Protecting Patient Privacy - Doing it Right

We previously shared this post about the wrong way of protecting patient privacy, in which we were sent an encrypted file together with the password.

In contrast to that earlier failure, we received another DVD a couple of days ago, again with an encrypted file, but this time with instructions to contact the medical office directly by phone to obtain the password. Presumably they will verify our identity and authorization before giving us the password to the file.

Since it's the weekend and their office is closed, it occurred to us that we could try breaking the encryption on the file instead of waiting until next Tuesday to get the password.

We therefore downloaded John the Ripper, an open source password cracker, followed these instructions, and set a modern desktop (a quad-core i7 with 16 GB of RAM) to work.

The result? In 24 hours, 0.01% of all possible passwords had been tested, meaning it would take 100 days to test 1% of all possible passwords, 1000 days to test 10%, or 10000 days to test them all.

While in theory we could speed up the process by using faster or more computers (e.g. by spinning up a large number of cloud-based servers), we'll just call the medical office on Tuesday to get the password instead of leaving our computer to guess passwords for the next 15 years.

The takeaway? Encryption, while not absolutely fool-proof, is an important tool for protecting patient privacy. It just needs to be used correctly (*).

* For the cryptography experts out there: yes, we do know that there are better methods of key exchange than having us call our counterparty medical office for the secret key. Public-key cryptography is the better answer, without a doubt. Perhaps we'll start including our public key in our requests for patient health information and see how long it takes before another medical office actually uses it to encrypt the information. ;)

Protecting Patient Privacy - Points for Effort

It's a difficult time for health care providers to practice, given the constant changes in computer technology, patient requests, and government regulations.

One particular difficulty is how easy it can be to miss the forest for the trees when it comes to IT security, as in this DVD that we recently received from a third party, where the password for decrypting the files stored on the DVD was simply written on the DVD itself.

For context, Magenta Health physicians commonly request the medical records of patients from their former physicians and health care facilities. Once we send off this request, the requested documents are sent to us via various means, such as fax, mail, flash drives, or DVDs.

Particularly when information is physically mailed, there is a risk of the package being misdirected, and accordingly, if the information is mailed on physical media such as a DVD or flash drive, it will sometimes be encrypted. In theory this is a great idea, although it raises the issue of how to convey to us the password needed to decrypt the information. There's no perfect answer, but what is commonly done is to send the password and the information separately. This is similar to how, for example, banks send credit card PINs separately from the credit card itself.

Where this breaks down is when the password is sent together with the information, as in the image above. In that case, the entire purpose of encrypting the information on the DVD (to protect it from inadvertent disclosure) is defeated, since anyone who happens across the DVD can readily access the information.

Suffice it to say, this is an example of why we think it's always important to take a step back and think about, in practical terms, why a particular measure or precaution is being taken, and to evaluate whether it is being deployed and used correctly.