Encryption and decryption from security law perspective (Part II)

July 3rd, 2009 by Olga Koksharova
Category: «Did you know that...?», «General», «Legal Questions», «Security», «Tips & Tricks»

In my previous post I suggested several variants of computer security as interpreted by different laws. Now I’d like to get to ciphers… again viewed by law.

So, how does the law see encryption and decryption issues through the lens of a security standard? First of all, it says there simply should be encryption/decryption tools available.

ENCRYPTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement a mechanism to encrypt and decrypt electronic protected health information.”

Understood: only qualified people can have access to sensitive internal data. However, again no specific hardware or software is mentioned. Another critical component is auditing.

Audit Controls – Standard § 164.312(b)
This standard has no implementation specifications. It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems…

Again and again we read “reasonable and appropriate”: security, encryption, audit… Each company decides for itself what is reasonable or not, and having professionals responsible for IT security questions is a good idea. For an amateur, today’s world of emerging encryption options can become a nightmare.

Computer security management is not only about introducing anti-virus software and password managers; it’s a multi-layer cake, and regular security audits are one of the top layers. You decide which means to use to safeguard privacy and data security, but you cannot omit the security audit; still, it’s up to you to decide such things as audit frequency and audit methods. A kind of freedom of choice. 🙂
*Information Security Law: The Emerging Standard for Corporate Compliance by Thomas J. Smedinghoff.