[ Friday, August 12, 2005 ]


"I shot an arrow in the air, it fell to earth I know not where. . . ."

That's a line from a poem, and not exactly what I want to talk about, but it's what popped into my ADD-addled brain at the time. What I want to talk about is encryption of emails containing PHI sent over the internet. "Must encrypt" say the tech-police robots. I say to such robots, "Not so." The Security Rule made encryption an addressable, not a required, implementation specification. And besides, intercepting an email while it's traveling over the internet is like catching an arrow in mid-flight.

In a usual email transaction involving encryption, the sender has the PHI in clean form on his computer, encrypts it and attaches the encrypted file to an email, and sends the email, which is received by the recipient in encrypted format; the recipient decrypts the file and stores it on his computer in clean format. The PHI exists in clear form on the sender's computer from the time it is entered until the time it is deleted (and even longer, really, until the disk space where it resided is reformatted and written over); it exists in clear form on the recipient's computer from the time the recipient decrypts it until the recipient deletes it (or even longer, yadda yadda); and it exists in encrypted format for a fraction of a second on any number of servers over which the email is routed in cyberspace.

Of all the time and opportunities to improperly access the PHI, the least likely risk is when it's in motion in cyberspace, but that's where folks get ga-ga over encryption. In the scenario above, it's like worrying about whether your car doors are locked while you are driving 65 MPH down the interstate, but not worrying about locking the doors while your car is parked in the driveway at night. Sure, there's a risk that James Bond or Tom Cruise will rappel down from a helicopter while you're driving down the interstate; but that's an awfully small risk compared to the risk when your car is sitting in the driveway at 3:00 am.

That's what gets people going, though. Encryption of emails. I've pooh-poohed it because of the relative risk question, but there's another reason to pooh-pooh it: you don't encrypt your phone messages, do you? Is there a greater risk of your emails being intercepted than your phone calls being intercepted? Not much of one; presumably phone circuits are more closely controlled than internet circuits (you never know what route your email will take, really), but wouldn't someone have to be involved in criminal conduct as great as wiretapping to intercept your email?

That's what sent me off on this tired tirade this morning: this case. Brad Councilman was a vice president of a rare book dealer that offered a free e-mail service to customers. He allegedly began intercepting any e-mails sent to his customers by Amazon.com and reading the messages to see what Amazon was offering, so he could determine what offers to make to the same potential customers. A grand jury indicted him for violating federal wiretap laws. His lawyers fought the indictment, saying that the wiretap law did not apply. A federal district court agreed and tossed the indictment. The DOJ appealed, but a three-judge panel of the US Court of Appeals in Boston confirmed the indictment-quashing. The DOJ got all seven appeals court judges to hear the case, and the full panel reversed the trial court and the 3-judge panel, ruling that Councilman could be tried under the wiretap law. "The term 'electronic communication' includes transient electronic storage that is intrinsic to the communication process," the court said, "and hence that interception of an e-mail message in such storage is an offense under the Wiretap Act." Councilman denies even peeping at the emails, but the court determined that if he peeped, he must be a creep. Or something like that.

My point, to the extent I have one, is this: just as your biggest privacy risk is your employee pool, and not some 14-year-old Russian hacker, your biggest encryption need is probably in your PHI at rest, not your PHI in transit. G'won, encrypt those internet emails if you want to, but don't be afraid to realize that you're spending some valuable resources (time, if not money) doing so, when greater risks may lie elsewhere.

(hat tip to Alan Goldberg for the Boston story, BTW.)

Jeff [11:14 AM]

Rant away, Brother---
I'm doing the same thing. The sooner folks realize that the biggest threat is inside the firewall, the better. I spent over an hour Saturday explaining how to create a strong password to someone who understood that the risk was at her desktop. That hour was well spent--- sadly, much of the time when I consult, the client's money and my breath are wasted, because they buy the high-octane firewall and ignore who lives inside of it.