HIPA and Network Configs

Author: Gary Nichols
Date:  
Subject: HIPA and Network Configs
On Saturday, January 4, 2003, at 03:13 PM, der.hans wrote:
> How does the m$ "we can access your computers anytime we want" license
> stack up against the HIPAA regs? I certainly hope they strictly forbid
> such 3rd party access!

That's a hornet's nest I don't even want to touch. ;-)
The baseline is that you have to prevent any ->unauthorized<- access
to your systems.
For example, if you have a contract with IBM that grants them access to
dial-in via SecureID to work on your machines, then that's fine - it's
authorized - however you also have to have a 3rd party agreement with
them stating such and assigning responsibilities, damages, etc. This
is a topic all in itself. *blah*

> Does it approve transmission across 3rd party networks?

Yes - I assume you mean a private point-to-point network
connection. Provided of course that you can prove that you have
adequate safeguards in place on both ends. On such a connection,
encryption is not required.

> And if the wireless is tunneled using the approved encryption standard?


It's not so much that it's encrypted over the spectrum, it's that the
spectrum isn't approved. At least that's the problem I'm having.

> Is it a decent encryption standard?


Depends on your interpretation of 'decent'.

Even more interesting is that ANY PHI that leaves your network over a
public network has to be encrypted - that includes web, ftp, telnet,
smtp, etc. This is forcing a lot of companies to have a "hello
Jesus" moment with security finally. The industry is moving towards https,
sftp, ssh and PKI-based solutions.

Again, this is a good thing - I just hope that they enforce it.