The position I've taken within my organization is that if Patient information is accessible from the Internet it needs to be protected by some form of strong or 2-factor authentication, as well as encryption.
Two-factor authentication could be an ID, a strong password and a digital certificate.
Jeff Bell
Director of Information Technology
Visiting Nurse Association of Southeast Michigan
-----Original Message-----
From: Hooser, Larry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 1:42 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Web authentication for HIPAA
HIPAA does not require digital certificates for web authentication. There
is a reason for that related to cost, overhead, customer impact, lack of
standardization, and others. Some also are not convinced that they add a
great deal of value to security. Ultimately, if the user shares the PIN,
you have the same security breach as sharing the username and
password. There are some physical access improvements, but the question is
whether they are substantial.
I believe that strong, rules-based usernames and passwords, along with
effective identification and issuance processes, do provide "reasonable
care" and effective web authentication. I also agree that digital
certificates may have their place in some cases.
Is there anyone out there planning to use strong, rules-based
usernames/passwords for HIPAA web authentication - or are all of you leaning
toward PKI as the ONLY authentication method? Where portability, cost,
customer impact, performance, and other considerations are of concern in
using digital certificates, can usernames/passwords be a viable, trusted
alternative?
Feedback appreciated.
Larry D. Hooser
DSHS/MAA WMS Security Manager/HIPAA Consultant
617 8th Ave SE, Bldg 1 - 4th Floor
Olympia, WA 98504-5511
email: [EMAIL PROTECTED]
Phone: 360.725.1236
**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
**********************************************************************
