NIST To Review Data Encryption Processes Following NSA Allegations
November 1, 2013
The National Institute of Standards and Technology—bedeviled by persistent allegations that its internationally recognized data encryption standards have been compromised by the National Security Agency—announced Friday it will undergo internal and independent formal reviews of its standards development processes for data encryption.
NIST-approved encryption is the de facto standard for securing and exchanging electronic healthcare data. Federal privacy rules do not mandate NIST-approved encryption, but they give a regulatory pass to organizations that suffer a breach of healthcare data if that data was encrypted to NIST standards.
The NIST announcement comes two months after news reports, based on documents leaked by NSA whistleblower Edward Snowden, surfaced that one of its cryptographic standards conceals a “back door” enabling the NSA to unscramble encrypted messages.
“We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines,” said Donna Dodson, chief of NIST’s computer security division, in a news release. “If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible.”
Even if the NSA has access to health records, they are “secure to the average person,” said Michael “Mac” McMillan, an Austin, Texas-based healthcare data security expert and a former Marine Corps intelligence officer. “I guarantee that back door is not available to the general public.”
In September, NIST had already worked to shore up its reputation by announcing it would reopen public review of three of its standards. NIST also warned cryptographers that it “strongly recommends” a component of one of those three standards, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm, “no longer be used.” A list of companies that have implemented that standard reads like a Who’s Who of tech.
NIST, a Gaithersburg, Md.-based arm of the Commerce Department, said in the statement it “would not deliberately weaken a cryptographic standard.” But NIST added Friday it was still “deeply concerned by these reports” that the NSA had compromised it—reports that NIST has not explicitly denied.
“We have a piece of regulation out there that tells everybody that if you encrypt your data and if you use one of these algorithms, you meet the standard for a safe harbor,” McMillan said. “Now we have notice that it may not be secure.”
Asked for comment on NIST’s response, Rachel Seeger, spokeswoman for the Office for Civil Rights at HHS, said, “OCR will continue to work with NIST on strong encryption standards to recommend to the industry as a method for meeting safe harbor on the breach notification rule.” OCR is charged with enforcing federal health information privacy and security rules under HIPAA.
Article written by Joseph Conn