Data Encryption

The medical community is subject to unprecedented governmental requirements to protect the privacy of patient data – the governmental interest and incentives for digital storage and transmission of ePHI are clear – the safe harbor of encryption has pushed the medical community, and thereby their business Associates to achieve the highest levels of encryption.

On the other hand, the United States government stands firm in its opposition to “strong” encryption.

I believe that there are two competing interests, privacy and security. HIPPA and the associated rules and regulations are firmly grounded in a patient’s right to privacy and therefore the balance is firmly tipped in favor of privacy. Moreover, the encryption safe harbor is somewhat illusory, if encrypted data can be accessed. While it is possible that the covered entity or business associate may not be subject to fines, they will have to notify those who are affected, and suffer the reputational loss associated with a breach.

On the other hand, the government must prevent crime, terrorism and other misdeeds, and to that end they are opposing “strong” encryption. However, in the final analysis I do not think that demands can be made on the medical community – and the business community at large which are being pushed toward impregnable encryption and functionally zero tolerance for breaches of information, while on the other hand insisting on “back doors” to make encrypted data accessible.

I believe that in the final analysis is a zero-sum game. If encryption will be “strong” enough that governments may not be able to access it through the service providers, and there will be end to end encryption, with service providers rendered unable to access the information, we will be protecting information like ePHI, sensitive personal financial information, and information that should be private. Conversely, if we allow governments the ability to access information, the privacy of law abiding citizens and the protection of ePHI etc. may be compromised.

The Basic Arguments are :

Government  – we need the ability to monitor information passing through US computer networks. This is the position of Admiral  Mike Rogers, director of the NSA.

Counterargument – if the United States has the right to have back doors for the US government (as a governmental right) other governments should have that right as well, e.g. China, Russia etc. This position was articulated by Alex Stamos, the then current security engineer at Yahoo. As an aside, Yahoo and Google are currently working on an end to end email encryption system that may be ready by the end of the year.

Government – The rise in encryption has rendered significant part of the Internet “dark” making it harder to track terrorists and other criminals.

Counterpoint- Skype seems to have end to end encryption using the Skype video service (as opposed to making phone calls on it) and therefore with respect to the criminal element all you need is one service through which criminal information is inaccessible.

Furthermore, the companies that handle the transmission of emails and other digital information say that providing any backdoor weakens encryption. Whit Diffie, A 71 year old pioneer and co-inventor of the basic approach used in most modern encryption systems seems to believe that it is counterproductive to try to build the special access governments or seeking.

It is interesting to note that the French intelligence services have been the beneficiaries of a bill that was passed in May legalizing phone tapping and email interception. With respect to England, David Cameron has proposed a ban on “strong” Encryption to ensure the terrorists do not have a safe space in which to communicate.

There are over a billion email users around the world, the use of email and digital transmission of private information is rising, as is the incidence of cyber crime, hacking by rouge nations and the need for secure digital information and transmission.

In the final analysis it is difficult to find the exact intersection/equilibrium of crime prevention (with respect to criminals and terrorists) and the rights of privacy of law-abiding citizens.  This issue is only made more complex when the government is encouraging digital storage and transmission of the very information it rightfully demands to be held private.

What do you think.