[Cryptography] another security vulnerability / travesty

John Denker jsd at av8n.com
Fri Sep 30 16:35:29 EDT 2016


Simple question:  Suppose your aunt wanted to submit some medical documents
to a clinic on the far side of town.  Short of hand-carrying the documents,
what would you recommend?

Consider the contrast:

1) In the US, most physicians will not accept email, on the grounds that
 it provides insufficient privacy, and is therefore not HIPAA compliant.
 I reckon that's true as far as it goes.  One could imagine using PGP
 on top of Tor, but it's hard to imagine trusting typical patients to
 do that that properly.

2) The odd thing is that they consider _fax_ to be HIPAA compliant.  That
 seems quaint, like using an amulet to ward off disease.

 The latest version of this is to download the form, fill it out, and
 fax it back to the provider.  There's a lot of this, e.g.
   https://www.walgreens.com/topic/healthcare-clinic/patient-resources-and-forms.jsp

 2a) Most people don't have fax machines, and even if they had the hardware
  they wouldn't be able to use it because they rely on cell phones and don't
  have a POTS line.  So at best they have to use somebody else's fax machine.

 2b) Even when using a plain old fax machine, the idea that the signal
  would be hard to intercept in transit is quaint, to say the least.

 2c) Some customers have the bright idea of emailing the document to a
  fax-gateway service.  Then they have the worst of all worlds, including
  the insecurity of email on top of everything else.
    https://www.efax.com/how-it-works/send-a-fax-by-email

 2d) One could imagine uploading forms via SSL.  I've seen examples
  of this:
     https://web.health.arizona.edu/cgi-bin/secure/immunform

  However, I'm not sure I would trust a typical private-practice office
  to run a secure server properly.  Furthermore I don't trust the
  current Narrenschiff of root CAs.

 2e) There's also the risk that the data could be snatched while at
  rest at the destination, but that's a topic for another day.

HIPAA is not the only game in town.  There are analogous regulations that
apply to the banking industry.  Some bankers find the regulations to be
impossibly onerous, so they tell customers to send documents to a personal
gmail account, and then cut-and-paste from there into the bank systems.

IMHO we ought to take this seriously.  Based on the Snowden documents, the
OPM hack, the DNC hack, and a boatload of other evidence, it should be clear
that the advanced persistent threats are very advanced and very persistent.
If I worked for a local AIDS clinic, or a family planning clinic, or the
local office of a political party, or a high-tech startup company, I would
assume that I was under constant attack.  No tinfoil hat is required.

Cyber warfare has already begun, and we're losing the war.