[FDE] Of course FDE is not sufficient...
Allen
netsecurity at sound-by-design.com
Sat Sep 1 13:09:04 MDT 2007
Hi Patrick,
Thanks for your comments, but please remember I'm just a minion
in this mess so I'm not in trouble, rather it is the south ends
of the jackasses headed north who allow this to happen and the
advisors, legal and otherwise, who tell them it is okay to do this.
I've complained and talked with others who agree with you and me;
the response is that the doctors are "gods" who cannot be forced
to do what is right.
My main point in bringing this to the table here is that FDE is
only a mechanism that is implemented by very fallible humans who
will bend under the pressure of losing their jobs and being
blacklisted from the industry. Contrary to what many may think,
recruiters and others in HR have many ways of covertly
cooperating with each other to weed out those who disturb the
waters. I once read a masterful description of how this is done
in academia when someone is applying for a post-doc position. I
wish I could remember where I saw it. In any case, the basics
involve damning with faint praise. Anyone attuned to innuendo can
see it immediately and acts according to their interpretation of
the tone of the letter of recommendation. It almost never can be
proven but many of us agree it exists.
So, back to the basics, when we look at FDE we need to keep in
mind the human element because, at least I believe it to be so,
we are attempting to make all of us safer from attack against or
misuse of our private data. We may well disagree about the best
mechanisms but we are united in our goals.
I'm at my wits' end coming up with strategies, given that there
are few, if any, safe harbors for whistle-blowers these days. How
would you suggest this be addressed?
Additional comments inline.
Patrick Cahalan wrote:
> I'm assuming, from the general body of the email, that you're subject
> to US law here. Disclaimer: I'm not a lawyer, although I've read
> enough about IT regulation (particularly SB 1386 and HIPAA) to know
> you're in a world of trouble.
Yep, do tell.
>> The doctors are exempt from all policies as they are not employees
>> of the provider. Not only is this true, it says so in the very
>> first policy in their list of policies. Isn't that grand?
>
>> Since the doctors are exempt, they do what they please. And what
>> they please is to download a *large* number of medical records into
>> an unprotected computer at home that was stolen today.
>
> At the very least, this violates 164.502 part b.1 of HIPAA (from
> http://www.hhs.gov/ocr/regtext.html)
>
>>> (b) Standard: minimum necessary.
>>>
>>> (1) Minimum necessary applies. When using or disclosing protected
>>> health information or when requesting protected health
>>> information from another covered entity, a covered entity must
>>> make reasonable efforts to limit protected health information to
>>> the minimum necessary to accomplish the intended purpose of the
>>> use, disclosure, or request.
>
> If your health care provider is granting blanket access to doctors
> they are in obvious violation of this subpart.
It is slightly more complex than this. In theory a given doctor
has access to only those records of their own patients and the
patients that are seen by the same group. The reality is broader
I think, but I don't think it allows them access to *every*
medical record.
> Your legal team may be relying upon the subsequent section 164.506,
> section a.2.i:
>
>>> § 164.506 Consent for uses or disclosures to carry out treatment,
>>> payment, or health care operations.
>>>
>>> (a) Standard: consent requirement.
>>>
>>> (1) Except as provided in paragraph (a)(2) or (a)(3) of this
>>> section, a covered health care provider must obtain the
>>> individual’s consent, in accordance with this section, prior to
>>> using or disclosing protected health information to carry out
>>> treatment, payment, or health care operations.
>>>
>>> (2) A covered health care provider may, without consent, use or
>>> disclose protected health information to carry out treatment,
>>> payment, or health care operations, if:
>>>
>>> (i) The covered health care provider has an indirect treatment
>>> relationship with the individual; or
>
> A doctor at a health care provider has an indirect relationship
> with all patients of the other doctors of the provider. However,
> 164.502 section a.1.iii clearly limits the "without consent":
>
>>> (iii) Without consent, if consent is not required under §
>>> 164.506(a) and has not been sought under § 164.506(a)(4), to
>>> carry out treatment, payment, or health care operations, except
>>> with respect to psychotherapy notes;
>
> If your doctors are routinely data-dumping the patient records of the
> entire facility, you guys are up the creek. No paddle.
