Dumb Privacy Rules: How Lawyers are Ruining It for Everyone

Father Guido Sarducci, comedian Don Novello’s ecumenical doppelganger, had a routine where he discussed the idea of the “5-minute University,” where he would teach you in five minutes everything you would remember about college five years after graduating (Economics? Supply and Demand). Sometimes it pays to reduce a law, regulation or policy to its essence to understand what it means. Take HIPAA and HITECH, the U.S.-based health information privacy laws and their follow-on regulations. There are hundreds of pages of laws, regulations, privacy rules, security rules, case law and interpretations. But in the end, in Father Guido Sarducci’s course, HIPAA can be reduced to the following: “Use medical information for medical purposes, and protect it.”

One problem is that the hundreds of pages of rules and regulations—and the behavior that these rules engender—tend to obscure rather than emphasize these principles. Moving from (fake) Catholicism to Judaism, there is the concept of “gezeirah”—rules created by rabbis that are not strictly required by the Bible, Talmud or Jewish law but are intended to act as a “fence” around these rules to avoid even the possibility of violating a rule or commandment. Much of the problem with privacy and security requirements lies not with the requirements, but with the gezeirah that lawyers, regulators and risk personnel impose around these requirements. This is what I call “dumb security”: security and privacy requirements that are not required by the rules or statute but are used as an excuse to show false compliance. Stupid stuff.

Take HIPAA. Please. As noted above, at its core, it’s a smart, common-sense rule that is intended to protect patient privacy, ensure that sensitive medical information is used for medical purposes and promote the sharing of medical information for improved patient outcomes. It’s intended to foster the development and use of electronic health records (EHR), improve information flow, promote more efficient payment systems and improve administration.

Cough, cough.

Then comes the gezeirah. Rather than promoting information flow, HIPAA is used to impede and prevent the free flow of information. Rather than setting a single standard for EHR, we have a patchwork quilt of non-interoperable data standards. HIPAA is used to keep data from patients and their families, and even to keep data from doctors and providers. And the problem is not HIPAA. It’s the gezeirah.

Recently, I stopped by my friendly DMV to get a license renewal. Because I have what is called “mono-vision” (one eye corrected for reading, the other for distance) I was unable to read the bottom line of the chart with the right eye. A simple solution would have been for me to remove my right contact lens, but I didn’t think of that in time. “No problem,” the bureaucrat said, my optometrist could fax in a form and I could get my license. So I call my chain Mr. Eye or Dr. Eye, or the Eye Guy, or whatever optometrist, they pull up my record and confirm that I am me (kinda). Great. I offer to email them the form to fill out, and provide them with the fax number of the DMV where they are waiting for the form. “Oh, we are not allowed to use e-mail,” says the optometrist office. “Why not?” I ask, knowing the answer in advance. “HIPAA.” “No problem,” I reply, “You can pull the form up from the web.” Nope. No internet access. Why not? HIPAA! But, I can fax them the form and they will fax it to DMV.

Or, consider a scenario under which my twin brother, who is a doctor, saw a patient who had stepped on a rusty nail. He wanted to treat the patient with a tetanus shot, but only if the patient had not already received one. A call to the patient’s provider to learn whether the patient had been administered such a shot previously was unavailing, as the provider refused to share the information, despite the doctor (my brother) faxing a request on his stationery (which includes his DEA number) because he, the doctor requesting the information, could not be authenticated. So the patient received a potentially unnecessary and potentially harmful procedure because of HIPAA. Well, not HIPAA, but HIPAA gezeirah.

The same is true in other areas where law and technology meet. If a law or regulation such as Gramm-Leach-Bliley (GLBA) requires (or suggests) two-factor authentication, we place a picture of a baseball or sailboat on the app or website and call it multifactor authentication! Voilà! Compliance!

You keep saying that word. I do not think it means what you think it means.

One of the reasons for this reaction is that it is easier to have rules-based security rather than risk-based security. The rules are developed initially based on a risk model, but then the rules become a substitute for a genuine risk assessment. That’s why you can’t bring a toenail clipper on a commercial flight—not because it represents a genuine threat, but because it violates a rule that was developed based on a threat analysis. But when you have a rules-based system (particularly one that punishes rules violations), you lose sight of the real objectives. Following the rules becomes the goal.

Each individual decision is not stupid or dumb, but together they result in a system which is dumb. If you call the hospital to find out how your mom is doing, they will refuse to tell you because (a) they can’t validate who you are; (b) they can’t validate that you are authorized to receive the information; (c) they can’t transmit the information over an insecure mechanism; or (d) some other reason they can’t give you the information. But HIPAA expressly permits the sharing of patient information with family members in most circumstances. Don’t believe me? Just Google it on the HHS website. It’s not that difficult. But under the gezeirah, almost every provider will tell you that they aren’t permitted to share this data—because if you share the data when you are not permitted to, you will get into trouble and potentially have a breach. But if you don’t share the data when you are permitted (required?) to do so, nothing happens except that the patient and their family are inconvenienced and potentially harmed. So lawyers and compliance officers have trained their staff to the gezeirah and not to the rule. Or dumb security.

The problem isn’t really lawyers. They are trying to avoid liability. But failing to do what you are permitted to do is sometimes as bad as doing what you are not permitted to do. At the end of the day, the important thing to do is what makes common sense. And at the end of the day, that’s usually what the law requires as well.

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
