Educause Security Discussion mailing list archives

Re: HIPAA Requires Encryption?


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Thu, 26 Aug 2010 22:17:48 -0600

Dear Mike,

Yours is a very logical approach and I cannot disagree with you technically;
however, the regulatory environment has factors which often drive a
decision.  When it comes to sensitive personal information such as what we
deal with in HIPAA, there is always the issue of liability and its
attractive effects on attorneys.  In that light, some things are simply
expected and when they are not there, the organization's liability based on
perception increases significantly.  Explaining to a jury why technically
encryption is not necessary takes time and exposes any technical argument to
a counter technical argument.  In the end, the jury may well throw up its
hands and cancel the experts out, which leaves the attorney with the simple
question of "How could they justify leaving this data unencrypted just to
save a few dollars?"  or "Everyone knows that encryption protects privacy
and yet they did not care enough to spend a few dollars more to protect my
clients' most private information?"  Anyway, my two cents worth is that it
is just not worth the risk because encryption has become a kind of expected
elixir, which, whether effective or not, affects overall risks and
liabilities - 

Great points in your e-mail though - 

Ozzie

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Thursday, August 26, 2010 9:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

 

Doesn't the question of "should we encrypt" vs "do we have to encrypt" with
ANY kind of data, (HIPAA, or any other) also depend on the state of the
data?  Is the data "at rest" and other protections are already in
place?.....or is the data "in transit" and open? (i.e., being e-mailed or
copied across WAN links?).....or is the data "in use", and still protected
because there's an authorized user monitoring the screen...??

 

I used to deal with highly sensitive data and for us, it always came down to
"....it depends...".  Policy always had to come down to the circumstances
behind the how, why, where, and when associated with the use of the
data....trying to adhere to a "one policy fits all" situation was a losing
proposition....

 

Just my $.02.....

 

M

 

  _____  

From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez
[ozpaez () SPRYNET COM]
Sent: Thursday, August 26, 2010 9:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

Hey Matthew,

HIPAA does not require it, but any reasonable cost estimate will show that
it is worth it.  The risks and costs of dealing with unencrypted lost data
are so much higher that it is a risk not worth taking, particularly if you
already have the infrastructure in place.  Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?

 

Very recently, I inherited the job of focusing information security efforts.
In the process of upgrading a SQL server, a question has arisen regarding
the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the
server and the backup media.  It does come at some additional cost, though
it's manageable.  Before proceeding, however, I thought I'd ask if anyone
has suggestions. 

 

Thanks, 

--Matthew Link. 

  Director, User Services 

  Information Services, UCM 

  660-543-8063 

  link () ucmo edu 


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is 
believed to be clean. 
