Encryption and Health Care Policy
Prepared Remarks of Solveig Singleton of the Competitive Enterprise Institute
Before the State Health Affairs Group (SHAG) of the American Hospital Association
April 10, 2001, Washington, DC
Controversially, industry analysts estimate that the cost of complying with new privacy and security rules passed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will total $43 billion. Of this amount about $25 billion will go to new hardware and software and training to implement the security provisions of the rule. And the failure to comply with HIPAA could be expensive as well, with fines ranging up to $250,000 and jail penalties. So the topic of encryption and health care has been booted from the realm of the obscure into the realm of the hot topic. And this is why you have a lawyer appearing before you today to talk to you about health care and really hard mathematics, not a programmer or a hospital administrator.
What I’m going to talk about today is, first, how encryption can help solve some health care security problems; second, I’ll set out some of the limits of encryption in solving health care problems. So I’ll be talking about what encryption can do for you and what it can’t. Then I will close by outlining some policy issues surrounding the use of encryption in health care, such as the circumstances under which encrypted data can be decrypted by law enforcement.
To begin, I’ll describe how encryption can keep health care information secure.
Let me begin by explaining what encryption is. Encryption uses mathematics to transform the readable text of a document (the “plaintext”) into unreadable “ciphertext.” To transform the ciphertext back into plaintext, one must know the key.
The type of encryption most likely to be used for digital signatures and for email is public-key cryptography; the system of certificates and certificate authorities that vouches for whose public key belongs to whom is called a Public Key Infrastructure (PKI). In a public-key system each user has two keys, a “public key” and a “private key.” The two keys are related by a mathematical formula, but the relation runs one way: it is not feasible to work out the private key from the public one. The public key can be posted on the Internet for everyone to see. The private key is known only to the user. The two keys are used in opposite directions for the two jobs. To send a confidential message, the sender encrypts it with the recipient’s public key; only the recipient, holding the matching private key, can decrypt it, and the recipient replies by encrypting with the sender’s public key. To sign a message, the signer uses his own private key to produce a signature that anyone can check with his public key, which is what lets a recipient verify who sent a document.
The longer the key, the harder the encryption is to break by guessing, assuming the encryption has no other flaws, so that the only method to break it is to try every possible key (a “brute force” attack). Key length is measured in bits, and each additional bit doubles the number of keys an attacker must try. Just a few years ago, a 56-bit DES key was widely considered adequate, but today purpose-built hardware can recover such a key in about a day. The industry standard for conventional (symmetric) ciphers for several years has been 128 bits, which is far beyond any brute-force attack. The much longer figures quoted for digital-signature keys, 512 or 1,024 bits, are not comparable: those are public-key (RSA-style) keys, which can be attacked by factoring rather than by exhaustive search and therefore must be much longer to give equivalent strength. A 512-bit key of that type was in fact factored in 1999 by an academic team using ordinary computers over several months, and last fall a cryptographer announced the design of a machine called “Twinkle” intended to cut such a factoring job to around 3 days. For that reason 1,024 bits is now the recommended minimum for public keys.
Evolution to the New Model of Security for Health Care. The old model of health care security is the “island” model. The data is stored in a network that can be accessed only by certain users, in certain special rooms, using certain special computers.
This model probably will never die out for the most sensitive information. But for many health care applications it is becoming obsolete because caregivers and patients alike want access to medical records virtually upon demand, which requires a much more flexible system. The “island” model does not work for doctors and patients exchanging email. Nor does it work for a doctor in the intensive care ward who wants to call up a patient’s treatment history on a wireless device while standing next to his bed. Nor would it work to secure large files of data in transit to a third party on a different network, such as an insurance company. This is part of the reason why encryption will become important in future networks.
Another part of the reason is HIPAA’s new security rules. The new rules require that hospitals control access to patient files and install systems to authenticate the identity of caregivers accessing the files. They also require that stored data and data in transit be protected by security systems that ensure:
· Message integrity—that the message is not altered in transmission
· Non-repudiation—to prevent the signer of a message from later disavowing it.
· Authentication—to verify that the user and recipient are who they claim to be.
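As an added illustration, not part of these remarks, here are the two uses of a key pair described above and the three properties just listed, in working code: confidentiality by encrypting with the recipient’s public key, and integrity, authentication and non-repudiation by signing with the sender’s private key. It uses textbook RSA with deliberately tiny primes so that the arithmetic is visible; the primes, the byte-at-a-time blocks, the sample note and the doctor/patient names are assumptions for illustration only, not anything a real system should do.

```python
"""Added illustration (not from the original remarks): public-key encryption
and digital signatures with textbook RSA on toy-sized numbers.  The primes,
messages and byte-per-block scheme are assumptions chosen so that the
arithmetic is visible; real systems use 2048-bit or larger keys, padding
schemes and vetted libraries."""
import hashlib


def generate_keypair(p: int, q: int, e: int):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1).
    Returns (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(blocks, key):
    """The single RSA operation: raise each block to the key's exponent mod n.
    Which key is used decides whether this encrypts, decrypts, signs or verifies."""
    exponent, n = key
    return [pow(b, exponent, n) for b in blocks]


def encrypt(message: bytes, recipient_public_key):
    """Confidentiality: the SENDER uses the RECIPIENT'S public key.
    Each byte (0..255, always < n here) is treated as one block."""
    return rsa_apply(message, recipient_public_key)


def decrypt(ciphertext, recipient_private_key) -> bytes:
    """Only the holder of the matching private key can reverse encrypt()."""
    return bytes(rsa_apply(ciphertext, recipient_private_key))


def sign(message: bytes, signer_private_key):
    """Authentication and non-repudiation: the SIGNER uses his own private key
    on a hash of the message.  Nobody without that key can produce this value."""
    return rsa_apply(hashlib.sha256(message).digest(), signer_private_key)


def verify(message: bytes, signature, signer_public_key) -> bool:
    """Integrity: anyone holding the signer's public key recovers the hash
    and compares it with a fresh hash of the message; any alteration fails."""
    recovered = rsa_apply(signature, signer_public_key)
    return recovered == list(hashlib.sha256(message).digest())


def demo():
    """Doctor -> patient: encrypt the note to the patient, sign it as the doctor.
    Returns (decrypted note, verification result, result for a tampered copy)."""
    doctor_pub, doctor_priv = generate_keypair(61, 53, 17)     # toy primes
    patient_pub, patient_priv = generate_keypair(47, 59, 7)    # toy primes
    note = b"Lab results normal; no follow-up needed."         # constructed sample
    ciphertext = encrypt(note, patient_pub)          # patient's PUBLIC key
    signature = sign(note, doctor_priv)              # doctor's PRIVATE key
    recovered = decrypt(ciphertext, patient_priv)    # patient's PRIVATE key
    genuine = verify(recovered, signature, doctor_pub)          # doctor's PUBLIC key
    tampered = verify(recovered.replace(b"normal", b"abnormal"), signature, doctor_pub)
    return recovered, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The direction of each key is the whole point: the note can be read only with the patient’s private key, and the signature can be produced only with the doctor’s private key, so a verified signature both authenticates the sender and leaves him unable to disavow the message later; changing a single word of the note makes verification fail.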
The new model of health care security encrypts the traffic rather than isolating the machines. A firewall guards the hospital’s network, and virtual private networks (VPNs) carry encrypted traffic across the public Internet so that remote users and partner networks can reach it. Such a network can be accessed from anywhere, but only by an authorized user who presents the right password, fingerprint or typing pattern, and the more sensitive the data, the more layers of protection are stacked (an encrypted tunnel carrying separately encrypted application traffic, for example). Encryption can also keep email confidential, and the same public-key mathematics provides digital signatures to verify that the person who sent a document really is who he claims to be.
The Limits of Encryption. Next, I will discuss what encryption cannot do for you. In terms of HIPAA compliance or compliance with any other security requirement, using encryption will probably be necessary but not sufficient.
Encryption is best used to stop hackers or other unauthorized persons from reading health records. It cannot stop an employee who has authorized access from abusing that privilege, because the system decrypts the records for him by design. The remedies here are different: give each user access only to the records his job requires, keep audit logs of who looked at what, and run compliance programs that make clear that employees who breach obligations of confidentiality will be held accountable for what they have done.
And encryption is only as strong as its weakest link. That weakest link is usually a human being. Obviously, no one is going to remember a 1,024-bit key; the key is stored on a disk or a smart card and unlocked with a password. But most passwords that people choose for themselves can be cracked within minutes by a program that simply tries dictionary words and their common variations. The best passwords are long, combine upper- and lower-case letters, numbers and symbols, and are not words from the dictionary, and the system holding the key should stretch the password with a deliberately slow key-derivation function so that each guess costs the attacker real time. Even such a password is not secure if someone leaves it on a sticky note on the front of the computer. Biometric identifiers or typing-pattern identifiers may turn out to be the best solution to this problem, though biometric technology involves even more expense and carries a risk of its own: a fingerprint that has been compromised cannot be changed.
Finally, encryption has a cost in time. Public-key operations are slow compared with conventional (symmetric) ciphers, which is why practical systems use the public key only to exchange a short symmetric key and encrypt the bulk of the message with the faster cipher. Even so, key exchange, certificate checks and key management add delay to every message, and in a health care system that is exchanging millions of messages this adds up to a lot of time lost.
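As an added example (not the author’s, and a toy construction rather than a real key store), here is the arrangement described above for protecting a stored private key: the key sits on disk encrypted under a key stretched from a password with PBKDF2, and an attacker who copies the file simply tries likely passwords until the integrity check passes. The key bytes, word list, salt, iteration count and passwords are all constructed for illustration; what the example shows is that the password, not the long key, is what the attacker goes after.

```python
"""Added illustration (not from the original remarks): a private key stored
under a password-derived key, and the dictionary attack an attacker runs
against the stored file.  All inputs are constructed; the SHA-256 keystream
is a toy stand-in for a real cipher such as AES-GCM."""
import hashlib
import hmac

ITERATIONS = 2_000   # kept low so the demo runs in seconds; use hundreds of thousands in practice


def derive_keys(password: str, salt: bytes, iterations: int = ITERATIONS):
    """PBKDF2-HMAC-SHA256 stretches the password into two 32-byte keys:
    one to encrypt the stored private key, one to authenticate it."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 64)
    return material[:32], material[32:]


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy; a real system uses an AEAD cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_private_key(private_key: bytes, password: str, salt: bytes) -> dict:
    """Encrypt-then-MAC the private key under the password-derived keys."""
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, keystream(enc_key, len(private_key))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unwrap_private_key(wrapped: dict, password: str):
    """Return the private key, or None if the password (and hence the MAC) is wrong."""
    enc_key, mac_key = derive_keys(password, wrapped["salt"])
    expected = hmac.new(mac_key, wrapped["salt"] + wrapped["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        return None
    ks = keystream(enc_key, len(wrapped["ciphertext"]))
    return bytes(a ^ b for a, b in zip(wrapped["ciphertext"], ks))


def dictionary_attack(wrapped: dict, wordlist):
    """What an attacker holding a copy of the key file does: try likely passwords
    until the MAC checks.  Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if unwrap_private_key(wrapped, candidate) is not None:
            return candidate, guesses
    return None, guesses


WORDLIST = ["password", "123456", "hospital", "hospital1", "letmein", "qwerty"]  # constructed


def demo():
    """Same key, two passwords: the dictionary one falls in four guesses,
    the long random one survives the whole list."""
    private_key = b"-----TOY PRIVATE KEY BYTES-----"   # constructed placeholder
    salt = bytes(range(16))                           # fixed so the demo is reproducible
    weak = wrap_private_key(private_key, "hospital1", salt)
    strong = wrap_private_key(private_key, "Tq9#vLm2-river-gauge-47", salt)
    return dictionary_attack(weak, WORDLIST), dictionary_attack(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The iteration count is the knob that makes each guess expensive for the attacker as well as for the legitimate user; raising it is the cheapest defence, but it only buys time, and a password on a word list is found in a handful of guesses no matter how long the key it protects.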
Now I will move on to talk about encryption policy issues.
The Encryption Export Rules. Most policy issues with the use of encryption have come up at the federal level rather than at the state level. For years, encryption was regulated by national security agencies as a type of “munition.” Most of the debate about encryption policy concerned whether to lift the limits on exporting strong encryption software to other countries. There were never any limits on the strength of encryption that could be used within the United States. But limits on export hindered the development of domestic encryption for health care in the US, because software developers would not want to invest in developing one product for the US market and another for export. Within the past two years, however, the rules on exporting encryption have been relaxed, especially for health care.
HIPAA and the States. Many industries, including health care, have been involved in the debate about whether to have new laws governing privacy and security issues. This debate was answered in the area of medical privacy rules by HIPAA. But HIPAA does not preempt stricter state rules. If states begin to move to pass security standards that are different from HIPAA, some very interesting issues could emerge.
In particular, the HIPAA security rules are technology neutral. They do not stipulate the use of particular software or hardware, or prefer one type of encryption over another. Some states might choose to abandon that policy and prescribe a particular technology. Whether such a standard were state or federal, it is unlikely to be workable, as government agencies tend to move too slowly to stay on the cutting edge of the technology.
HIPAA Compliance—A Moving Target. Another potential legal issue is how institutions will remain HIPAA compliant over time. Suppose a hospital installs a firewall and access control systems that use 512-bit or 1,024-bit encryption. The hospital does its best to be up to or even slightly ahead of the industry standard. But the day after the system is installed, a brilliant mathematician in New Zealand or Israel comes up with a way to crack the code and announces his results to the world! Would the hospital be HIPAA compliant on Monday but not on Tuesday? How would judges or regulators view compliance when the standard set by the technology is such a moving target?
So far, I have not heard of anyone who has written on this issue. Most providers are not far along enough to run into it. But encryption technology is changing fast enough that it may soon be a real, not merely a theoretical problem.
Law Enforcement Access to Encrypted Data and Private Keys. One of the most significant policy debates concerning encryption and health care information will turn out to be setting limits on law enforcement access to encrypted records. There are very few such limits today. However, law enforcement authorities may well request even greater access than they now enjoy.
Today, law enforcement authorities can ask a hospital or other care provider to turn over medical records to help with an investigation, particularly when billing fraud is suspected. Under the new HIPAA rules, most law enforcement requests for access will now at least create some kind of paper trail. Obviously, hospitals are and will be required to respond to a subpoena or a warrant. And this would include a subpoena or a warrant asking that a hospital turn over its private key, or the plaintext of encrypted messages.
The question is, whether users of encryption will be required to make their private keys accessible to law enforcement officers as a matter of course, at the time the keys are generated, without any subpoena, warrant, or other explicit request. For about a decade, this has been the policy of most law enforcement authorities.
For about a year, however, one has heard little of such proposals. Giving law enforcement the power to decode everyone’s email on demand—without application to a judge or accountability to any other branch of government—is a very questionable idea from a constitutional or a democratic standpoint. It may impact the level of trust that patients feel in the health care system. There is a consensus among security experts that putting a “back door” in encrypted data especially for the police would make the entire system less secure. And for many types of encryption, the concept of the police storing a copy of everyone’s key for them is simply unworkable. Some of the strongest security systems generate a fresh key for every message or session and discard it afterwards. The police might end up with billions of keys for just one user.
It seems likely that we have seen the last of federal proposals to store a copy of everyone’s decryption keys. But it would not be surprising to see such proposals resurface among local law enforcement authorities.
Encryption is becoming more important to secure health care information because providers and patients alike want to be able to access records whenever and wherever they need them. Encryption is a necessary component of securing email and intranets and would likely be very important even without HIPAA. The new HIPAA rules have added an element of haste and urgency to the mix, so there may be some forced errors. Administrators should beware of software vendors who claim to have a one-size-fits-all solution to HIPAA compliance.
On the policy front, it remains to be seen what will emerge. There is a possibility that some states will insist on stricter standards than those imposed by HIPAA. This will lead to another major battle as the industry calls for federal preemption. There is also the possibility of a privacy battle with law enforcement over who will keep copies of private encryption keys.