There is no “one-size-fits-all” answer or single “solution” to the debate over encryption and law enforcement access to encrypted data, the bipartisan Encryption Working Group (EWG) explained in a recent report.
EWG has held meetings for the past year with stakeholders from private industry, the intelligence community, federal law enforcement, state and local law enforcement, civil society, and the academic community to discuss data encryption, make key observations, and find opportunities for progress.
House Judiciary Committee Chairman Bob Goodlatte, Ranking Member John Conyers, Jr., House Energy and Commerce Committee Chairman Fred Upton, and Ranking Member Frank Pallone, Jr. established EWG earlier this year “to conduct a thorough and objective review of the encryption challenge.”
“There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement,’” EWG wrote in its report. “This conversation implicates everyone and everything that depends on connected technologies—including our law enforcement and intelligence communities. This is a complex challenge that will take time, patience, and cooperation to resolve.”
EWG made four main observations about data encryption:
- Any measure that weakens encryption works against the national interest
- Encryption technology is a global technology that is widely and increasingly available around the world
- The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the “going dark” phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge
- Congress should foster cooperation between the law enforcement community and technology companies
Some of EWG’s suggested next steps could have a potential impact on the healthcare industry, and how providers, vendors, or even business associates need to approach data encryption options.
For example, EWG reviewed the idea of legal hacking, which is when “a law enforcement agency exploits a vulnerability in the digital security of a device or service in order to obtain evidence of a crime.” Healthcare organizations use a loosely similar idea against themselves, with authorization and for defensive purposes: penetration tests that probe their own systems for exploitable flaws, and simulated phishing campaigns in which a provider sends its own employees fake phishing emails to see how many would fall for such an approach.
“Many stakeholders argue that, rather than building new vulnerabilities into secure products to facilitate law enforcement access, law enforcement agencies should be given the resources to exploit the flaws in secure products that already exist,” the report’s authors explained.
However, legal hacking is also a time- and resource-intensive approach, and the necessary expertise and funding may not be available to agencies at the state or local level.
“Other stakeholders expressed concern that a legal hacking regime creates the wrong incentives for government agencies that should be working with private companies to patch vulnerabilities and improve cybersecurity,” EWG added.
The report also addressed privacy and data security issues going forward with data encryption.
The increasing use of encryption—especially in consumer products—can be attributed, at least in part, to heightened consumer awareness and interest in online privacy and data security. Because consumers also demand the convenience and features enabled by information-sharing and third-party access to personal information, many applications now have access to expansive consumer information. Congress should further explore the role of encryption in fostering greater data security and privacy.
Furthermore, EWG said that Congress should consider how companies can “use encryption to better protect consumers’ privacy and the security of consumers’ information” and how consumers’ privacy and data security would suffer if encryption were weakened.
With healthcare, these are already key considerations for covered entities and business associates. Even though the HIPAA Security Rule lists encryption of health data as an “addressable” rather than a “required” implementation specification, addressable does not mean optional: an organization must implement encryption if it is reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. Organizations should therefore not ignore health data encryption or automatically assume that it does not apply to their operations.
There are also publications available to help healthcare organizations better understand data encryption, and how it can be properly utilized with regard to HIPAA. For example, the National Institute of Standards and Technology (NIST) published guidance on this topic. “An Introductory Resource Guide for Implementing the HIPAA Security Rule” (NIST Special Publication 800-66) was designed to provide more depth and insight by mapping each HIPAA Security Rule standard to the corresponding controls in NIST’s standard security controls catalog, SP 800-53.