HIPAA and Network Configs

Gary Nichols plug-discuss@lists.plug.phoenix.az.us
Sat, 4 Jan 2003 19:26:30 -0700


On Saturday, January 4, 2003, at 03:13  PM, der.hans wrote:
>
> How does the m$ "we can access your computers anytime we want" license
> stack up against the HIPAA regs? I certainly hope they strictly forbid
> such 3rd party access!

That's a hornet's nest I don't even want to touch. ;-)
The baseline is that you have to prevent any ->unauthorized<- access 
to your systems.
For example, if you have a contract with IBM that grants them access to 
dial in via SecurID to work on your machines, then that's fine - it's 
authorized - however, you also have to have a 3rd party agreement with 
them stating such and assigning responsibilities, damages, etc.  This 
is a topic all in itself.  *blah*

>
> Does it approve transmission across 3rd party networks?
>

Yes - I assume you mean a private point-to-point network 
connection.  Provided, of course, that you can prove that you have 
adequate safeguards in place on both ends.  On such a connection, 
encryption is not required.
>
> And if the wireless is tunneled using the approved encryption standard?

It's not so much that it's encrypted over the spectrum, it's that the 
spectrum isn't approved.  At least that's the problem I'm having.

> Is it a decent encryption standard?

Depends on your interpretation of 'decent'.

Even more interesting is that ANY PHI that leaves your network over a 
public network has to be encrypted - that includes web, ftp, telnet, 
smtp, etc.  This is forcing a lot of companies to have a "hello 
Jesus" with security finally.  The industry is moving towards https, 
sftp, ssh and PKI-based solutions.

Again, this is a good thing - I just hope that they enforce it.