“We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines,” said Donna Dodson, chief of NIST's computer security division, in a news release. “If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible.”
Even if the NSA has access to health records, they are “secure to the average person,” said Michael “Mac” McMillan, an Austin, Texas-based healthcare data security expert and a former Marine Corps intelligence officer. “I guarantee that back door is not available to the general public.”
In September, though, NIST worked to shore up its reputation by announcing it would reopen public review of three of its standards. NIST also warned cryptographers it “strongly recommends” that a component of one of those three standards—the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator whose fixed elliptic-curve constants could, if chosen with a secret relationship, let whoever holds that secret predict the generator's output—“no longer be used.” A list of companies that have implemented that standard reads like a Who's Who of tech.
NIST, a Gaithersburg, Md.-based arm of the Commerce Department, said in the statement it “would not deliberately weaken a cryptographic standard.” But NIST added Friday it was still “deeply concerned by these reports” that the NSA had compromised it—reports that NIST has not explicitly denied.
“We have a piece of regulation out there that tells everybody that if you encrypt your data and if you use one of these algorithms, you meet the standard for a safe harbor,” McMillan said. “Now we have notice that it may not be secure.”
Asked for comment on NIST's response, Rachel Seeger, spokeswoman for the Office for Civil Rights at HHS, said, “OCR will continue to work with NIST on strong encryption standards to recommend to the industry as a method for meeting safe harbor on the breach notification rule.” The OCR is charged with enforcing federal health information privacy and security rules under HIPAA.
Follow Joseph Conn on Twitter: @MHJConn