HIPAA does not require digital certificates for web authentication. There is a reason for that, related to cost, overhead, customer impact, lack of standardization, and other factors. Some also are not convinced that they add a great deal of value to security. Ultimately, if the user shares the PIN, you have the same security breach as sharing the username and password. There are some physical access improvements, but the question is whether they are substantial.
I believe that strong, rules-based usernames and passwords, along with effective identification and issuance processes, do provide "reasonable care" and effective web authentication. I also agree that digital certificates may have their place in some cases. Is there anyone out there planning to use strong, rules-based usernames/passwords for HIPAA web authentication, or are all of you leaning toward PKI as the ONLY authentication method? Where portability, cost, customer impact, performance, and other considerations are of concern in using digital certificates, can usernames/passwords be a viable, trusted alternative? Feedback appreciated.

Larry D. Hooser
DSHS/MAA WMS Security Manager/HIPAA Consultant
617 8th Ave SE, Bldg 1 - 4th Floor
Olympia, WA 98504-5511
email: [EMAIL PROTECTED]
Phone: 360.725.1236
