5 votes

The phone bill security hole in HIPAA

1 comment

  1. skybrian
    (edited )

    From the blog post:

    The HIPAA standard – implicit in the deidentification rules – of what constitutes Personally Identifying Information, and how that includes phone numbers.

    Which makes sense, right? Phone numbers are incredibly easy to track down to a person associated with them. A phone number is almost as good as a social security number, to be honest. If an antagonist gets a phone number out of a record, they can pretty easily connect it with a person – especially if the antagonist knows who they're looking for, and already knows that person's phone number.

    [...]

    No treater is required to have a HIPAA BAA with any phone company, whether landline or cell, if it's not VOIP. VOIP is covered by HIPAA, but regular landlines or cell phones are not.

    And I don't just mean telephone service providers don't do some sort of meaningless HIPAA paperwork. No, I mean they wildly violate the security principles HIPAA allegedly is to protect.

    Because if we all agree that telephone numbers are Personally Identifying Information, well, then, what exactly is a therapist's telephone bill with itemized calls?

    I have an ATT cell phone. I know for a fact that ATT keeps at least three months records of every number your phone connects with. It may, in fact, keep longer records than that, I just know that they keep three months because they slap that up on a website the account holder can access, and I've used it.

    That information is perfectly "digital", perfectly PII, and being held by a business with no motivation or reason to secure it to HIPAA standards (which include access logging which is actually pretty expensive to implement, so nobody does it who doesn't have to), because HIPAA doesn't apply.

    This isn't a theoretical risk, or at least is no more theoretical a risk than man-in-the-middle attacks on your email. Indeed, there are a whole variety of attack vectors here that are super plausible, and even, in some circumstances, likely.

    We're supposed to forego plaintext email because Oh No! A SysAdmin Might Read Your Patients' Emails! while the entire customer service department of ATT can help themselves to the complete list of every patient I've talked to on the phone, and it's a-okay as far as HIPAA is concerned.

    [...]

    The right solution to the security issues of email, from a healthcare perspective, where we're – quite evidently – perfectly okay with the risks of telephone service providers knowing whom a healthcare provider calls, has nothing to do with any law that devolves upon the shoulders of healthcare providers.

    Think. Why do we, as a society, have the attitude towards the security of telephone communications that we do? I mean, aside from bad habit. There's a reason. And it's a pretty good one.

    [...]

    We didn't solve the problem of the security and privacy of commercial phone service for most of a century by imposing encryption requirements. We didn't, AFAIK, have encryption to have recourse to. So we solved it the old-fashioned way, by making it illegal to do the thing we thought people shouldn't get to do.

    1 vote