentist offices. These small practices are essentially small family businesses of four to six people where the IT person probably has graduated high school, but you can't count on that. So the rules have to be squishy enough to handle that wide disparity of sophistication.

A provider can essentially opt out of HIPAA by not doing portable records. That's exactly what the case you mention is. By using a fax machine and paper forms, they're more *exempt* from HIPAA than compliant, kinda the way that if you're walking along a road, you don't need headlights and turn signals. It's not using an amulet, it's saying "non serviam" to HIPAA.

Part of the challenge of it has been to make it worth people's while to go electronic, because too stringent interpretations that make it easier and cheaper for an organization to do things the old way help no one. Today that's not really an issue, but it was in early HIPAA days. 

I did a bit of searching, because Braithwaite is really good at talking about the subtleties of the situation. I found this testimony he gave to Congress in 2005:

<http://www.ncvhs.hhs.gov/meeting-calendar/agenda-of-the-august-16-17-2005-ncvhs-subcommittee-on-privacy-and-confidentiality-hearing/testimony-by-bill-braithwaite-for-the-august-17-2005-ncvhs-subcommittee-on-privacy-and-confidentiality-hearing/>

But here's an important paragraph that sums up the huge problem:

   HIPAA also instituted severe criminal penalties to deter individuals from
   making knowing decisions to violate a patient's privacy for their own
   purposes or gain.  The fear that resulted in the healthcare industry made
   people pay great attention to the Privacy Rule and probably led some in the
   industry to take steps that are more conservative than intended.  For
   example, I often hear from frustrated providers who asked a hospital for a
   copy of the records on a patient that they were seeing in the emergency room
   and who were met with a 'stone wall' denying them access to the record
   without a signed release from the patient "as required by HIPAA!"  The HIPAA
   Privacy Rule has made it very clear that HIPAA does not impose any such
   requirement or restriction on a provider's ability to share or get
   information on a patient for treatment purposes.  There is much education
   still to do in this area.
   
And there's the point -- doxing, LOVEINT, using health records to tailor advertising and many other things ought to be illegal. On the other hand, as he says in the above paragraph, treatment demands that someone be able to get patient records because they happen to be the attending caregiver by fate and circumstance.

This isn't a problem cryptography can solve. The solution to that problem likely uses a bunch of cryptography, but it's not a crypto problem.

The HIPAA problem, though, is making health care use sophisticated computer technology. That implies controls. Those controls imply crypto among other things. Far fewer people are opting out by using faxes of forms now than they were. My dentist has an office system that has all the HIPAA stuff built into their practice, and that package they bought does all the right stuff for them. That's how it should be, and more and more it is. I can understand that someone who has been doing a small practice for the last two to four decades might want to just do it the way they've always done it. I don't agree, but I understand.

	Jon



