Larry,

When HIPAA-protected data is accessed via a web server, the custodian of the data must protect against unauthorized access. This problem has a different twist than the way you would normally think about it. Typically, HIPAA data would not be pulled from a website (in that case you would have to guarantee the identity of the receiving party) but rather pushed to the site, as in the case of a provider sending a claim request to a clearing house. In this example, it is the provider who is responsible for guaranteeing the identity of the clearing house.

When a clearing house website uses SSL and a Certification Authority (CA), a number of things happen. The provider's web browser gets an encrypted packet from the clearing house containing a guarantee from the CA that the clearing house is who they claim to be. It is our opinion that the CA guarantee, combined with a proper business partner agreement, is sufficient to transfer the data.

On the other side of this coin are the issues surrounding the receiver of the data. The clearing house needs to be reasonably sure that the data they receive is from a known source; otherwise the quality of their service could be impacted. Unfortunately, SSL does nothing to address this issue, and that is where the discussion of passwords versus digital certificates comes into play. The problem with passwords (even strong passwords) is that users tend to do things like write them on sticky notes and paste them on their screens. Because the issuer of the password (the clearing house) cannot control how the password is used, it does not really provide a strong guarantee that the user is who they claim to be. They are, however, better than no authentication at all. Digital certificates, on the other hand, will provide a guarantee to the receiver that the sender is who they claim to be.

This is really an issue the receiver of the data has to resolve. Although digital certificates are not required by HIPAA, the receiver has to decide how this may impact their quality of service.

Hope this helps,

Chris Riley, CISSP
Information Tool Designers Inc.
http://aegis.info-tools.com/

"Hooser, Larry" wrote:

> HIPAA does not require digital certificates for web authentication. There
> is a reason for that related to cost, overhead, customer impact, lack of
> standardization, and others. Some also are not convinced that they add a
> great deal of value to security. Ultimately, if the user shares the PIN
> number, you have the same security breach as sharing the username and
> password. There are some physical access improvements, but the question is,
> are they substantial.
>
> I believe that strong, rules-based usernames and passwords, along with
> effective identification and issuance processes, do provide "reasonable
> care" and effective web authentication. I also agree that digital
> certificates may have their place in some cases.
>
> Is there anyone out there planning to use strong, rules-based
> usernames/passwords for HIPAA web authentication - or are all of you leaning
> toward PKI as the ONLY authentication method? Where portability, cost,
> customer impact, performance, and other considerations are of concern in
> using digital certificates, can usernames/passwords be a viable, trusted
> alternative?
>
> Feedback appreciated.
>
> Larry D. Hooser
> DSHS/MAA WMS Security Manager/HIPAA Consultant
> 617 8th Ave SE, Bldg 1 - 4th Floor
> Olympia, WA 98504-5511
> email: [EMAIL PROTECTED]
> Phone: 360.725.1236
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
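The distinction drawn in the reply above, that server-side SSL lets the provider verify the clearing house through the CA but tells the clearing house nothing about who connected, and that a certificate held by the sender closes that gap, can be observed directly in a TLS stack. The Go program below is an added example written for this page, not code from either poster or from any product they mention. It mints a throwaway CA and two leaf certificates for the hypothetical names clearinghouse.example and provider.example (names, the toy CA and the "X12 837 claim" payload are all constructed here), then runs four loopback connections: server-only authentication with a client that trusts the CA, server-only authentication with a client that does not, mutual TLS against a client with no certificate, and mutual TLS against a client holding a CA-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes an ECDSA key and certificate for cn; parent == nil means self-signed (the toy CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the name a peer checks a leaf certificate against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// exchange runs one TLS connection over loopback. The server (clearing house) applies policy to
// client authentication and trusts clientCAs for client certificates; the client (provider)
// verifies the server against clientRoots and presents clientCert if non-nil. nil is returned
// only when a request and its echo both got through: under TLS 1.3 a client lacking a required
// certificate finishes its own handshake and only sees the server's rejection on its first read.
func exchange(server tls.Certificate, policy tls.ClientAuthType, clientCAs, clientRoots *x509.CertPool, clientCert *tls.Certificate) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: policy, ClientCAs: clientCAs}))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			io.Copy(conn, conn) // echo; the server's first Read fails if the handshake did not complete
			conn.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: clientRoots, ServerName: "clearinghouse.example"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // server certificate rejected (or no TLS at all)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	msg := []byte("X12 837 claim") // constructed stand-in for a pushed claim
	if _, err := conn.Write(msg); err != nil {
		return err
	}
	_, err = io.ReadFull(conn, make([]byte, len(msg)))
	return err
}

// Outcomes records whether the exchange completed in each configuration.
type Outcomes struct {
	ServerAuthTrusted    bool // classic SSL: provider trusts the CA and presents nothing
	ServerAuthDistrusted bool // provider does not trust the CA behind the server certificate
	MutualNoClientCert   bool // server demands a client certificate, provider has none
	MutualWithClientCert bool // provider presents a certificate issued by the same CA
}

// Run builds a toy CA plus a server and a client certificate, then tries the four configurations.
func Run() Outcomes {
	ca, caKey := issue("toy-ca.example", true, nil, nil)
	srv, srvKey := issue("clearinghouse.example", false, ca, caKey)
	cli, cliKey := issue("provider.example", false, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	untrusted := x509.NewCertPool() // a provider that knows nothing about this CA
	server := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	client := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	return Outcomes{
		ServerAuthTrusted:    exchange(server, tls.NoClientCert, trusted, trusted, nil) == nil,
		ServerAuthDistrusted: exchange(server, tls.NoClientCert, trusted, untrusted, nil) == nil,
		MutualNoClientCert:   exchange(server, tls.RequireAndVerifyClientCert, trusted, trusted, nil) == nil,
		MutualWithClientCert: exchange(server, tls.RequireAndVerifyClientCert, trusted, trusted, &client) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Two results carry the point of the thread: the first connection completes with the server learning nothing about its peer, and the third, where the server is configured to require a certificate, is refused even though the same client could connect a moment earlier. The second shows the CA guarantee the reply relies on (a client that does not trust the issuer refuses to send anything), and the fourth shows the receiver-side assurance that a CA-issued client certificate adds. The echo round trip rather than the bare handshake result is deliberate: under TLS 1.3 the client's `Dial` can return successfully before the server has rejected its missing certificate, so judging by the handshake alone would make the third case look like a success.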
