The rant in this post may not apply to all states and/or countries with accessibility services, so check your local policies.
If you are blind like I am, or you have a disability, your state likely has accessibility services that provide some relief to you. This may include purchasing assistive technology, providing Orientation and Mobility (O&M) support, or vocational training.
However, this post isn't to discuss how good or bad these services are in themselves. Rather, it's to discuss the poor security practices common among them. In fact, these issues apply to many medical and social services, even if accessibility services are the primary focus here.
If you're not familiar with these organizations, in Colorado, it's DVR (Division of Vocational Rehabilitation). In Texas, it's Texas Workforce Solutions-Vocational Rehabilitation Services (TWS-VRS), which operates under the Texas Workforce Commission. I won't reveal the specific state organization I am working with to maintain my privacy, but it is within the United States.
To put it bluntly: sensitive records, like your Social Security Number (SSN), are frequently transmitted over the Public Switched Telephone Network (PSTN) and plaintext email without a second thought.
The moment you call to check on a case, they often immediately ask for your SSN to verify your identity. If you don't have it, they might pivot to your name and date of birth, but the intake process is where it gets worse. Many agencies ask you to fill out PDF forms and email them back as plaintext attachments. These forms require your SSN, physical address, and detailed medical conditions. Sending this data over unencrypted email or discussing it on a standard phone line is a massive security risk.
Not as much as you'd hope.
For context, HIPAA (the Health Insurance Portability and Accountability Act) provides protections for your healthcare records. However, while it requires that information only be shared with authorized people, it is surprisingly flexible regarding how it is sent.
The HIPAA Security Rule (45 CFR § 164.312(e)(1)) actually lists "Encryption" as an "Addressable" implementation specification rather than a "Required" one. This means that if an agency decides encryption is not "reasonable and appropriate" for their workflow, they can choose not to use it, provided they document why and (ideally) use an alternative. In practice, this often means your sensitive data is sent over the PSTN or via TLS-only email (which only protects the data while in transit between mail servers, not from the service providers themselves or at rest on insecure endpoints).
If someone wanted to target you, they could intercept these transmissions via SS7 vulnerabilities in the phone network or by compromising email packets. Accessibility services, which handle both medical history and the keys to your identity (your SSN), should be held to a much higher standard of mandatory end-to-end encryption.
We have made some progress, but cross-carrier end-to-end encryption for voice is almost non-existent. If you are on Google Fi and call another Android user also on Google Fi, the call may be encrypted end-to-end if both devices support it (see Google Fi's post). However, this does not apply to iPhone users or when calling a standard office PBX or a VoIP landline.
While carriers encrypt the link between your phone and the cell tower to prevent local eavesdropping, it won't stop an attacker with access to the core network, a compromised PBX server, or someone using the SS7 protocol to tap the line.
We need a transition toward mandatory cross-carrier encryption for phone calls and secure, encrypted portals for document submission. Relying on the legacy PSTN and plaintext email for transmitting Social Security Numbers is a relic of the past that puts disabled citizens at risk.
For questions, comments, or concerns, please contact averlicetech@proton.me.