The SafeLogic Blog

ONC's "21st Century Cures Act" Misses the Mark on Encryption

March 12, 2019 Walt Paley

ONC's "21st Century Cures Act" Misses the Mark on Encryption

A month ago, ONC shared a draft of the "21st Century Cures Act" in advance of the public comment period. I responded on Twitter with concerns about their peculiar stance on encryption.

Now the public comment portal is open, and I encourage you to add your voice to the conversation!

My comment:

IV. Updates to the 2015 Edition Certification Criteria
B. Revised and New 2015 Edition Criteria
6. Privacy and Security Transparency Attestations Criteria
b. Encrypt Authentication Credentials

Self-attestation to be "capable" of encrypting to FIPS 140-2 cryptographic standards is not enough and not aligned with the intention of NIST's cryptographic benchmarking program. Validation of FIPS 140-2 encryption standards via NIST has evolved and is no longer a prohibitive process. There is no reason that it should not be an explicit requirement, just as it is for every other federal agency. The HITECH Act and other healthcare legislation has consistently referred all cryptographic requirements to NIST, referencing FIPS 140-2 validation. Even in this very proposed rule, it states that "We posit that FIPS Publication 140-2 is the seminal, comprehensive, and most appropriate standard." And yet, the rule pivots to "self-attestation" instead of enforcing the very benchmarking test that FIPS 140-2 itself was written to make explicit.

Self-attestation of "capability" means nothing. The FIPS 140-2 standard says that any encryption not tested and validated to meet the standard is considered to be no better than plaintext. Self-attestation would fall squarely into that bucket.

Again, please weigh in on the "21st Century Cures Act", whether specific to encryption or otherwise. While I'm focused on the contradictory stance they have proposed, to reference but not actually follow FIPS 140-2, it's critically important for all points of view to be represented. The deadline is Friday, May 3, 2019 at 11:59 PM Eastern. I also welcome dialogue on Twitter!

Walt Paley

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.

Share This:

Back to posts

Popular Posts

Search for posts


See all