HIPA and Network Configs
George Toft
plug-discuss@lists.plug.phoenix.az.us
Tue, 07 Jan 2003 00:47:18 -0500
Tony Wasson wrote:
[snip]
> HIPAA regulation make several references to the word 'reasonable' and the
> need to 'secure protected health information.' These are rules that go into
> effect April 14, 2003. Only a marketing person could say using WEP qualifies
> as 'reasonable' efforts to secure information. ;-)
Good one!
<rant>
Why would any company risk getting the living snot fined out of them by
the Government for non-compliance?
Going back to the original question, what is the problem with running a
cable? Spending a few thousand $$$ on something that is accepted is
better than a few 10's or 100's $$$ fine, or having to send out the
"we're dumbasses because we lost your PHI/PIMI" letter that I got from
my healthcare insurer. My company would be cleaning house after an
event like that.
Is it worth it?
</rant>
What's wrong with taking reasonable precautions, like running cable
between the labs using a pressurized/alarmed conduit? It (reasonably)
can't be intercepted without setting off the alarm, which demonstrates
due care. If they are across a street, use fibre, which is a real
challenge to tap into (unreasonable effort involved). Again - due care.
Cool quote: "First taking action recommended by experts is responsible,
a best practice, evidence of due-care, and is always preferable to
choosing ad-hoc action as your first alternative." - Acute
Risk Management: A Strategy for Security Enhancement, by Greg Frascadore
(gaf@isubr.com)
The correct course of action is a simple business decision, and Business
needs to know the facts and the consequences of their actions. Better
to spend a buck now than give two bucks to Uncle Sam and have to spend
the dollar anyway.
George