HIPA and Network Configs

[Gary Nichols]

On Mon, 6 Jan 2003, Tony Wasson wrote:
> For secure wireless access, you can use a VPN or you can use the new
> 802.11i.

Very sweet solution - I've had two demonstrations from Cisco on 802.11i 
gear and it's very nifty.

> (Disclaimer: I receive money from Cisco for consulting.)

Nothing wrong with that!
> Please note that it is an interim fix until we all get to 802.11i,
> and I would treat it as an interim technology only.
> 

Solid advice.



> HIPAA regulation make several references to the word 'reasonable' and the
> need to 'secure protected health information.' These are rules that go into
> affect April 14, 2003. Only a marketing person could say using WEP qualifies
> as 'reasonable' efforts to secure information. ;-)
> 

Love it!  Yes - reasonable is the key word for both privacy and proposed 
security  rules.  I have to emphasize this practically every meeting I 
attend.

> The proposed security rule (which won't go into effect for at least 2 years)
> requires encryption to be used on 'open networks'.  This would logically
> include wireless networks. There is NO verbage in HIPAA I've seen forbidding
> 802.11a/b/g networks. 

While true, if you do work for the government (like processing claims) 
they will beat you with a club if they see 802.11 anything in use.   To 
save them the trouble, I annouce that we have a no-wireless policy early 
on in every audit.



>The regulations do not state what specific
> technologies to use for encryption (thankfully!). However, any company that
> is doing a real compliance process should document why they made their
> choices and how they are securing them.

YES! Oh how I wish everyone grokked this as you do.  Documentation and 
accountability are overlooked way too often.

Thanks for the post.

Gary