HIPA and Network Configs

Author: Gary Nichols
Date:  
Subject: HIPA and Network Configs
On Mon, 6 Jan 2003, Tony Wasson wrote:
> For secure wireless access, you can use a VPN or you can use the new
> 802.11i.


Very sweet solution - I've had two demonstrations from Cisco on 802.11i
gear and it's very nifty.

> (Disclaimer: I receive money from Cisco for consulting.)


Nothing wrong with that!

> Please note that it is an interim fix until we all get to 802.11i,
> and I would treat it as an interim technology only.
>


Solid advice.



> HIPAA regulations make several references to the word 'reasonable' and the
> need to 'secure protected health information.' These are rules that go into
> effect April 14, 2003. Only a marketing person could say using WEP qualifies
> as 'reasonable' efforts to secure information. ;-)
>


Love it! Yes - reasonable is the key word for both privacy and proposed
security rules. I have to emphasize this practically every meeting I
attend.

> The proposed security rule (which won't go into effect for at least 2 years)
> requires encryption to be used on 'open networks'. This would logically
> include wireless networks. There is NO verbiage in HIPAA I've seen forbidding
> 802.11a/b/g networks.


While true, if you do work for the government (like processing claims)
they will beat you with a club if they see 802.11 anything in use. To
save them the trouble, I announce that we have a no-wireless policy early
on in every audit.



> The regulations do not state what specific
> technologies to use for encryption (thankfully!). However, any company that
> is doing a real compliance process should document why they made their
> choices and how they are securing them.


YES! Oh how I wish everyone grokked this as you do. Documentation and
accountability are overlooked way too often.

Thanks for the post.

Gary