HIPA and Network Configs

Darrell Shandrow plug-discuss@lists.plug.phoenix.az.us
Sat, 4 Jan 2003 15:28:48 -0700


Hi Gary,

So, then, the wireless network is considered to be a public network.
Couldn't it still be used, then, so long as the traffic is encapsulated and
encrypted?

----- Original Message -----
From: "Gary Nichols" <gary@linuxforce.org>
To: <plug-discuss@lists.plug.phoenix.az.us>
Sent: Saturday, January 04, 2003 2:37 PM
Subject: Re: HIPA and Network Configs


> On Saturday, January 4, 2003, at 12:51 PM, Kevin Brown wrote:
> > The company I now work for is still in the ramp-up phase and will be
> > doing medical research and so there is some concern about how we can
> > set up our network to link the various lab spaces that have been
> > donated to us.
> >
> Only the HIPAA Privacy rule has been finalized, and you have until
> April 14th to comply (unless you've filed for an extension).
> The HIPAA Security rule has not been finalized yet.  We were supposed
> to see something around December 27th, but that was delayed... again.
> I'd recommend you grab a copy of the proposed rule and do some reading.
>
> > The concerns are with allowing 802.11 wireless access to our network
> > and using Wireless bridges to link up some labs that are near each
> > other.  Does anyone have any advice/pointers that could help?
> >
>
> If you are pushing patient records or anything that is considered
> Protected Health Information (check the rule for the definition of
> PHI), wireless is NOT appropriate even with WEP.  You may consider
> doing a VPN across wireless devices, but I guarantee you that any
> auditor worth his salt will still nail you to the wall on it because
> 802.11x is not a government-approved transmission medium for secure
> data.  If you want more details, I can provide them.
>
> The proposed rule requires that any PHI traveling across a public
> network or spectrum be encrypted with the current recommended
> encryption standard.  See the rule for details, too much to mention
> here.
>
> As the ISO for $large_insurance_company, I can tell you that compliance
> with the proposed security rule isn't hard - just requires a lot of
> common sense, money and time.
>
> Good luck.