
Proposed Changes to HIPAA / HITECH, Part I

July 8th, 2010

On July 8, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued its long-awaited (and for some, dreaded) proposed changes to HIPAA. While several of the changes are merely ‘procedural’, I find that there are significant changes to certain sections – with some loopholes closed.
Below I list the changes that are not merely procedural, together with my thoughts as to their meaning. As always, I am available to consult – and repeat: “I am not an attorney”.
 

The changes

Subcontractors

  1. The first major change is to Subpart A—General Provisions, Section 160.103—Definitions. OCR proposes a change whose purpose is to close the loopholes around the definition of a ‘business associate’. This is significant, because until now the assumption in some circles was that subcontractors were exempt from many HIPAA provisions. Of course, that led to some organizations creating their own ‘subcontractors’ for the purpose of sheltering from the regulations.

 

Medical Error Finders

  1. Another change suggested is the inclusion of Patient Safety Organizations.  These organizations, from their very essence, must handle PHI and thus already should have been included.   OCR is requesting specific inclusion of these organizations, or, in their words: “to more clearly align the HIPAA and Patient Safety Rules.”

 

Data Brokers

  1. The next change relates to the request to specifically include Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission, as well as Vendors of Personal Health Records. Again, OCR notes that HITECH (Section 13408) includes these types, but is asking for specific, explicit inclusion.
     

I see dead people

  1. The next change requests a declaration that a person’s health records are no longer covered under the Acts if fifty (50) years or more have passed since his death.   That is an interesting change, and I wonder what prompted it.
     

What is a State?

 

  1. This change notes that the US Virgin Islands and American Samoa were left out (by error?) of the original bill, and asks for a correction to include these territories.

Privacy

  1. With regard to Subpart C—Compliance and Investigations, Section 160.310—Responsibilities of covered entities, the proposed changes would have a large PRIVACY impact. Currently the HIPAA law only allows the Secretary of HHS to disclose PHI under very limited guidelines. Under the proposed change, to which I am adamantly opposed, the Secretary will now be allowed to share Personal HEALTH data with many other agencies (imagine the IRS knowing which hospital you are in and why).

More to come in the next blog entry.

You can find the proposed changes to HIPAA and HITECH also here (PDF)

 

The Needed Rebirth of Security

April 26th, 2010

A Brief History of Internet-Time

When we look at our (over-)connected life today, it is hard to remember that only ten years ago, some of us had no Internet. When we look at legislative efforts, such as those of the EU, Finland, or France, to declare 'access to the Internet' or 'access to high-speed data' to be a basic human right, it is good to recall that the early Internet was provided as access between universities and between government agencies. The main design focus, such as in TCP/IP, was on speed and Ubiquity of Access. The focus was not, and arguably is not today, on Security, Privacy, or Integrity.

For over sixty years, a nascent Information Technology (or, as called then, Automated Data Processing) effort has been going on separately and for different reasons than the Internet.   This effort, Information Security (also known as Information Protection, Information Assurance and other names), was NOT focused on the Internet and its many threats.  Initially, it too focused on military applications.

Even then, in today's forgotten past, certain voices were heard saying that we were doing it wrong.

 

Fast-Forward to Now

As I called for in my Strategy to Secure The Federal CyberSpace, we need a different approach. With malware counts estimated by some to be in the millions and rapidly increasing every day, we can no longer rest on the laurels of the current generation's thinking, programs and defensive appliances. As my friend John Viega stated in his The Myths of Security: What the Computer Security Industry Doesn't Want You to Know:

the question is asked once for every piece of malware that has a cryptographic signature

Which means that often every byte in every file on every computer has to be compared to every signature in every database in the current version of the virus signature files….

If we take real numbers (of about 2 million known malware pieces) and add a mere 10,000 new signatures per day (and this is even without counting polymorphic code!), and apply them to a mere 50MB file, we see that each and every part of every file has to be compared to millions of signatures. The math boggles the mind.

 

2,000,000 (signatures) X 50MB (file) = 2,000,000 X 50,000,000 Bytes = 100,000,000,000,000 attempts (100 million millions)

2,000,000 (signatures) X 500MB (file) = 2,000,000 X 500,000,000 Bytes = 1,000,000,000,000,000 attempts

2,000,000 (signatures) X 5GB (file) = 2,000,000 X 5,000,000,000 Bytes = 10,000,000,000,000,000 attempts

2,000,000 (signatures) X 50GB (file) = 2,000,000 X 50,000,000,000 Bytes = 100,000,000,000,000,000 attempts

2,000,000 (signatures) X 500GB (file) = 2,000,000 X 500,000,000,000 Bytes = 1,000,000,000,000,000,000 attempts  (1 million, million, millions)

 

It does not scale.

 

Likewise, the sheer number and variety of hacker attacks today, combined with Smart attacks, are such that we had to invent yet another acronym: APT. APT, or "Advanced Persistent Threat", is what I predict all (well, over 80%) of attacks will become in the immediate future. Basically we are saying "we know what, we know whom, but we can't do diddly about this". This is tantamount to us admitting the Hackers have won.

 

 

Old Thinking is New Again

Roger Schell, in a famous demand from the mid-1970s, warned us: we must switch away from Black Listing. Black Listing, the practice of blocking 'known bad' events, processes, programs and computers from accessing our protected data resources, is simply no longer relevant. While I understand that many voices in the information security community will disagree with me, especially those affiliated with Symantec, McAfee and the like, I must issue a call for the re-birth of WHITE listing.

Under the rules of White Listing we, and in particular businesses, must create a list of "allowables". These allowables would include, for example:

 

  • Allowed users
  • Allowed connections (on a firewall, or on every single computer)
  • Allowed software (yes, we need to learn the signature of the software we allow on our computers)
  • Allowed addresses (just think: no more spam!)
  • Allowed traffic forms (if we don't use SNMP, why allow it in the network?)
  • Allowed time-of-day and source for individual processes
  • and many more
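
The "allowed software" item above, contrasted with signature-based black listing, as an added example that is not part of the original post. All names, sample "binaries" and signatures are constructed for illustration, and the black-list work count follows the post's naive model of signatures times file bytes.

```python
import hashlib

# Constructed sample data: stand-ins for real binaries and AV signatures.
APPROVED = {
    "payroll": b"payroll build 4.2 (constructed sample)",
    "backup-agent": b"backup agent 1.9 (constructed sample)",
}
BAD_SIGNATURES = [b"KNOWN-BAD-PATTERN-A", b"KNOWN-BAD-PATTERN-B"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict) -> dict:
    """Map SHA-256 digest -> name for every approved binary."""
    return {sha256_hex(blob): name for name, blob in approved.items()}


def blacklist_check(data: bytes, signatures: list) -> tuple:
    """Default-allow. Returns (allowed, work), where work follows the post's
    naive model: every signature is tried against every byte of the file."""
    allowed = not any(sig in data for sig in signatures)
    return allowed, len(signatures) * len(data)


def allowlist_check(data: bytes, allowlist: dict) -> tuple:
    """Default-deny. Returns (allowed, work): one hashing pass over the file,
    no matter how many malware samples exist in the world."""
    return sha256_hex(data) in allowlist, len(data)


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED)
    samples = {
        "approved binary": APPROVED["payroll"],
        "known malware": b"dropper " + BAD_SIGNATURES[0],
        "new variant, no signature yet": b"dropper KNOWN-BAD-PATTERN-C",
        "approved binary, one byte changed": APPROVED["payroll"][:-1] + b"!",
    }
    for label, blob in samples.items():
        b_ok, b_work = blacklist_check(blob, BAD_SIGNATURES)
        a_ok, a_work = allowlist_check(blob, allowlist)
        print(f"{label:35} blacklist={'run' if b_ok else 'block'}({b_work}) "
              f"allowlist={'run' if a_ok else 'block'}({a_work})")
```

The two rows to watch are the new variant, which the black list lets run because no signature exists yet, and the modified approved binary, which the white list blocks because its digest no longer matches.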

 

While this approach will be difficult at first, the difficulty will not be technical.  We must adjust to a new format of thinking and we must teach this format.   We need to have Security reborn. 

 

Considering the forces laid out against us, do we have a choice?