Staying Out of Jail
Data Encryption: It's Not So Hard
Issue: 13.6 (November/December 2015)
Author: Mark Strickland
Author Bio: Mark Strickland has been a fan of many dialects of BASIC since it was on the Radio Shack TRS-80 and Digital Equipment PDP-11 mini computers. Over the years he has spent time in a variety of companies including a manufacturer of credit card imprinters and another that built 6,000 water heaters per day. More recently he has worked in a University Medical School setting using his MacGyver-like Information Technology and Ethical Hacker skills to solve problems, almost always with Xojo. In his small software company (SimplyBASICsoftware.com), he has been using Xojo to build things like a Web-based home health care package that keeps caregivers on task with text messaging. Usually his MacGyver skills don't make things blow up, but occasionally users might disagree.
Article Description: No description available.
Article Length (in bytes): 15,156
Starting Page Number: 28
Article Number: 13604
13604project.zip Updated: 2015-11-03 14:44:24
Related Link(s): None
Excerpt of article text...
What would cause you to go to jail if you did not store a ZIP Code in the correct format in your database?
Well, according to U.S. laws—HITECH Act and HIPAA—if you don't keep ZIP Codes and 17 other pieces of data that are part of what is called Personal Health Information (PHI) encrypted, you could go to jail. Before 2009 the penalties were generally monetary, but various amendments to the HITECH Act could actually send connected individuals to jail if data is mishandled. So if you use a ZIP Code as part of the patient identification in a system that stores medical data and it is not encrypted... we will mail you a hacksaw.
U.S. laws may not affect our non-USA readers, but I am sure the principles still apply to any sensitive data that needs to be encrypted.
Interestingly enough, you don't have to encrypt the actual medical data (blood pressure, lab results, etc.), but just the identifiers that could connect that data to an individual. For instance, you can store the first three digits of the ZIP Code un-encrypted, but not the whole five. Some of the other rules are also a bit quirky, but the ultimate goal is to not connect the person to any medical data.
With all of the hacking going on in the world, I would suggest that if you have sensitive data of any kind, not just medical, you should consider encryption. Other rules exist for financial data (PCI). Several recent projects have given me the opportunity to look at encryption and I have implemented at least two different approaches.
...End of Excerpt. Please purchase the magazine to read the full article.