In general I agree. I don't think they are dumping the patient
records of an entire facility, but over time they acquire and
keep much more than they are currently using or monitoring. This
failure to purge unneeded records is the key problem beyond the
arrogance of refusing to put up with password controls, time
outs, and encryption requirements.
>
>> This has not yet been reported under California 1386, and
>> apparently there is a discussion going on whether they need to as
>> it was not the medical provider's machine....
>
> Whoo, lord, do your people need to be more worried about the law.
>
> SB 1386 (note, it's actually 1798.29 of California's Civil Code now
> that it's been signed into law)
Yeah, I know, but SB 1386 is more recognizable by those who are
not lawyers. In fact when one searches the net for other states
that have enacted similar laws they are commonly referred to by
phrases similar to "...based on California's SB 1386."
> makes NO provision about *systems*
> ownership, only data integrity. From
>
> http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html:
>
>>> SEC. 2. Section 1798.29 is added to the Civil Code, to read:
>>> 1798.29. (a) Any agency that owns or licenses computerized data
>>> that includes personal information shall disclose any breach of
>>> the security of the system following discovery or notification of
>>> the breach in the security of the data to any resident of
>>> California whose unencrypted personal information was, or is
>>> reasonably believed to have been, acquired by an unauthorized
>>> person.
This is exactly what I think the lawyers are relying on. The
doctors are authorized, therefore their possession is legal. Once
it is in the hands of the doctor and lost, I believe their
thinking is that it is the doctor's problem, not theirs. I would
agree with your more inclusive version but, like you I'm not a
lawyer so my opinion doesn't count for much.
The situation is much like NASA's Columbia disaster: managers
were unwilling to tell higher ups about the concerns of the lower
level engineers so actions were taken based on faulty or
incomplete data, leading directly to the very public failure.
>>> (d) For purposes of this section, "breach of the security of the
>>> system" means unauthorized acquisition of computerized data that
>>> compromises the security, confidentiality, or integrity of
>>> personal information maintained by the agency.
>
> You'll note that 1798.29 does not strictly define "system" as that
> "hardware which is owned by the agency", but instead explicitly
> defines "breach of the security of the system" in terms of
> unauthorized acquisition of the *data*.
And this is where they say that the computers are not part of
their system so they have little or no responsibility to protect
it once it is handed over to an authorized user.
> Your health care provider, under 1798.29, is responsible for the
> integrity of the data collected by itself *regardless of the current
> possessor of the data*.
I wish they agreed. It would make life much simpler. But the
lawyers and the big consulting firms make money on muddying the
waters so it is not in their interests to simplify the issues to
the level of clarity that you have.
> If a doctor downloads a chunk of data on his home PC and it gets
> stolen, this is functionally equivalent to the doctor printing out a
> thousand patient records and carrying it around in his/her briefcase;
> the data belongs to the health care provider, not the doctor, and it
> is their responsibility to disclose, not the doctor's.
>
> I imagine that your organization is leery of fessing up to this
> disclosure because their internal access policy is so clearly in
> violation of HIPAA. I would advise most strongly that they fess up
> NOW and fix the problem - data privacy laws in the US are going to get
> stronger, not weaker, and sweeping this under the rug just means that
> it will come to light later when the penalties are greater.
>
> Including Jail Time :)
Don't I just wish. Alas we have many too many examples of the
street corner kid being landed in jail for life for possessing
some small amount of crack while white collar criminals get off
with a small slap and get to keep the bulk of their stolen riches
a la Milken, the "king" of the junk bond scandals twenty years ago.
Any ideas to help with this, direct or indirect, are most welcome.
Best to you and yours,
Allen