HIPAA or Giraffe?

            When we (in the INFOSEC community) think of HIPAA, we usually think of the security implications and requirements. That’s our perspective, and what’s important to us, as practitioners. The law, on the other hand, has very little to with security-- most of the security-related content is wedged into the law’s Section 264, which basically tasks the head of the US Health and Human Services Administration to go figure out what protections should be put on medical information for individual patients. When the law is copied from the Web to MSWord, Section 264 comes to about a page of text, while the entire law is 178 pages.

You can find it here:

https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm

 

            The weird thing, from where I sit, is that this law, which is purported to enhance the security of patient data, does pretty much the opposite. The law encourages (just short of a mandate) putting all American medical data into an electronic format, according to a template that the law also tasks the federal government with creating. My question: what is more secure-- paper records or electronic records?

 

            - Paper records can be stolen, modified, or destroyed, assuming an attacker gain get physical access to them. Major or minor disasters, such as fire and flood, could likewise destroy/damage physical records. However, copying these records, or modifying them in a quasi-undetectable way, is a cumbersome, time-consuming process: the attacker would have to capture the data with the use of a device (a camera or photocopier), usually page-by-page, and typically with a light source present. Even stealing paper records is somewhat difficult: paper files are fairly heavy, and quite unwieldy...stealing the records of, say, 1,000 patients (if each record is 100 pages long, which is actually a fairly small patient record), would be impossible for a single attacker, without using a tool like a forklift or handcart, and making several trips between where the records are stored and where the attacker wants to transport them (say, a vehicle).

 

            - Electronic records are easy to steal in bulk: a file or a thousand files or a million files can be moved, erased, copied without much difference in effort (granted, there may be a considerable difference in the time required to copy a million files and a single file, but compared to the time it would take to copy a million hardcopy files, this duration is negligible). Modifying a single file, or a hundred files, or a thousand, through the use of an automated script, in an otherwise-undetectable manner, would be much easier than trying to physically change a paper record. And electronic theft/destruction/modification can be done remotely: the attacker never needs to have physical access to the data in order to harm it. Electronic media (drives, tapes, etc.) are still susceptible to physical disasters like fire and flooding.

 

            With that said, an electronic record can be duplicated easily for archival (the same quality that makes it easy to steal also makes it easy to make backups in order to multiple copies that might be stored in different locations, and thus survive a disaster). An electronic record can be readily encrypted/decrypted by the owner; this would be just about impossible to do with paper records, in any reasonable way. And electronic data store, and each individual file, can be subject to logging and monitoring in a way that is impossible for hardcopy: a piece of paper cannot tell its owner how many eyeballs have seen it.

 

            I’m not really sure the answer to every security issue is “put it on a computer.” Conversely, I’m not a Luddite, either: I don’t think we should stick to archaic modes of data processing and communication just to avoid security issues.

            However, I think this law is a perfect example of how attempting to codify security through a given practice/measure can, instead, harm that very same goal. I don’t think there was much of a market for ransoming patient data before HIPAA, and I don’t think hospitals and doctors had much of an IT security budget before data was converted to electronic form (which, again, is not always the best policy: the 414s hacking crew demonstrated all the way back in the 1980s that medical equipment/services could be harmed remotely). But there are also unintended consequences of efforts such as the HIPAA legislation; one of these is that the cost of medical care in the United States continues to escalate, and the cost of compliance for laws such as this make it harder for new, innovative, small providers to enter the market and compete.

            So was this law useful for patients? Or did it harm them -from both a security perspective and access to healthcare- overall?

            I don’t have much info about it. Glad to hear whatever anyone else has to contribute, in the comments or in private messages.

 

 

 

 

 

 

 

 

 

Sharp Security

In the US, possession of a switchblade is a federal offense, but butterfly knives are as legal as rye bread.

In Germany, it’s just the opposite. About switchblades and butterfly knives, I mean— bread’s not illegal there, as far as I know.

Funny thing: neither place, far as I can tell, suffers from crime waves using either instrument.

I am sure someone smarter than me could figure out some sort of meaning in this.

Screaming Mad At Social Media

Evidently, there are many people who are upset that social media sites (particularly Facebook) are able to access data that people give to them.

Yeah...read that a couple times, if it's puzzling. I am perplexed, too. It's as if those people are shocked that charities they donate to get to keep/sell the stuff that is donated.

The weirdest thing (in my opinion) is that the people most troubled by this astounding revelation are the very same people who constantly, willingly, submit information and open their online data stores to quiz apps that answer such profound questions as, "What sort of crustacaen am I???"

Luckily, for those people who are mad at FB and other social media sites, there is now a way to hurt them, legally. As of yesterday, all you have to do is copy and paste this text, over and over, into your feed (and the feeds of everyone you know on the target site(s)):

"I am willing to trade sexual favors for almost any amount of money. This site is hereby in violation of FOSTA for allowing me to post this."

Of course, I am worried that my blog is now in violation. Let's find out.

 

I Can't Believe This Just Occurred To Me...

...who gets your digital library when you're dead?

If I have tangible creative works, like hardcopy books, CDs, and yes, even vinyl albums, then I can give them to my heirs/assignees.

Can I do that with my Amazon video library? My iTunes music library? Any of the various ebooks I have floating around in the ether?

I have never read the entire ToS for any of these systems/vendors...so I don't recall if it was mentioned. Does anyone know? Please feel free to explain, in the Comments.

If we don't get a definitive answer in a couple weeks, I'll interview someone who might actually know (like an intellecutal property attorney), and post the results here.

But I am now fascinated by this topic.