Monthly Archives: September 2015

Encryption – Govt. double standard – or not


The medical community is subject to unprecedented governmental requirements to protect the privacy of patient data – the governmental interest and incentives for digital storage and transmission of ePHI are clear – the safe harbor of encryption has pushed the medical community, and thereby their business Associates to achieve the highest levels of encryption.

On the other hand, the United States government stands firm in its opposition to “strong” encryption.

I believe that there  are two competing interests, privacy and security. HIPPA and the associated rules and regulations are firmly grounded in a patient’s right to privacy and therefore the balance is firmly tipped in favor of privacy. Moreover, the encryption safe harbor is somewhat illusory, if encrypted data can be accessed. While it is possible that the covered entity or business associate may not be subject to fines, they will have to notify those who are affected, and suffer the reputational loss associated with a breach.

On the other hand, the government must prevent crime, terrorism and other misdeeds, and to that end they are opposing “strong” encryption. However, in the final analysis I do not think that demands can be made on the medical community – and the business community at large which are being pushed toward impregnable encryption and functionally zero tolerance for breaches of information, while on the other hand insisting on “back doors” to make encrypted data accessible.

I believe that in the final analysis is a zero-sum game. If encryption will be “strong” enough that governments may not be able to access it through the service providers, and there will be end to end encryption, with service providers rendered unable to access the information, we will be protecting information like ePHI, sensitive personal financial information, and information that should be private. Conversely, if we allow governments the ability to access information, the privacy of law abiding citizens and the protection of ePHI etc. may be compromised.

The Basic Arguments are :

Government  – we need the ability to monitor information passing through US computer networks. This is the position of Admiral  Mike Rogers, director of the NSA.

Counterargument – if the United States has the right to have back doors for the US government (as a governmental right) other governments should have that right as well, e.g. China, Russia etc. This position was articulated by Alex Stamos, the then current security engineer at Yahoo. As an aside, Yahoo and Google are currently working on an end to end email encryption system that may be ready by the end of the year.

Government – The rise in encryption has rendered significant part of the Internet “dark” making it harder to track terrorists and other criminals.

Counterpoint- Skype seems to have end to end encryption using the Skype video service (as opposed to making phone calls on it) and therefore with respect to the criminal element all you need is one service through which criminal information is inaccessible.

Furthermore, the companies that handle the transmission of emails and other digital information say that providing any backdoor weakens encryption. Whit Diffie, A 71 year old pioneer and co-inventor of the basic approach used in most modern encryption systems seems to believe that it is counterproductive to try to build the special access governments or seeking.

It is interesting to note that the French intelligence services have been the beneficiaries of a bill that was passed in May legalizing phone tapping and email interception. With respect to England, David Cameron has proposed a ban on “strong” Encryption to ensure the terrorists do not have a safe space in which to communicate.

There are over a billion email users around the world, the use of email and digital transmission of private information is rising, as is the incidence of cyber crime, hacking by rouge nations and the the need for secure digital information and transmission.

In the final analysis it is difficult to find the exact intersection/equilibrium of crime prevention (with respect to criminals and terrorists) and the rights of privacy of law-abiding citizens.  This issue is only made more complex when the government is encouraging digital storage and transmission of the very information it rightfully demands to be held private.

What do you think.

The Falling Star of Nursing Homes – or Maybe Not


How accurate is the Five Star rating system in assisting the general public to determine which nursing home to select?

The Government Accounting Office (GAO) has accepted a request to investigate the rating system used on the Nursing Home compare website.

This request stems from a request by Senators Bob Casey (D-PA) and Ron Wyden  (D-OR) after CMS (this past February) added quality measures on antipsychotic medication use and staffing levels to the ratings displayed on the website. Apparently, the estimate was that 4,777 out of 15,500 nursing homes would see a drop of at least one star. Obviously, in a five-star rating system, the drop of one star is very significant.

Similarly, Rep. Elijah E. Cummings (D-MD) has asked for a briefing with the Centers for Medicare & Medicaid services on the website’s rating system.

As I understand it, the American Health Care Association (ACHA) has taken issue with the rating system, as it does not give proper weight to residents seeking nursing home care on a short-term basis for rehabilitation or therapy, and is heavily weighted toward long-term care.

Furthermore, there are concerns that the February changes do not really affect how well the residents will fare during their nursing home stay.

It is interesting that while the five-star system will come under review, there is no current roadmap with respect to the metrics (and relative weight) that should be employed to give an accurate five-star rating.

Obviously, HIPAA, or people’s interest in maintaining their privacy, would preclude (or at least severely limit) reviews by residents or their families in which they could give details regarding their ratings.

To the extent that we have become accustomed to rely on five-star rating systems, e.g. Amazon or eBay, which are becoming more widely accepted, and in my experience, with a little due diligence are highly accurate and predictive, it is important that five-star rating systems which DO NOT have detailed/descriptive ratings by the residents or their families,  have accurate metrics and weight, as they will be relied on for  very important decisions –  clearly more important than the average purchase on Amazon or eBay.