Oct 12, 2010

Encryption Problems

I had posted earlier about Social Security's plan to encrypt the CDs of client files sent to attorneys and others who represent Social Security claimants. The comments this post received are worrisome enough that I think they are worth bumping up to a full post:
Anonymous said...

As an ME, I have been using this encryption system on cases from various California ODAR offices since March, 2010. The "transition" was without warning...discs simply arrived, and my follow-up calls yielded an instruction sheet. It has been very difficult for me, as I am an Apple computer user, and this encryption system is based solely on Windows. (I had just purchased a new Apple, with dual operating systems in January!) There was some ODAR acknowledgment that the encryption system was out of date, even before it was implemented...it used Windows XP, which was no longer even on the market. It was to be updated to Vista (also out-dated) in mid-summer, with no time-line for updating to the current Windows version. Tech support from the ODAR offices amounted to comments that I should just buy another computer!

A local computer shop helped me, by finding a copy of Windows XP, but the 'work-around' is terrible. There is no way to use scroll functions within Exhibit documents, nor is there a way to get thumbnails. Each page has to be 'clicked through' to the last page in the exhibit, where the chronology usually begins. That is terribly laborious, and a waste of time. "Sizing" documents to make them readable also requires many more steps. Bottom line is that a file takes me at least twice as long to read.

I don't believe this is solely a problem related to using an Apple computer, as the hearing room computers I have been using have the same issues. In my opinion, SSA has invested in a system that was flawed even before roll-out, and I can see nothing has been done to correct the problems.

p.s. If anyone has other work-around ideas for me, I'd love to hear them.

10:02 AM, October 11, 2010

Anonymous said...

I heard about this nonsense at NOSSCR, and when I received the letter that Charles received I knew I was right, and that this would be a complete disaster. After reading the comment by the CA ME above, I am confident that this encryption system, while noble at heart, is another example of SSA taking a good idea and smashing it with a ball-peen hammer. I sure am glad I have online access through Electronic Record Express so I don't have to waste time with these encrypted discs.

11:36 AM, October 11, 2010

Anonymous said...

I commented on the CONNECT message board that I, too, use a Mac at home, and do not want to have to buy a copy of Windows to install just to use these discs on my home computer. To the ME above, you may have bought an Apple computer with both operating systems included, but you paid extra to have the Windows OS installed. They don't ordinarily come with the two OSs installed. I would have to purchase and install Windows in order to do this.

And is it true that the encryption method is not compatible with Windows 7? If so, the ODAR tech support's "solution" to buy another computer is off-base, because no new computers are being shipped with Vista or with XP; they are all now Windows 7. So now that means that at my office I can't even sit at my own desktop computer, but will have to go find someone who will let me use their older computer with XP on it to look at these discs?

Tell me that, at least, if I can open the documents on one of these, I can convert it all to PDF?

What a crock.

12:03 PM, October 11, 2010

Anonymous said...

ME responding about the Apple problems...
My new Apple came with the usual Apple OS. Then I bought Parallels software (so I could use the Windows environment), plus Windows 7...several hundred $ extra for this. The encryption software would not work with 7...that's when the contact began with ODAR tech people. They were the folks who told me they knew 7 wouldn't work, that it was set up on XP, to later transition to Vista.
I have never been able to convert to pdf...

2:44 PM, October 11, 2010

Anonymous said...

It's really amazing to me that everyone wants to protect a person's (Claimant's) privacy. If that's so, why haven't any of the 20 or so envelopes I received from SS via the USPS been sealed, taped or licked shut? They are always wide open. Anyone who handles my mail can read everything about me. Sometimes I don't even get all of the pages of a decision.

4:58 PM, October 11, 2010

Anonymous said...

It's so pleasing to see that the "professionals" working on cases apparently put their convenience ahead of protecting the privacy of the claimants. Whine, whine, whine. Waahh, I use Apple. Grow up. If this is your attitude towards patient privacy, I certainly hope you aren't covered by HIPAA in your primary business because you are a fine waiting to happen.

Those CDs should have been encrypted 3 years ago, that's what the problem is and folks getting the CDs just need to either deal or move on. The world has changed whether you like it or not. 46 states have breach laws, HIPAA, HITECH apply to many and OMB directs federal agencies so get with the program.

The fact people are complaining about something so fundamental exposes a likely lax attitude towards other aspects of privacy protection.

Too bad SSA hasn't the staff to audit you folks.

6:09 PM, October 11, 2010

Anonymous said...

Anonymous ME:

Yes you are right about what is needed to run Windows on a Mac. Now, it's a wonderful thing, that Macs will run dual operating systems, but it does cost more, and it's no excuse for SSA to not make their records available to all.

What about claimants? Are their files not encrypted? If not, then why is there not a concern about their privacy? Seems that as a representative, I will do a better job to maintain my client's privacy even without encryption - after all, I have an additional incentive to do so because of Bar rules governing my behavior toward clients.

The letter states "No additional software is necessary to read the information on the encrypted CD." Well, we've shown that this is not true. And hearing that these CDs are only readable on Windows XP, and that the next upgrade will be to Vista makes me question the competency of their IT department.

Dr. ME, with regard to converting to PDF: on a Windows machine, you need either the full Adobe Acrobat program, or a shareware add-on to convert documents to PDF. If you're new to Mac, you may not know that the ability to convert any document into PDF is built-in to the Mac's Print function. In the Print dialogue box, you'll see a PDF button on the far left of the bottom row. You can save as PDF, fax, email, etc. A real handy feature.

Mr. Hall, is there something we can do to head this off?

What I wonder is whether this encryption even helps secure these files. Doesn't Social Security have to send all the information needed to decrypt the files when it sends the CD to the person representing the claimant? A CD with no identifying information is useless. A CD with full identifying information can be decrypted by anyone. Social Security could send the CDs with just the name or the Social Security number but that is problematic. Unless the attorney is using a database -- and most do not -- sending just the Social Security number would not be enough to allow the attorney to figure out whose CD it is. For that matter, it is not difficult to go online and find out a person's identity using their Social Security number. Sending just the name would not be enough in many cases to allow identification of the claimant. A friend of mine who practices in Texas has told me that he has many clients with identical names such as Jose Rodriguez or Maria Hernandez. I do not have so many Hispanic clients but my firm certainly has clients with duplicate names. It happens all the time.


Anonymous said...

Speaking of privacy. Does social security file all administrative records with the court under seal?

Anonymous said...

Thanks for bringing this back for discussion. I am 'anonymous ME' from yesterday's posts, and I have a few more thoughts.

First, I have had great concern about claimant privacy for years, long before this latest encryption plan. I too receive numerous hearing notices in unsealed envelopes. The notices contain claimant name, address, DOB, and SSN. Further, I worked at DDS for a time, and was shocked by the number of documents that were 'lost', 'misplaced', etc. and would need to be resubmitted.

In the current encryption plan, MEs get a password for the discs. It doesn't change from case to case, and it would be easy to figure out, if someone was inclined. Attorneys and claimants also get passwords, which I believe are easy to figure out.

The problem with the Apple/encryption interface is not about my personal convenience. I am certainly not the only Apple user who engages with SSA in one way or another! Rather, I do not believe that SSA, or any other government agency, should limit public access by virtue of an exclusive computer platform arrangement.

Anonymous said...

Mr. Hall, you are absolutely right about the passwords to read the encrypted CD. The instructions tell us that the criteria for determining the password are the use of the first 4 letters of a claimant's first name, a pound sign, and the last 4 numbers of the claimant's social security number. Once you know that "code" you can read any CD you might get. It will continue to be my duty to ensure that non-authorized persons do not get their hands physically on the CDs, because the criteria will be so easy to determine. Since claimants are entitled to their own CD of the electronic file, these criteria will have to be made public, or at least given to the claimant with the CD. It's not going to be secret for long.

And, to the anonymous commenter who criticized me and the other Mac-using commenter as not being concerned with privacy, you're just wrong. It is not just representatives and experts who may have difficulty accessing the files where the SSA has not seen fit to use cross-platform compatibility; claimants have to have the ability to read their own files. To this end, SSA has to allow for the broadest possible access. Or do they want claimants lining up at the ODAR offices asking for paper files because they can't access the CDs given them?
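The password format described in the comment above, and the earlier point that the identifying information travels with the disc, can be scored for how much guessing uncertainty is left to whoever holds the CD. This is an added example, not part of the original post or its comments; the function names, the constructed sample record, the case-insensitive comparison and the uniform-letters assumption are illustrative assumptions.

```python
import math
import string

# Format as described in the comment above: first 4 letters of the first
# name, a pound sign, then the last 4 digits of the SSN.
NAME_LETTERS = 4
SSN_DIGITS = 4


def residual_bits(name_known: bool, ssn_tail_known: bool) -> float:
    """Bits of guessing uncertainty left to someone holding the disc.

    Assumption: unknown letters and digits are uniformly random. Real first
    names are far from uniform, so these figures are upper bounds.
    """
    space = 1
    if not name_known:
        space *= 26 ** NAME_LETTERS
    if not ssn_tail_known:
        space *= 10 ** SSN_DIGITS
    return math.log2(space)


def random_password_bits(length: int,
                         alphabet: str = string.ascii_letters + string.digits) -> float:
    """Entropy of a password drawn uniformly at random from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def derived_from_record(password: str, first_name: str, ssn: str) -> bool:
    """Issuing-side policy check: is the password just the record fields?

    Assumption: comparison is case-insensitive (the page does not say).
    """
    letters = "".join(c for c in first_name if c.isalpha())[:NAME_LETTERS]
    digits = "".join(c for c in ssn if c.isdigit())[-SSN_DIGITS:]
    return password.lower() == f"{letters}#{digits}".lower()


if __name__ == "__main__":
    # Constructed record; 000-00-6789 is not an issuable SSN.
    print(derived_from_record("Mari#6789", "Maria", "000-00-6789"))
    for name_known, ssn_known in [(True, True), (True, False), (False, False)]:
        print(name_known, ssn_known, round(residual_bits(name_known, ssn_known), 1))
    print("random 12-char:", round(random_password_bits(12), 1))
```

When both fields are printed on the accompanying paperwork the password adds no secrecy at all, and with only the name known roughly 13 bits remain, against about 71 bits for a random 12-character password delivered separately from the disc.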

Anonymous said...

Absolutely amazing incompetence in the bureaucracy...I am a former Vocational Rehab Counselor in a state agency where tech changes were well planned.
I am now receiving SSDI...I shudder with these exposures.