When it comes to HIPAA encryption, one of the most frequently asked questions is whether the solution is FIPS 140-2 compliant (or NIST approved / certified / validated). When it comes to AlertBoot, the answer is “yes,” but the reason the question is asked so frequently is that, sometimes, an encryption algorithm doesn’t live up to its name.
This does not necessarily mean that someone is out to scam you (although such companies do exist); it’s just that developing adequate encryption is hard, developing great encryption is even harder, and there’s no way to know whether a particular encryption algorithm will stand up to the fire until it’s been tested and peer reviewed.
The Dentrix Situation
In a post that delves rather deeply into the issue of cryptography, Dissent at phiprivacy.net delivers news of a PHI data breach at a clinic that uses Dentrix, a dental practice management solution produced by the company Henry Schein.
Long story short: a computer full of dental patient data is stolen, but clients need not be worried because Dentrix encrypts the data. The problem? As Dissent notes, the encryption used in Dentrix software is not really encryption, although Henry Schein reps beg to differ.
Encryption vs. Data Camouflage
As a layman working in the encryption industry, it seems to me that Henry Schein doesn’t have a leg to stand on regarding the claim that its solution uses data encryption. Indeed, I wonder why they’re making the claim at all, seeing that they’re using someone else’s encryption (at this point, “encryption”):
In June 2013, NIST basically rejected the descriptor “encryption” for FairCom’s proprietary “standard encryption” (which is what Dentrix used in its G5 version). As a result of a vulnerability brought to CERT’s attention by Justin Shafer, FairCom wound up re-branding its “standard encryption” – which CERT described as a “weak obfuscation algorithm” – as “Data Camouflage.” The CERT report includes FairCom’s description of its “standard encryption” and its new description for “Data Camouflage.” [from phiprivacy.net]
It’s fairly obvious that FairCom was forced to call their solution something other than encryption because of CERT’s decision; hence the term “data camouflage.” But I think we have to consider the (very probable) possibility that this is nothing but marketing-speak. Obviously, we should be referring to FairCom’s tool by CERT’s own terminology: “weak obfuscation algorithm.” Whatever that may be, it’s not encryption. Even more disconcerting is the word “weak” in that description.
A further problem is that the cryptologists interviewed by Dissent agree that, if Dentrix is using FairCom’s “data camouflage,” it does not sound like Dentrix is using encryption at all.
Then there is the unassailable fact that FairCom, the providers of Dentrix’s encryption core, decided to drop the word “encryption” when they renamed their solution.
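The distinction the section above turns on, that a fixed transformation shipped inside the software is not encryption, as an added example that is not part of the original post and does not describe FairCom’s or Dentrix’s actual algorithm: a constructed XOR “camouflage” whose pattern is compiled into the program, beside AES-256-GCM keyed from a random key that lives outside the data. The function RecoverableByAnotherCopy is the check an assessor applies to stored records: can a second copy of the software, holding no secret, turn them back into the original? The sample record and the pattern string are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// camouflagePattern is a constructed stand-in for a fixed pattern compiled into
// an application. It is not FairCom's or Dentrix's actual scheme.
var camouflagePattern = []byte("fixed-vendor-pattern")

// Camouflage XORs data with the fixed pattern. Nothing secret is involved:
// every copy of the software carries the pattern, so the same call reverses it,
// and identical input always yields identical output.
func Camouflage(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ camouflagePattern[i%len(camouflagePattern)]
	}
	return out
}

// NewKey returns a fresh random 256-bit AES key. In a FIPS 140-2 validated
// module this would come from the module's approved random bit generator and
// be held in its key store, not inside the application or next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random 96-bit nonce is prepended
// so identical records produce different ciphertexts, and the GCM tag lets the
// reader detect any modification.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a record produced by Encrypt. It fails, rather than returning
// garbage, when the key is wrong or the ciphertext has been modified.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RecoverableByAnotherCopy reports whether a stored record comes back as the
// original when processed by another copy of the software that holds only the
// built-in pattern and no key. True for camouflage; false for an encrypted record.
func RecoverableByAnotherCopy(stored, original []byte) bool {
	return bytes.Equal(Camouflage(stored), original)
}

func main() {
	// Constructed sample record; errors are ignored only in this demonstration.
	record := []byte("patient: J. Doe, DOB 1970-01-01 (constructed sample)")

	stored := Camouflage(record)
	fmt.Printf("camouflaged record readable without a secret: %v\n",
		RecoverableByAnotherCopy(stored, record))

	key, _ := NewKey()
	sealed, _ := Encrypt(key, record)
	fmt.Printf("encrypted record readable without a secret: %v\n",
		RecoverableByAnotherCopy(sealed, record))

	wrongKey, _ := NewKey()
	_, err := Decrypt(wrongKey, sealed)
	fmt.Printf("decrypt with the wrong key: %v\n", err)
}
```

Two caveats follow from the example. First, the camouflaged record is deterministic and reversible by anyone who has the program, which is why a “weak obfuscation algorithm” offers no confidentiality once the computer itself is stolen. Second, using an approved algorithm such as AES is not the same as FIPS 140-2 validation: validation is granted to a specific cryptographic module after testing, and nothing here claims that status for Go’s standard library; the HIPAA question is whether the product’s module, its key generation and its key storage have been validated, not merely which cipher name appears in its marketing.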
Is It FIPS 140-2 Validated?
None of this means that data saved to Dentrix software will be easily accessed by the computer thief or thieves. It’s also not an indication that Henry Schein is being disingenuous; they really could be under the belief that the data is properly protected.
However, this much is certain to me: under the circumstances, it doesn’t sound like the data lives up to HIPAA data encryption standards, standards that are, incidentally, set by NIST, not HIPAA (as anyone who has read through the Federal Register knows, HIPAA defers to NIST on all the minute details of encryption and other data security tools).
Under HIPAA, NIST is the final arbiter on what is (and what isn’t) proper encryption. If NIST has given FairCom’s encryption the kibosh, then there really isn’t any room for argument. While we can debate the level of security provided to users of Dentrix, in terms of HIPAA policy there is only one answer: the dentist is not covered by the safe harbor afforded by encryption under the Breach Notification Rule.