encryption

November 24, 2021

The History and Modern Uses of Encryption

Codebreaking has long been a staple of futuristic sci-fi movies. So many times when we go to the movie theater, we’ll see a sunglasses-donned man typing furiously at his computer, trying to break a seemingly unbreakable computer code. And more often than not, the man cracks the code in just a matter of seconds, showing the audience just how astute the man is. However, this stereotypical portrayal of hackers and codebreaking, thankfully, is not grounded in reality.

In the real world, encryption technologies are much more complicated than Hollywood likes to present. No single hacker is ever breaking modern encryption technology by themselves, thanks to its incredible security in the modern day. But, what exactly is encryption? It’s certainly used as a cybersecurity buzzword, but what about encryption actually keeps your files safe?

Well, simply put, encryption is a code. A user enters legible information, known as plaintext, and then encryption software encodes the plaintext into ciphertext, an illegible string of characters. It can be a code as simple as A=1, B=2, C=3 and so on, or something as complicated as AXEL Go’s 256-bit encryption. After the translation from plaintext into ciphertext, only authorized members with a “key”, a piece of information that decrypts encoded information, can translate the ciphertext back to readable plaintext. This relatively simple process has revolutionized cybersecurity, allowing an extra, vital layer of protection between someone’s information and unauthorized users.

The History of Encryption

Some may believe that encryption started with the invention of the computer. However, the practice of encoding information has been popular (and necessary) long before the Digital Revolution. Encryption was first used by Ancient Greeks and Egyptians to conceal secret information. In fact, the earliest known example of encryption was found in ancient Mesopotamia, when a scribe used symbols to hide a formula for pottery glaze[1]. Later, this method was used to protect military secrets and strategies, a practice still used today. 

Centuries later, encryption technology became much more advanced. By the beginning of World War II, encrypted communications during war were the norm for all nations. The Axis powers used an Enigma machine, an encryption device that used rotating wheels to scramble plaintext into ciphertext. However, the Allied powers quickly learned how to decrypt these messages through brute force, using computers to try all combinations until the key was discovered[2]. Although computers were just in their infancy during World War II, the successful decryption of the Enigma machine highlighted just how powerful and secure computers can be, especially in the field of encrypted communications.

Following the Allied victory, encryption technology advanced exponentially. Computers gained more and more processing power, making encryption devices, such as the Enigma, artifacts of the past. Now, computers have become so powerful that brute force attacks simply are not feasible. For example, the United States military and AXEL Go use the Advanced Encryption Standard (AES) with a 256-bit encryption key. While 256 bits may not seem like a lot, this means that there are 2^256 possible key combinations, or 1.158 x 10^77 combinations. To put this number in perspective, there are only an estimated 7.5 x 10^18 grains of sand on Earth[3]. It’s safe to say that modern-day encryption is incredibly secure.

How is Encryption Used Today?

In the earlier days of encryption, cracking encryption keys was difficult, but not impossible. Now, however, cracking modern-day encryption technology is impossible without human error. That’s because it would take the world’s most powerful supercomputer millions of years to go through the number of possible key combinations in AES encryption[4]. Because of this incredible amount of security, encryption isn’t just used by governments any more. Any large company that stores customer data uses encryption as an extra layer of defense against unauthorized cybercriminals. With encryption, even if attackers gain access to a company’s data, they’d need a key to translate the ciphertext into legible plaintext. And as long as the encryption key is stored safely, no outsiders will be able to decrypt that data.

However, it’s important to note that not all encryption is built the same. In fact, there are two broad categories of encryption: Symmetric Key and Public Key. Symmetric Key encryption uses the same key to encrypt and decrypt the data. This simpler method is the most used, as it executes the encryption quickly[5]. Public Key, however, uses a public, shared key for encryption, and a different, private key for decryption. Because of the complex logic required for Public Key encryption, it is not as popular[5].

Unfortunately, some have begun to use the incredible power of encryption for less-than-savory reasons. Cybercriminals typically use encryption during ransomware attacks to encrypt the victim’s files. And because modern-day encryption is so secure, victims typically must either pay the ransom to the cybercriminals in exchange for the decryption key, or simply lose all of their encrypted files forever[6]. Even worse, the targets of these attacks can range from individuals to entire governments. That’s why it’s important to use cybersecurity strategies when handling any amount of shared cloud files. While encryption technology has done so much good in the fields of secure communications and cybersecurity, it has also been taken advantage of by criminals who wish to harm individuals and businesses for a quick buck.

Why Encryption Matters

From its humble beginnings in Ancient Mesopotamia to its complex usage today, encryption has been a useful tool for centuries because of one simple philosophy: Not everything should be public. Whether you’re handling your government’s top-secret documents or your grandmother’s top-secret pumpkin pie recipe, encryption is the best way to ensure secure communications. 

AXEL believes that privacy is a human right, and that your information ought to be protected. Put simply, we believe that you should control your data and who gets access to it. That’s why we created AXEL Go. AXEL Go uses AES encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. In today’s Digital Age, secure file sharing is a necessity for businesses and individuals. If you’re ready to try the best file sharing app for PC and mobile devices, get two free weeks of AXEL Go here.

[1] “History of Cryptography.” Binance Academy. Binance Academy, August 24, 2021. https://academy.binance.com/en/articles/history-of-cryptography

[2] “Colossus.” The National Museum of Computing. Accessed November 23, 2021. https://www.tnmoc.org/colossus

[3] Dotau, Sean. “All You Need to Know about 2^256.” Talk Crypto Blog, April 8, 2019. http://www.talkcrypto.org/blog/2019/04/08/all-you-need-to-know-about-2256/

[4] Nohe, Patrick. “What Is 256-Bit Encryption? How Long Would It Take to Crack?” Hashed Out by The SSL Store, June 11, 2021. https://www.thesslstore.com/blog/what-is-256-bit-encryption/

[5] “Exploring the Differences between Symmetric and Asymmetric Encryption: Cyware Hacker News.” Cyware Labs. Cyware, November 30, 2019. https://cyware.com/news/exploring-the-differences-between-symmetric-and-asymmetric-encryption-8de86e8a

[6] Johansen, Alison Grace. “What Is Encryption and How Does It Protect Your Data?” Norton, July 24, 2020. https://us.norton.com/internetsecurity-privacy-what-is-encryption.html

Filed Under: Cybersecurity, Tech Tagged With: business, cryptography, encryption, history of encryption, Privacy, technology

July 30, 2021

Lawyers are the New I.T.: Tech Tips for Legal Professionals

As workplaces embrace modern technology more than ever before, knowledge of that technology is essential. No matter your job, employees must possess some amount of technical skill in order to maintain efficiency and complete their tasks. Even the most traditional law firms in the United States use some amount of technology. However, no matter if you work at a more traditional firm or one that has gleefully embraced legal tech, we can all become more advanced and efficient with our technology.

From increasing efficiency to protecting your business (and your clients), these tech tips will help ensure your firm is offering the very best.

Embrace New Tech

This may sound simple, but embracing new technology is one of the best ways to stay efficient and safe in the workplace. No, you don’t have to buy new computers every six months, but being aware and researching new programs can give you an edge over the competition. Find out what software can help automate your tasks, or what legal tech program saves your firm valuable time.

The best businesses are all embracing the technology that is available to them. However, change can certainly be scary. After all, many of us learned to work from home, using new software and programs that we weren’t used to. It was undoubtedly stressful to learn so many new programs in a short amount of time. But after a bit, we got used to it. We mastered the new technology, and are more efficient and successful because of it. Using new technology can be daunting, but it undoubtedly helps you and your business in the long run.

Update, Update, Update

Updating your software is one of the most important (and easiest) tech tasks to complete. We’ve all seen them and occasionally ignore them. Restarting a device in the middle of a workday can certainly be annoying, but it’s vital to do so. Software updates patch security holes and other vulnerabilities in your software. And as we’ve seen with the numerous ransomware attacks this year, cybercriminals will find these vulnerabilities and exploit you and your business without hesitation. Updating your operating systems and security software will give you more protection against these threats.

Take Advantage of Free Trials

Many legal tech providers offer free trials of their products for firms. Use them! Test out new programs often to see if they work for your firm. Don’t become complacent simply because you’re used to a certain software. If there’s software that fits your firm’s needs better, try it out.

Technology has never been stagnant; it advances quickly, and new programs that maximize efficiency can come quickly as well. Being open-minded about new programs and software will help ensure your firm is as efficient as possible. Of course, this doesn’t mean you should change your entire firm’s software every week, but learning about and testing out new programs will keep you knowledgeable about the technology that could potentially help your firm. And when a new program comes out that works perfectly for your workplace, you’ll be the first to take advantage of it.

Learn Your Technology

Most of us know the basics of computers and common software, but there are so many more things to learn. From the classic “Ctrl + C” and “Ctrl + V” for copying and pasting to the most advanced Excel commands, there are so many ways to maximize efficiency with shortcuts. Take an afternoon to learn and practice shortcuts that can help your efficiency at the office. And when your business upgrades to new software, learn that software quickly as well! Learning the ins and outs of programs can save you hours per day, leaving more time available for other projects.

In addition to learning about your technology, you should learn what to do when the technology suddenly stops working. From Internet outages to hardware malfunctions, be aware of common troubleshooting techniques to help prevent costly, efficiency-killing problems throughout the office. Learning these techniques can save you both time and money.

Backup Your Documents

Unfortunately in today’s digital era, online documents are constantly in jeopardy. Security holes, data breaches, and cybercriminals all pose a threat to data in the cloud. The solution? Make sure your data is available offline. This means putting your documents (yes, all of them) onto a physical hard drive, safe from online dangers.

In addition, you should update your hard drive often. Don’t make it a one-and-done task; update your hard drive monthly. This ensures that all of your data, including your most recent documents, is safe and secure from cybercriminals and ransomware attacks. After all, they can’t hold your data hostage if you already have it offline. So while this is a monthly task that takes some time, it gives you and your business peace of mind, with the knowledge that your data will always be available.

Encrypt Your Data

Finally, to truly protect your data, encryption is the way to go. Encryption changes your data into a code, and the data can only be accessed with a “key” to that code. This means if hackers got ahold of your encrypted data, they would have nothing of value. It really is the ultimate form of protection from cybercriminals and data breaches.

However, not all encryption is built the same. For example, AXEL Go, AXEL’s file-sharing and cloud-storage software, offers industry-leading AES 256-bit encryption. While 256-bit encryption may not sound impressive, in practice, it is astoundingly secure. The number of potential combinations to find the “key” is a massive 78-digit number. Experts estimate it would take the world’s fastest supercomputer billions of years to find the encryption key. So even if thieves got their hands on your encrypted data, it’s worthless to them, but usable for you.

Get Two Free Weeks of AXEL Go

If you’re ready to embrace new technology and protect your data, try two free weeks of AXEL Go. AXEL Go is a file-sharing software with an unwavering focus on security. AXEL Go lets employees share, store, and collect documents securely, all in a simple, easy-to-understand user interface. Offering blockchain technology, military-grade encryption, and digital “shredding,” AXEL Go offers the perfect marriage of simplicity and stringent security. To try AXEL Go for free for two weeks, click here.

Filed Under: Tech Tips Tagged With: business tips, encryption, lawyer, legal tech, Tech

May 28, 2021

Encryption: The Past, Present, and Future

Encryption is a hot topic these days. Governments worldwide are attempting to control it via legislation like the United States’ EARN IT Act, and it is the bane of law enforcement agencies everywhere. But, what’s the big deal about it? In this blog, we look to go over a brief history of the subject, the current state of affairs, and what the future holds.

The history

The word encryption derives from the Greek word kryptos, which means hidden. It is a way to store and share information privately so that only the intended recipient can understand its meaning.

Unsurprisingly, the need for discreet communication stretches far back into recorded history. To understand how the early forms of cryptography worked, first, we’ll define the most common methods ancient peoples used.

  • Transposition. A transposition cipher (code) is where the sender rearranges letters in a word to make them appear garbled to unknowing viewers. This rearrangement follows a predefined system only known to the sender and recipient. The recipient decodes the message using the predefined system and can then understand the message.
  • Substitution. A substitution cipher replaces characters with other characters according to predetermined rules. For example, all Es get turned into Rs, Ts into Bs, etc.

Ancient encryption

The most famous early form of encryption is used in the Old Testament of The Bible circa 500-600 B.C. Here the Hebrew writers use a substitution cipher known as Atbash[1]. Atbash simply reverses the order of the alphabet (A becomes Z and so on). The Book of Jeremiah contains passages where proper nouns are referred to only in Atbash.

Later, in 487 B.C., the Spartans used a transposition cipher called ‘scytale’ to communicate during military campaigns[2]. Here, they used a rod of a specific diameter and wrapped a piece of parchment with the encoded message around it. Once bound, it revealed the true meaning of the message.

Speaking of military operations, Julius Caesar favored a substitution cipher to give orders and receive updates from his generals in the field[3]. This method moved each letter three to the right (A becomes D, S becomes V, etc.).

These ciphers worked well until mathematicians began noticing patterns in the prevalence of certain characters in the 9th century A.D.[4]. They cracked the code, which resulted in the creation of more modern forms of cryptography.
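The substitution ciphers above and the letter-frequency weakness that ended them, as an added Python example (not part of the original post; the sample message, the approximate frequency table and the function names are constructed for illustration). It goes slightly beyond the text by using a chi-squared score to pick the most English-like of the 26 possible Caesar shifts.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of each letter A..Z in English text.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]))

# Constructed sample message, not a historical text.
SAMPLE = ("Send the third legion across the river at dawn and hold the "
          "eastern bridge until the supply wagons arrive")


def _substitute(text, cipher_alphabet):
    """Replace each letter using a 26-letter cipher alphabet; keep case and punctuation."""
    table = str.maketrans(ALPHABET + ALPHABET.lower(),
                          cipher_alphabet + cipher_alphabet.lower())
    return text.translate(table)


def atbash(text):
    """Atbash: reverse the alphabet (A<->Z, B<->Y, ...). Applying it twice decodes."""
    return _substitute(text, ALPHABET[::-1])


def caesar(text, shift):
    """Caesar: move each letter `shift` places to the right; a negative shift decodes."""
    shift %= 26
    return _substitute(text, ALPHABET[shift:] + ALPHABET[:shift])


def letter_counts(text):
    """Count letters only, ignoring case, spaces and punctuation."""
    return Counter(c for c in text.upper() if c in ALPHABET)


def chi_squared(text):
    """Distance between the text's letter counts and typical English; lower is closer."""
    counts = letter_counts(text)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Recover the shift without the key: undo all 26 shifts, keep the most English-like."""
    shift = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return shift, caesar(ciphertext, -shift)


if __name__ == "__main__":
    secret = caesar(SAMPLE, 3)
    print("ciphertext:        ", secret)
    # The substitution hides letters but not how often each one occurs:
    print("most common letters:", letter_counts(secret).most_common(3))
    print("recovered:         ", break_caesar(secret))
    print("atbash:            ", atbash(SAMPLE))
```

Because a substitution cipher maps each letter to the same replacement every time, the most frequent ciphertext letter still stands for the most frequent plaintext letter, which is the pattern the paragraph above refers to.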

From the 15th century through WWII

Leon Battista created the first polyalphabetic cipher in Italy around 1467 A.D.[5]. Polyalphabetic ciphers use a combination of multiple alphabets, which dramatically increases encryption’s effectiveness. Battista also developed the cipher disc, a mechanical device that uses various concentric wheels with letters inscribed on them to encode and decode messages. It’s no wonder that he’s known as the ‘Father of Western Cryptology.’

Fast forward to the middle of the 19th century. Famous writer Edgar Allan Poe had readers send him ciphered messages, which he attempted to decode in a weekly paper[6]. It’s interesting to think about Poe sitting in his study taking a break from authoring classic tales to nerd out on some secret messages. Eventually, he even penned an essay on cryptography that the British Army used in World War I to break German ciphers. So, we’re lucky he had such a hobby!

World War II is when cryptography became a well-known issue. The Nazi Enigma machine was a highly complex encryption tool that used an electromechanical rotor system to scramble letters input by an attached keyboard. Polish mathematicians had been able to replicate Enigma machines in 1932, but the British and French forces couldn’t decode German messages as late as 1939. The Allies brought in the Polish codebreakers, and by the time the war was in full effect, they could decipher the Nazis’ secret messages. Changes to the machine and codes throughout the war still made it very difficult, however. This led to Britain’s Alan Turing’s innovative decryption techniques[7] that may have shifted the war in the Allies’ favor.

Modern encryption

That brings us to the modern era. Cryptography really matured as a field of study with the advent of computer technology. Instead of relying on complex mechanical devices, computers could use mathematical equations and algorithms to create better encryption. The two common algorithms used today are the Symmetric Key Algorithm and the Public Key Algorithm.

Symmetric Key Algorithm. In cryptography, keys are the mathematical parameters used to encrypt and decrypt data. The Symmetric Key Algorithm utilizes the same key for encoding and decoding. The method can encrypt information in chunks (called a block cipher) or by individual characters. Examples of the Symmetric Key Algorithm in practice include:

  • DES (Data Encryption Standard). Developed in 1975, DES became the Gold Standard in encryption for a period. It is a block cipher that uses a 56-bit key. While this was suitable in the 70s and 80s, it is not used anymore due to advancements in computer processing power. Computers today could brute force crack a 56-bit key in a matter of hours.
  • AES (Advanced Encryption Standard). AES builds off the DES algorithm and makes it significantly more secure. It has variants that feature 128-bit, 256-bit, and 512-bit keys. AES 256-bit encryption is the official standard for U.S. government agencies such as the NSA. Incidentally, it is the algorithm AXEL Go uses to encrypt file passwords. Experts estimate it would take billions of years to brute force crack[8].

Public Key Algorithm. Public Key Algorithms, on the other hand, use two different keys for encryption and decryption. This provides even safer encryption and is used in the RSA token system, digital signatures, and blockchain technology.
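An added example, not from the original post and not AXEL's code, contrasting the two categories described here and in the November 24, 2021 post above. Assumptions: a SHA-256 keystream stands in for AES (which Python's standard library lacks), the RSA pair is unpadded textbook RSA over small, publicly known primes, and all function names are hypothetical; neither construction is fit for protecting real data.

```python
import hashlib
import secrets

# --- Symmetric key: the SAME secret key encrypts and decrypts -----------------

def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption: stand-in for AES, teaching only).

    XORs the data with a keystream of SHA-256(key || nonce || counter) blocks.
    Running it again with the same key and nonce undoes the XOR.
    """
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[start:start + 32], pad))
    return bytes(out)


# --- Public key: one key encrypts, a DIFFERENT key decrypts ---------------------

# Textbook RSA built from two publicly known Mersenne primes (illustration only:
# real keys use secret random primes of 1024+ bits each, plus padding such as OAEP).
P, Q = 2**61 - 1, 2**89 - 1
PUBLIC_KEY = (P * Q, 65537)                                  # (n, e): shared openly
PRIVATE_KEY = (P * Q, pow(65537, -1, (P - 1) * (Q - 1)))     # (n, d): kept secret


def rsa_apply(key, value: int) -> int:
    """Raise `value` to the key's exponent modulo n (the core RSA operation)."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def public_encrypt(message: bytes) -> int:
    """Anyone holding the public key can produce a ciphertext."""
    return rsa_apply(PUBLIC_KEY, int.from_bytes(message, "big"))


def private_decrypt(ciphertext: int) -> bytes:
    """Only the holder of the private key can turn it back into the message."""
    m = rsa_apply(PRIVATE_KEY, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    message = b"meet at dawn"  # constructed sample plaintext

    # Symmetric: sender and recipient must already share `key`.
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)  # 256-bit key
    ct = symmetric_crypt(key, nonce, message)
    print("symmetric ciphertext:", ct.hex())
    print("same key decrypts:   ", symmetric_crypt(key, nonce, ct))
    print("other key decrypts:  ", symmetric_crypt(secrets.token_bytes(32), nonce, ct))

    # Public key: the sender needs only PUBLIC_KEY; no shared secret is exchanged.
    c = public_encrypt(message)
    print("public-key ciphertext:", hex(c))
    print("private key decrypts: ", private_decrypt(c))
    print("public key again gives the message back?",
          rsa_apply(PUBLIC_KEY, c) == int.from_bytes(message, "big"))
```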

The future of encryption

While modern encryption is fantastic at protecting data against commonly-used cracking methods, it isn’t completely future-proof. Analysts expect that if quantum computing becomes powerful enough, the algorithms used today could be easily cracked[9]. This is concerning, but it seems as if the industry is aware of the potential problem. First off, the prototype quantum computers of today aren’t capable of such feats, and the tech is tricky in general. It’s unknown if quantum computers will ever get to the point of being useful. Even if it happens, however, there are already quantum-safe encryption algorithms. Software developers will need to update their products accordingly before these quantum computers become commonplace and readily available.

AXEL – At the cutting edge of technology

AXEL developers are at the forefront of the privacy technology movement. That’s why our secure, private file-sharing and cloud storage software AXEL Go already incorporates military-grade AES 256-Bit encryption and blockchain technology. Undoubtedly, we will keep up with the times and shift our encryption strategy as it becomes evident we need to upgrade. We’re always looking for new ways to improve the security and privacy of our platform.

Sign up for a free AXEL Go account today and receive a 14-day trial of our Premium Service with all features unlocked. You will love the peace of mind proper data security affords you. Join the privacy revolution today and download AXEL Go.


[1] Jenny Kile, “The Atbash Cipher and Jeremiah 51:1”, MysteriousWritings.com, https://mysteriouswritings.com/the-atbash-cipher-and-jeremiah-511/

[2] Milica Djekic, “Scytale – Cryptograph of the Ancient Sparta”, OzScience.com, Nov. 11, 2013, http://ozscience.com/technology/a-scytale-cryptography-of-the-ancient-sparta/

[3] Jason Andress, “The Basics of Information Security”, ScienceDirect.com, 2014, https://www.sciencedirect.com/topics/computer-science/caesar-cipher

[4] “Code Breaking a Thousand Years Ago”, 1001inventions.com, https://www.1001inventions.com/feature/code-breaking/

[5] William Servos, “The Alberti Cipher”, trincoll.edu, April 25, 2010, http://www.cs.trincoll.edu/~crypto/historical/alberti.html

[6] R. Morelli, “Edgar Allan Poe and Cryptography”, trincoll.edu, May 3, 2018, http://www.cs.trincoll.edu/~crypto/historical/poe.html#:~:text=Like%20other%20literary%20figures%20of,application%20of%20reason%20and%20logic.

[7] “How Alan Turing Cracked The Enigma Code”, IWM.org.uk, https://www.iwm.org.uk/history/how-alan-turing-cracked-the-enigma-code

[8] Mohit Arora, “How secure is AES against brute force attacks?”, EETimes.com, May 7, 2012, https://www.eetimes.com/how-secure-is-aes-against-brute-force-attacks/

[9] Stephen Shankland, “Quantum computers could crack today’s encrypted messages. That’s a problem”, CNet.com, May 24, 2021, https://www.cnet.com/news/quantum-computers-could-crack-todays-encrypted-messages-thats-a-problem/

Filed Under: Tech Tagged With: cryptography, encryption, history of encryption, quantum computer

October 30, 2020

You Can’t Crack Good Encryption But You Can EARN IT

Encryption is a hotly debated topic these days. Privacy advocates love it; governments and law enforcement are less enthusiastic. One of the most significant discussions regarding encryption at the moment is the United States’ EARN IT Act. This controversial piece of legislation could have major privacy implications moving forward.

The EARN IT Act’s journey

On March 5, 2020, a bipartisan group of U.S. politicians, including Sen. Lindsey Graham (R-South Carolina), Sen. Richard Blumenthal (D-Connecticut), Sen. Dianne Feinstein (D-California), and Sen. Josh Hawley (R-Missouri) introduced the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act. The legislation aimed to curb online child sexual exploitation through the creation of a national commission.

The commission

The act establishes a government commission consisting of 19 appointed individuals from various sectors. It includes high-ranking officials from the Department of Justice, the Department of Homeland Security, the Federal Trade Commission, as well as representatives from top law enforcement agencies, constitutional law experts, survivor groups, and more.

The commission would be responsible for devising a set of “best practices” that online companies would need to follow to maintain immunity from liability regarding third-party content posted on their platform. Congress would review and approve the list of mandated best practices. Once approved, the commission would need to certify companies as compliant with the policies before they received immunity. Simply put, immunity is not guaranteed. Online organizations would have to “earn it” (see what they did there?)

Businesses that do not follow the standard set of best practices would need to prove they have reasonable alternative methods to prevent child exploitation on their platform. As deemed by the commission, those who do not meet the minimum standards would be liable for lawsuits from sexual exploitation victims.

Amendments to the bill

This summer, while the bill was making its way through the Senate Judiciary Committee, lawmakers altered it to empower the states to form their own rules. The commission would still be retained along with its guidelines for best practices. However, it is now up to the states to bring civil and criminal lawsuits against content platforms that don’t do enough to prevent child exploitation.

In either form, the EARN IT Act, at its core, attempts to erode the legal protections stipulated by Section 230 of the Communications Decency Act of 1996. And it could create obstacles for the use of encryption technologies.

Section 230

The Communications Decency Act of 1996 is a component of the more comprehensive Telecommunications Act of 1996. This was the first law that incorporated the Internet into broadcast regulations. Section 230 of the CDA states:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

This means that content platforms aren’t liable for the content people post on them. It protects them from all sorts of nasty legal situations.

The most current form of the EARN IT Act affords states more leeway to decide whether a content platform is culpable for sexual crimes committed against minors.

The effect on encryption

So, how does this relate to encryption? If passed, the EARN IT Act significantly weakens the utility of encryption. The first iteration never specifically mentioned encryption, although the implications for the technology were evident. If, for instance, the government held social media websites liable for facilitating child exploitation via encrypted messages, why would the platform ever allow encrypted messages in the first place?

The whole point of encryption is that the centralized platform doesn’t have the keys to decrypt messages between two private parties. This ensures privacy and that Big Brother isn’t watching over your shoulder. Section 230 prevented roadblocks to encrypted communications. But, if the government can hold the content of encrypted messages against a business in civil or criminal cases, the organization has a massive incentive not to offer encryption services.

The amended EARN IT Act that passed through the Senate Judiciary Committee does mention encryption. In fact, it stipulates that end-to-end encryption by itself is not a reason to remove the Section 230 protections for a company. On the surface, this looks like a more reasonable bill. However, it suggests that organizations scan messages before they are encrypted to check for suspicious exploitative content. If any is present, they would have to forward the messages to the proper government authority for closer scrutiny. The practice is called “client-side scanning.”

So, would this really allow for end-to-end encryption? It appears to undermine its usefulness when companies scan every message before transmission.

Far-reaching consequences

AXEL is a data custody and privacy advocate. Our file sharing and storage platform, AXEL Go, prioritizes privacy and security. We provide the option to use encrypted password protection for all shared files.

We understand that this is a complex issue, and we want to prevent the exploitation of minors. However, this legislation could have a chilling effect on privacy and the future of encryption.

Encryption is a tool. It isn’t only useful for criminals. Privacy is a right for everyone, and this technology helps facilitate it. It doesn’t just hide your data from governments and corporations, but also malicious agents. Data breaches happen on a daily basis. If the hackers only score encrypted data, the haul ends up being useless. It helps prevent identity theft, as well as stolen credentials and payment information. Encryption is a part of the solution, not the problem. We can usher in a better online experience. One that isn’t fraught with invasions of privacy and data collection. Client-side scanning of all messages is not on the path toward this future.

If you’d like a secure, private file sharing and storage platform, download AXEL Go. It’s an easy-to-use program available on Windows, Mac, iOS, and Android devices. It uses secure technologies such as blockchain, the InterPlanetary File System (IPFS), and the aforementioned password encryption to ensure your data stays safe and confidential. Sign up for one of our free, Basic accounts and you will receive 2GB of free online storage, along with enough of our AXEL Tokens to fuel thousands of shares across our decentralized network.


Filed Under: Legal Tagged With: EARN IT Act, encryption, encryption law, Privacy

December 11, 2018

How To Sound Like A Cybersecurity Expert

Cybersecurity is a buzzy topic these days. Everyone seems to be clamoring for tips on how to stay safe online, and you read in a listicle somewhere that cybersecurity is currently one of the fastest growing fields. So how can you get a piece of the respect and professional prestige that a cybersecurity expert might have? Simply follow these tips.

Warn people about social media

Inform people that by posting photos of their brunch on social media, they are giving hackers and state actors the tools necessary to take them down.

But actually, that’s too specific and information-y to remember, and it’s kind of a downer. Make your warnings vague, as in, “that Facebook is up to no good!” or “be careful about Twitter!” This way, when the next terrible Facebook or Twitter thing happens, people will recognize your prescience.

Bring encryption up often

Now, you may not know what encryption is, and I certainly don’t, but what we do know is that it’s somehow important to cybersecurity experts. Talk about it a lot, and if you encounter someone whose knowledge on encryption is more advanced than yours, simply run away.

Make a big deal out of the dark web

Studies have shown that people love hearing about the dark web. Take advantage of this fact to improve your social standing by making a huge honkin’ deal out of the dark web whenever you can.

If you see someone holding a credit card, mention that there’s lots of stolen credit card information on the dark web. This will confuse them into thinking you can help them keep their credit card information off the dark web.

Extra points if you can explain to people what TOR stands for. But if someone actually asks you how it works, this is again the moment to simply run away.

Loudly proclaim that quantum computing is the future of cybersecurity

This is certainly true. Don’t ask me why.

If someone asks you to elaborate on your claims, run away.

Chant “identity, not perimeter” to anyone in your general vicinity

The idea here is that perimeter security, or the mighty firewall as some call it, will be overtaken by identity and access management security, which allows for more granular permissions to be set, and ensures that even if someone does breach the firewall, they won’t have access to everything.

But that’s sort of a long thing to remember, so just remember the chant. If anyone asks questions about the chant, tell them to stop interrupting the chant.

Start a group chat to share cybersecurity articles you don’t understand

You’re not legit until you’re sharing articles stating common facts that we all know, like “phishing is a thing” and “hackers have our data.”

To solidify your standing as a thought leader, however, you need to take it one step further. Sharing articles about concepts you don’t understand will allow you to rise to the top of the cybersecurity fake expert field. Look for a title like “why you NEED quantum encryption TOR identity blockchain security NOW.” If someone asks you what that means, tell them it’s too late for them if they don’t know.

Filed Under: Cybersecurity Tagged With: cybersecurity, dark web, data, encryption, infosec, Privacy, Social Media

July 19, 2017

A HIPAA Breach

A HIPAA breach can cripple your medical practice

Over the last few months we have discussed HIPAA in very general terms.  I have tried to impart some of the basics of its security and privacy obligations upon each of you, while ignoring the rest of the Act.

Certainly, it is a massive undertaking to fully grasp all of HIPAA’s ins and outs, and I will not ever try to bore you with the entire 5 sections of HIPAA. So if you need to know about Insurance Portability, Tax Matters, Group Plans, or Revenue Offsets, please feel free to read the other four Titles.

Now that we have discussed what information is subject to HIPAA and who is responsible to keep and control electronic protected health information (ePHI), it’s a good time to learn what I like to call the “so what?” of HIPAA.  As I travel, meet, speak with, and interact with doctors, I am often presented with the “so what?” response.

Many doctors have told me: “Steve, I understand that HIPAA exists, but we have always done it this way. I think we are compliant. Or we don’t know how to fully comply.” And almost all those conversations end with “so what if we are not compliant, no one will even look at my little office to audit us.”

So, I realized that I needed to do a little more in this blog. Let’s discuss what a breach is, what you have to do if you are in breach, and finally the “so what?”: what are the fines?

Let’s first learn what a “breach” is and is not.  A breach can be defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted, which compromises the security or privacy of the protected health information.

This means that if protected health information is in the possession of the wrong person and they can read it, a breach exists.  If you give Jan Smith’s records to Jane Smith, there is a breach.  Or if you fax medical records to (702) 555-1234, but the patient’s number was (712) 555-1234, you have a breach.

It’s these little mistakes that plague offices at times.  Most certainly, if your patient charts are on your laptop and it’s stolen, that’s a breach.  Should your server be accessed due to a hacking incident, or if you email a patient’s records to Kinkos as opposed to Dr. Kinko (the physician you intended to refer your patient to), you have a breach event.

Simply put, records must be seen only by those authorized to see them, and Covered Entities (CE) and Business Associates (BA) in possession of the records hold the responsibility to ensure no breaches take place.

“But what if my PHI is encrypted?” you ask. If the PHI was encrypted when the breach took place, you are probably covered. The unauthorized use or disclosure of PHI is presumed to be a breach, unless there is a low probability that the information was compromised.

So when the PHI ends up in the wrong hands, but all they see is 0s and 1s due to your encryption, you may be protected. If you realize an email went to joesmith@mail.org as opposed to josmith@mail.org, but the email was sent with encryption, you are probably OK not reporting a breach.

However, a breach notification is necessary in all situations except those in which the CE demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. We will discuss what a “risk assessment” is in the next blog.

But today’s blog is addressing a breach.  So, assuming a reportable breach took place, now what?  Once a CE or BA is made aware of a possible breach, they must report the breach to the Department of Health & Human Services.

The report must be made without “unreasonable delay”.  While it is not 100% certain what constitutes an “unreasonable delay”, 60 days appears to be the outer limit for reporting, and waiting until the 60th day could be unreasonable as well.

Some state laws provide stricter reporting rules, such as California’s mandate that you have 5 days to report a breach. We will discuss the notice details in a later blog.

And now the “So what?”  Here are the federal breach penalties.  But please take note that some states allow separate penalties.  Additionally, some states allow private causes of action against the CE by the harmed patients.  So these charts present only the tip of the iceberg in some cases.

Looking through the charts it is easy to see the risks you’re taking by not making sure your office is HIPAA compliant. In 2016, the Office for Civil Rights (OCR) collected over $20 million in fines, and in 2017 they have already disclosed over $17 million in fines collected.

Finally, don’t think that just because you are only an employee of a company, you are immune from these fines and prison sentences. If an executive is aware of a violation, delegating the responsibility to someone else (the company’s “Security Officer”, perhaps) DOES NOT protect the executive from a personal penalty.

So now that you know what the ramifications are for a HIPAA breach, it is crucial that you take the necessary steps to ensure you don’t end up as one of OCR’s statistics.

Take the painful (but important) measures to be compliant now to save yourself a lot of stress, heartache, and money in the future. Otherwise the question you’ll be asking isn’t “so what?” but rather “does anyone know a good attorney?”

Filed Under: Health Tagged With: Breach, data breach, encryption, ePHI, HIPAA, HIPPA, penalties

© Copyright 2024 Axel ®. All Rights Reserved.