June 17, 2011 in the Journal of Frank Farm

Friday, June 17, 2011

Weight training: door pull ups. Breakfast: one fresh, sliced, organic red delicious apple. Rode my bike to work. More CP downtime followup. Learner design session volunteer recruitment followup. Met with Lucia about secure data storage. Followup with Rodney and Cindy about residents' order entry training. Supp app project work in Drupal. Followup with David R and Doug C about encryption, microfiche, and paper records with respect to things like FERPA and HIPAA. The question I asked was: do student records microfiche that are stored in locked cabinets in locked rooms need to be converted to digital and stored in an encrypted manner? What about the same but for paper files? The answer I received was that neither paper nor microfiche need to be converted to digital and encrypted and that neither paper nor microfiche can be encrypted (without converting to digital) and so no encryption is possible or necessary. Also, this made me realize that microfiche is photographic and not digital—something that is not obvious to people who are unfamiliar with microfiche, especially younger people. I find it interesting, however, that under certain circumstances the emphasis on the requirement for encryption for digital data can unwittingly cause people to give less attention to the liability of data that happens to not be digital. Let's create a number of scenarios. In scenario A, in a locked room you store (a) 1 cdrom with 50 encrypted student records and (b) a few sheets of microfiche with 50 other student records. The microfiche might take up about the same space and weight as the cdrom, but it is not encrypted. If a data thief breaks into this room and takes everything, he or she might never be able to access the data on the cdrom, but the microfiche is very easily accessed. In scenario A, the amount of data on the cdrom is equal to that on the microfiche, but the cdrom is much more secure. Scenario B is the same as scenario A except that the cdrom has only 5 encrypted student records and the microfiche has 95. Scenario C is the same as scenario A except the cdrom is not encrypted. Scenario D is the same as scenario B except the cdrom is not encrypted. Let's say that in each scenario the data thief takes everything. So in our 4 scenarios we have 2 kinds of media (cdrom and microfiche), 2 sets of how the data is distributed (50-50 and 5-95), and for the cdrom whether the data is or isn't encrypted. From the amount of attention given in recent years to encrypting digital data, you might think that the unencrypted cdrom poses the greatest loss. However, among these 4 scenarios, the greatest loss comes from the microfiche (scenarios B and D). Yes, digital technology can store more than other forms of media in the same space, but just because it can doesn't mean that you are. So now imagine an office where 99% of the data that must be protected is stored in microfiche and on paper. Current University policy and state and federal laws say that this microfiche and paper must only be locked and that digital data must be encrypted. This office might spend several thousand dollars to encrypt all the computers and all storage media to protect only 1% of the entire liability. This is the law and the policy and so it must be followed, but is this a wise use of money? I'm not so sure. Would it have been better to spend several thousand dollars on improving physical security for the doors or windows to this office? Or would it have been better to spend this money to switch from Windows to Mac or Linux which have significantly fewer problems with computer viruses and malware? Or, in addition to encrypting all the digital data, should paper and microfiche necessarily be converted to encrypted digital form to provide a significantly more secure layer? I don't have the answers to these questions, but in getting answers to the questions I had asked David R and Doug C it became even clearer to me that a commitment to privacy is not simply about following HIPAA and FERPA and University policy to the letter. It requires more than that—an understanding of the amount of risk regardless of how data is stored in addition to whether it is digital and whether digital data is encrypted. Lunch at Lime Tree: shrimp with noodles, hot chai. Answered a question for Lisa about the OSACA calendar in Outlook, taught her how to forward a calendar item to a different calendar in order to move it or copy it to the desired calendar. Linkchecking, Flickr work, kiosk work. Followup with Cindy about iPad purchasing. Gave James and Daliah lots of info for setting up supp app testing. Created a summary document for the supp app project and stored it in the supp app network folder. Worked very late creating content for Michael W's summary report. Reported 2 problems with the BTS website to Maria F and Lisa C. On my way out I encountered and met Dennis from the Netherlands who was not riding his bicycle this evening. Dinner at home: bean burritos with the usual toppings, 12 ounces of generic V8. Weight training: door pull ups. Edited and uploaded photos to Flickr.