My $0.02

Not exactly sure when it starts, but I believe that MS Office "encryption" switched from what was called "kindergarten cryptography" to RC4 in the 2000 version or perhaps a late service pack for '97 versions.

RC4 uses a variable-length key strength, but enforces no requirements on the shared secret (password). Office sets the key strength at 128 bits and is essentially identical to the encryption used by 128 bit SSL. (SSL has overhead that involves PKI techniques to exchange keys, but once that is accomplished, the encryption is basically the same.)

I have software that will brute-force a 7 character mixed case alphanumeric password in around 24 hours. 8 characters may take several weeks, and 9 characters may take years. If, however, your shared secret is based on a dictionary word, your document will probably be mine in minutes.

The obvious implication is that the shared secret must be difficult to guess by any means. Thus, it should be a mixed case, alphanumeric, non-dictionary word, and sufficiently long so as to put its brute-forceability into the timespan of eons, as opposed to days or minutes. I believe that the maximum secret key length allowed by MS-Word is 15 characters and would recommend using a keygen program set to that length.

So... Word encryption meets standards, but you have to be careful to use a suitable password.

Also... Due to the ease of use of encryption, I don't believe that there should be any variance between what is prudent for both the small and the large PHI handlers.

Jeff Gray
IT Manager, Proservices Health Information Technologies

NOTE: I'm not placing my life on the veracity of these statements, nor am I making any kind of guarantee that I'm not full of hot air. I am pretty sure that I'm substantially close to correct on most of it, however.

-----Original Message-----
From: Scott [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 5:17 PM
To: WEDI SNIP Security Workgroup List
Cc: 'Terry Swenor'
Subject: Re: PHI and emails

I suspected that reading a password-protected .doc would not be as easy as opening it in Notepad, so I tested it with a protected .doc I happened to have on my hard drive.
I scanned the entire content and found that it was not readable; it appears encrypted, with none of the contents discernible whatsoever. When opening a non-password-protected .doc through Notepad, however, I was able to read the contents, so I believe Word encrypts the contents when protected. The example I used was a .doc created in WordXP, attempting to read through Notepad/Windows 2000, but I would expect the same results from all modern versions.

As obtainable as "cracking" software may be, it would certainly be a decent, though entirely possible, effort to acquire and use the software to acquire access to someone's PHI. I think a practice must make a decision whether it is taking sufficient precautions to protect the PHI in its custody--and this decision may vary based on the size of the practice, as referred to as the "small practice" solution. What may be prudent care of PHI for a small medical practice may *not* be for a hospital or payer. As such (IMHO), "protecting" PHI with Word password protection would be woefully inadequate for a large practice/hospital/payer but *might* be reasonable for a rural/small practice.

Scott Bernay
Business Analyst, Keane Inc
[EMAIL PROTECTED]

----- Original Message -----
From: "Michael S. White" <[EMAIL PROTECTED]>
To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Cc: "'Terry Swenor'" <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2003 3:26 PM
Subject: RE: PHI and emails

Hello Terry:

Take into consideration that a password protected Word document can be opened in Notepad without knowing the password, displaying the content of the Word document (along with other information). Try it yourself and you'll see what I mean. Additionally, there are a number of programs freely available online that will break and/or disclose the password. Personally, I don't feel password protecting Word documents protects the information contained therein - PHI or otherwise.

_____
Michael S. White
Information Systems Specialist
[EMAIL PROTECTED]

> I'm soliciting opinions regarding attaching a password protected Word document to an email as a way of protecting PHI. Of course the
> password would be sent in a different email. Comments?

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
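The brute-force figures in Jeff Gray's message above (7 mixed-case alphanumeric characters in about a day, 8 in weeks, 9 in years) follow from keyspace size alone. This added Python example, which is not from any poster on the thread and says nothing about how Office itself derives its RC4 key, takes his 24-hour figure as the only data point, derives the guess rate it implies, and extrapolates to other lengths and character sets including his recommended 15-character maximum; the 32-symbol punctuation set and the 100,000-word dictionary size are assumed values.

```python
"""Time-to-exhaust estimates for password-derived document keys.

Constructed example: the only data point is the figure quoted in the
thread (a 7-character mixed-case alphanumeric password in ~24 hours);
the guess rate is derived from it, and every other row is an extrapolation.
"""

ALPHABETS = {
    "lowercase": 26,
    "mixed alnum": 26 + 26 + 10,                # the policy recommended above
    "mixed alnum + symbols": 26 + 26 + 10 + 32,  # 32 printable symbols: assumed
}

# Anchor from the thread: 7 mixed-case alphanumeric chars in about one day.
ANCHOR_LENGTH, ANCHOR_ALPHABET, ANCHOR_SECONDS = 7, 62, 24 * 3600


def implied_rate(length=ANCHOR_LENGTH, alphabet=ANCHOR_ALPHABET,
                 seconds=ANCHOR_SECONDS):
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return alphabet ** length / seconds


def seconds_to_exhaust(length, alphabet, rate):
    """Worst case: every password of this length and alphabet is tried."""
    return alphabet ** length / rate


def humanize(seconds):
    """Render seconds in the largest unit that keeps the number >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def exhaust_table(rate, lengths=range(6, 16)):
    """{(alphabet name, length): worst-case seconds} for a policy table."""
    return {(name, n): seconds_to_exhaust(n, size, rate)
            for name, size in ALPHABETS.items() for n in lengths}


if __name__ == "__main__":
    rate = implied_rate()
    print(f"implied rate: {rate:,.0f} guesses/s")
    # A 100,000-word dictionary is a constructed size, not a figure from the thread.
    print(f"100k-word dictionary: {humanize(100_000 / rate)}")
    for (name, n), secs in sorted(exhaust_table(rate).items()):
        print(f"{name:>22} len {n:2d}: {humanize(secs)}")
```

The 8- and 9-character rows land at about 62 days and 10.5 years, matching the "several weeks" and "years" estimates in the message, while the dictionary row stays well under a second at the same rate.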