We recently fielded a call from a prospective customer looking at our HIPAA compliant email service. One of their primary needs was the ability to send secure, HIPAA compliant PDF attachments via email. Their IT consultant had advised them that using unencrypted email was sufficient, so long as the PDF document was password-protected. As you can imagine, we pushed back on their consultant's advice. The prospect then engaged their HIPAA attorney to get guidance on the issue.
This post is aimed at saving others the time and expense of resolving the issue of HIPAA compliance for password-protected PDF documents.
HIPAA Fines for Password Protected Hard Drives
On the topic of using passwords, but not encryption, the guidance from the U.S. Department of Health and Human Services (HHS) is clear when it comes to hard drives. If you are a Covered Entity (CE) and your computer or laptop is stolen (even from your own office), you will face HIPAA fines if your hard drives are not encrypted. This is true even if the computer is password-protected. Let's look at some examples.
Earlier this year, we wrote about how North Memorial Health Care of Minnesota agreed to pay $1.55M in HIPAA fines. As per the press release by HHS:
"OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals."
Unfortunately for North Memorial Health, it was a costly mistake to assume a password-protected laptop sufficiently met HIPAA compliance standards.
Another example would be when we covered the $2.75M HIPAA fine the University of Mississippi Medical Center (UMMC) agreed to pay. HHS again cited in their press release that merely using passwords, but not encryption, is a HIPAA violation:
"OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU)."
"... OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password."
In the case of UMMC, we see that a generic username and password was considered a violation of HIPAA security. As far as we know, PDF password generators like Adobe Acrobat do not enforce complexity or length requirements.
Password complexity and password length are key components of the HIPAA Security Rule.
Breaking Password-Protected PDF Documents
A cursory search on Google reveals an abundance of tools to break password-protected PDF documents. As you're probably aware, some come from legitimate vendors and some do not. Examples include tools from vendors such as VeryPDF.com and Elcomsoft Co. Ltd. We do not have a relationship with either company and do not endorse their products one way or another. They are merely examples of password removal tools for PDF documents. The takeaway here is that it can be very easy to open a password-protected PDF document without having access to the password itself.
People Hate Password-Protected PDFs
Let's face it, the winners of tomorrow are those that remove friction from business processes and workflows. It's a primary reason why we started Paubox and it is an obvious truth in the 21st century. The same is true for end users that receive password-protected PDF attachments. Let's take a look at the big usability problems around password-protected PDFs:
- Not Indexed. In other words, you can't search for keywords and text within a password-protected PDF.
- Hard to share. If you want to share a password-protected PDF, you also have to share the password. As you can imagine, that password will most likely be sent in the body of the email message. This brings us back to the IT consultant's advice we mentioned at the beginning of this post.
- Too many passwords! Imagine receiving 5 password-protected PDFs over the course of several months. Which password opens which PDF? It's a huge hassle, just like dealing with remembering passwords for a variety of email portals!
Conclusion: Is My Password-Protected PDF Document HIPAA Compliant?
As we've demonstrated in this post, password-protected PDF documents are not a sign of HIPAA compliance. First, we see that HHS has already set a precedent that using passwords, but not encryption, is a HIPAA fine in waiting. Second, we see that unlocking a password-protected PDF document without access to the password itself is trivial. Lastly, we see that people hate using, sharing, and remembering passwords for PDF documents in the first place.