Oct 11, 2010

Encryption Of CDs

I have reproduced below the contents of a letter that I received recently from Social Security. I am not sure whether this has been distributed nationally. I used Adobe Acrobat's optical character recognition (OCR) on this. I hope I have straightened out all the misreads.

Dear Colleague:

We are writing to tell you about an important change that furthers our commitment to protect our claimants' personal information.

In October, we will begin a pilot program to encrypt the claim folder CDs sent to you by the Social Security Administration's Office of Disability Adjudication and Review. We expect to expand the pilot rapidly, so that by the end of 2010, we will be encrypting all CDs sent to appointed representatives and medical/vocational experts. We developed the decryption password formula in collaboration with members of the appointed representative community. The encrypted CDs are easy to use and provide a major and necessary improvement in safeguarding the personally identifiable information in our possession. We have enclosed a guide that describes the process.

We appreciate your ongoing support to help strengthen the security and privacy of our claimant's

Jim Borland
Associate Commissioner
Office of Electronic Services and Strategic Information

Jim Bentley
Acting Associate Commissioner
Office of Budget, Facilities and Security

Opening an Encrypted CD

No additional software is necessary to read the information on the encrypted CD. The following instructions will allow proper viewing of the contents of the CD.

1. Insert the Electronic Folder CD into your PC's CDROM drive.
2. Double click on "My Computer"; next double-click on your PC's CDROM drive to display the contents of the CD.
3. Double-click on the pme.exe file located on the CD.
4. Enter the Account Name and Password; click OK.

Account Name: ssa
All ODAR encrypted media will use the same Account Name, "ssa". The Account Name field is not case sensitive.
a. Use the following criteria to determine the encryption password. If you are unable to determine the correct password for your encrypted CD, call the local ODAR office that sent you the CD for assistance. NOTE: The password will always be nine characters long.

Representatives and Claimants Password Criteria:
  • First 4 letters of claimant's first name in lower case (if the name is less than four characters, use "#"s after the last alpha)
  • A number sign (#)
  • Last 4 numbers of the claimant's SSN

The CD will be labeled as follows:
  • Claimant's full last name
  • Claimant's first 4 numbers of the SSN

Claimant's name is Mickey Mays and SSN is 123-45-6789. The encryption password is mick#6789. Label on the CD is "Mays 1234".
Claimant's name is Tom Mays and SSN is 123-45-6789. The encryption password is tom##6789. Label on the CD is "Mays 1234".

Experts (medical and vocational) Password Criteria:
  • First 4 of the expert's last name (lowercase). If the name is less than four characters, use "#"s after the last alpha.
  • A number sign (#)
  • First 4 numbers of the expert's BPA

The CD will be labeled as follows:
  • Expert's full first name.
  • Date of the hearing or "interrogatory".

Expert's name is Sam Jones and the BPA number is 1234. The encryption password is jone#1234. Label on the CD is "Sam 080910" (date of hearing is 8/9/10) or "Sam interrogatory".

5. To decrypt the contents of the CD, highlight the words "[Encrypted Device]" and click on the Extract button.
6. The Browse For Folder window will appear. The first time you decrypt a CD, highlight the drive where you want to save the file and click on [Make New Folder] button. NOTE: If a folder already exists, navigate to that location to download the file.
7. Change the folder name then highlight the new folder and click on the OK button.
8. Go to the folder created, or the location you extracted the files. Double-click on the index.html file.
9. Close the Pointsec encryption window by clicking on the "x" in the upper right hand corner of the screen or by selecting File/Exit from the menu.
10. A deletion window will appear if files were extracted to your computer.
11. If you extracted files to your hard drive or server and DO NOT want the files deleted from your computer, select "No". By selecting "Cancel", you will return to the Pointsec encryption window.

1.0 Frequently Asked Questions

What happens if the account name and/or password entry is incorrect?
If incorrect information is entered in the Account name and/or Password fields, you will receive a Pointsec Media Encryption box, pop-up message that says, "Your password or account name is wrong. Please try again."

Click the OK button on the screen to reenter the correct Account name and Password. If you continue to get this message, please contact the local ODAR office that sent you the CD.

What happens if the files are copied or viewed before they are un-encrypted?
If the files are copied or viewed straight from the CD without running the decryption process, they will be unreadable.

Once the contents of the folder are decrypted, can I simply view the files without copying or extracting them to my computer?
Yes, you can view the files individually from the Pointsec Media Encryption window without using the index.html to navigate to them. You will have to select each separate document in the "docs" folder. If you open the index.html from the Pointsec window, it may not display correctly.

To view the actual tiff images you will need to navigate to the "docs" folder and select the desired
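The password and label criteria in step 4 of the guide, written out as functions (an added example, not SSA or Pointsec code). The function names are made up here, and rejecting a name with a non-letter in its first four characters is an assumption, since the guide does not say how to treat one.

```python
import re

# Nine characters: 1-4 lower-case letters, '#' padding plus the separator, 4 digits.
PASSWORD_FORMAT = re.compile(r"(?=.{9}$)[a-z]{1,4}#{1,4}[0-9]{4}")


def _name_part(name: str) -> str:
    """First four letters in lower case, padded with '#' when the name is shorter."""
    head = name.strip().lower()[:4]
    # Assumption: the guide only covers plain letters, so anything else
    # (hyphen, apostrophe, accent) is reported rather than guessed at.
    if not re.fullmatch(r"[a-z]{1,4}", head):
        raise ValueError(f"guide does not define the password for name {name!r}")
    return head.ljust(4, "#")


def _digits(value: str) -> str:
    return re.sub(r"\D", "", value)


def claimant_password(first_name: str, ssn: str) -> str:
    """Representatives and claimants: first name part, '#', last 4 of the SSN."""
    ssn_digits = _digits(ssn)
    if len(ssn_digits) != 9:
        raise ValueError("SSN must have nine digits")
    return _name_part(first_name) + "#" + ssn_digits[-4:]


def claimant_label(last_name: str, ssn: str) -> str:
    """CD label: full last name and the first 4 numbers of the SSN."""
    return f"{last_name} {_digits(ssn)[:4]}"


def expert_password(last_name: str, bpa: str) -> str:
    """Experts: last name part, '#', first 4 numbers of the BPA."""
    bpa_digits = _digits(bpa)
    if len(bpa_digits) < 4:
        raise ValueError("BPA number must have at least four digits")
    return _name_part(last_name) + "#" + bpa_digits[:4]


def matches_format(candidate: str) -> bool:
    """True if a typed password has the nine-character shape the guide describes."""
    return PASSWORD_FORMAT.fullmatch(candidate) is not None


if __name__ == "__main__":
    # The guide's own example: Mickey Mays, SSN 123-45-6789.
    print(claimant_password("Mickey", "123-45-6789"), claimant_label("Mays", "123-45-6789"))
```

`matches_format` only checks the shape of what was typed (case, padding, length); it cannot tell whether the password is the right one for a given CD.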


Anonymous said...

As an ME, I have been using this encryption system on cases from various California ODAR offices since March, 2010. The "transition" was without warning...discs simply arrived, and my follow-up calls yielded an instruction sheet. It has been very difficult for me, as I am an Apple computer user, and this encryption system is based solely on Windows. (I had just purchased a new Apple, with dual operating systems in January!) There was some ODAR acknowledgment that the encryption system was out of date, even before it was implemented...it used Windows XP, which was no longer even on the market. It was to be updated to Vista (also out-dated) in mid-summer, with no time-line for updating to the current Windows version. Tech support from the ODAR offices amounted to comments that I should just buy another computer!

A local computer shop helped me, by finding a copy of Windows XP, but the 'work-around' is terrible. There is no way to use scroll functions within Exhibit documents, nor is there a way to get thumbnails. Each page has to be 'clicked through' to the last page in the exhibit, where the chronology usually begins. That is terribly laborious, and a waste of time. "Sizing" documents to make them readable also requires many more steps. Bottom line is that a file takes me at least twice as long to read.

I don't believe this is solely a problem related to using an Apple computer, as the hearing room computers I have been using have the same issues. In my opinion, SSA has invested in a system that was flawed even before roll-out, and I can see nothing has been done to correct the problems.

p.s. If anyone has other work-around ideas for me, I'd love to hear them.

Anonymous said...

I heard about this nonsense at NOSSCR, and when I received the letter that Charles received I knew I was right, and that this would be a complete disaster. After reading the comment by the CA ME above, I am confident that this encryption system, while noble at heart, is another example of SSA taking a good idea and smashing it with a ball-peen hammer. I sure am glad I have online access through Electronic Record Express so I don't have to waste time with these encrypted discs.

Anonymous said...

I commented on CONNECT message board that I, too, use a Mac at home, and do not want to have to buy a copy of Windows to install just to use these discs on my home computer. To the ME above, you may have bought an Apple computer with both operating systems included, but you paid extra to have the Windows OS installed. They don't ordinarily come with the two OSs installed. I would have to purchase and install Windows in order to do this.

And is it true that the encryption method is not compatible with Windows 7? If so, the ODAR tech support's "solution" to buy another computer is off-base, because no new computers are being shipped with Vista or with XP; they are all now Windows 7. So now that means that at my office I can't even sit at my own desktop computer, but will have to go find someone who will let me use their older computer with XP on it to look at these discs?

Tell me that, at least, if I can open the documents on one of these, I can convert it all to PDF?

What a crock.

Anonymous said...

ME responding about the Apple problems...
My new Apple came with the usual Apple OS. Then I bought Parallels software (so I could use the Windows environment), plus Windows 7...several hundred $ extra for this. The encryption software would not work with 7...that's when the contact began with ODAR tech people. They were the folks who told me they knew 7 wouldn't work, that it was set up on XP, to later transition to Vista.
I have never been able to convert to pdf...

Anonymous said...

It's really amazing to me that everyone wants to protect a person's (Claimant's) privacy. If that's so, why haven't any of the 20 or so envelopes I received from SS via the USPS been sealed, taped or licked shut? They are always wide open; anyone who handles my mail can read everything about me. Sometimes I don't even get all of the pages of a decision.

Anonymous said...

It's so pleasing to see that the "professionals" working on cases apparently put their convenience ahead of protecting the privacy of the claimants. Whine, whine whine. Waahh, I use Apple. Grow up. If this is your attitude towards patient privacy, I certainly hope you aren't covered by HIPAA in your primary business because you are a fine waiting to happen.

Those CDs should have been encrypted 3 years ago, that's what the problem is and folks getting the CDs just need to either deal or move on. The world has changed whether you like it or not. 46 states have breach laws, HIPAA, HITECH apply to many and OMB directs federal agencies so get with the program.

The fact people are complaining about something so fundamental exposes a likely lax attitude towards other aspects of privacy protection.

Too bad SSA hasn't the staff to audit you folks.

Anonymous said...

Anonymous ME:

Yes you are right about what is needed to run Windows on a Mac. Now, it's a wonderful thing, that Macs will run dual operating systems, but it does cost more, and it's no excuse for SSA to not make their records available to all.

What about claimants? Are their files not encrypted? If not, then why is there not a concern about their privacy? Seems that as a representative, I will do a better job to maintain my client's privacy even without encryption - after all, I have an additional incentive to do so because of Bar rules governing my behavior toward clients.

The letter states "No additional software is necessary to read the information on the encrypted CD." Well, we've shown that this is not true. And hearing that these CDs are only readable on Windows XP, and that the next upgrade will be to Vista makes me question the competency of their IT department.

Dr. ME, with regard to converting to PDF: on a Windows machine, you need either the full Adobe Acrobat program, or a shareware add-on to convert documents to PDF. If you're new to Mac, you may not know that the ability to convert any document into PDF is built-in to the Mac's Print function. In the Print dialogue box, you'll see a PDF button on the far left of the bottom row. You can save as PDF, fax, email, etc. A real handy feature.

Mr. Hall, is there something we can do to head this off?

kostastina Fotiou said...

You purchase a Mac because you prefer a Mac over Windows; to install Windows defeats the purpose. SSA needs to accommodate both sides here, not just Windows.

Jessica Murphy said...

I have Windows 7. Does anyone know how I can read what is on the disc?

Anonymous said...

My CDs will not open now; they say "usage limit for account has been reached"?
Are you serious? They are only allowing me to look at my own files 3 times?
So the government is trying to protect me from myself?
This is stupid!