HIPA and Network Configs

George Toft plug-discuss@lists.plug.phoenix.az.us
Tue, 07 Jan 2003 00:47:18 -0500


Tony Wasson wrote:
[snip]
> HIPAA regulations make several references to the word 'reasonable' and the
> need to 'secure protected health information.' These are rules that go into
> effect April 14, 2003. Only a marketing person could say using WEP qualifies
> as 'reasonable' efforts to secure information. ;-)

Good one!

<rant>
Why would any company risk getting the living snot fined out of them by
the Government for non-compliance?

Going back to the original question, what is the problem with running a
cable?  Spending a few thousand $$$ on something that is accepted is
better than a few 10's or 100's $$$ fine, or having to send out the
"we're dumbasses because we lost your PHI/PIMI" letter that I got from
my healthcare insurer.  My company would be cleaning house after an
event like that.

Is it worth it?
</rant>

What's wrong with taking reasonable precautions, like running cable
between the labs using a pressurized/alarmed conduit?  It (reasonably)
can't be intercepted without setting off the alarm, which demonstrates
due care.  If they are across a street, use fibre, which is a real
challenge to tap into (unreasonable effort involved).  Again - due care.

Cool quote: "First taking action recommended by experts is responsible,
a best practice, evidence of due-care, and is always preferable to
choosing ad-hoc action as your first alternative." -- Acute
Risk Management: A Strategy for Security Enhancement, by Greg Frascadore
(gaf@isubr.com)

The correct course of action is a simple business decision, and Business
needs to know the facts and the consequences of their actions.  Better
to spend a buck now than give two bucks to Uncle Sam and have to spend
the dollar anyway.

George