RE: Winzip & password and e-mail

2002-10-01 Thread timmcguinness
Title: Winzip & password and e-mail



Carolyn, he doesn't exactly say that they are transactions.  Only PHI - if they are transactions, I completely agree with you.  If they are not, then this would be minimal protection from incidental disclosure only - until the security rule deadline requires stronger protections.
 


Tim McGuinness, Ph.D.
Consulting Specialist in Regulatory Privacy, Security, and Application Compliance (HIPAA/ASCA/FDA/CMS-HCFA/ICH/ADA 508c)
[EMAIL PROTECTED]

President, HIPAA Help Now
[EMAIL PROTECTED]
www.hipaahelpnow.com

Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO)
www.hcco.us

Phone: 727-787-3901   Cell: 305-753-4149   Fax: 240-525-1149
Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM: timmcguinness - AOL IM: mcguinnesstim
===
IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.

  -Original Message-
  From: Price, Carolyn [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 30, 2002 4:29 PM
  To: Fify Taslim; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Subject: RE: Winzip & password and e-mail
  
  HIPAA mandates that all transactions sent via the web be 
  encrypted.  Since the example you give is NOT encrypted, it is not 
  allowed at all.
  Carolyn Price
  
-Original Message-
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 11:40 AM
To: '[EMAIL PROTECTED]'; 'business@wed[i.org'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail

Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

Any suggestion/recommendation for HIPAA compliance is welcome.

Regards,

Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address.
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
  ** 
  To be removed from this list, go to: 
  http://snip.wedi.org/unsubscribe.cfm?list=Business and enter your email 
  address. The WEDI SNIP listserv to which you are subscribed is not 
  moderated. The discussions on this listserv therefore represent the views 
  of the individual participants, and do not necessarily represent the views 
  of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an 
  official opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. Posting of advertisements or other 
  commercial use of this listserv is specifically prohibited. 



RE: Winzip & password and e-mail -Reply

2002-09-30 Thread Andrew McLetchie

Carolyn,

That's not wholly accurate.  WinZip password-protected files ARE
encrypted, using WinZip's proprietary Zip 2.0 encryption algorithm.  So,
such a technical security mechanism would conform to the letter of the
rule that mandates all web-transmissions of PHI be encrypted.  However,
it is a recognized WEAK encryption system, and it would be extremely
difficult to make the case to an enforcement body that employing such a
mechanism represents a reasonable application of security controls.

andrew

>>> "Price, Carolyn" <[EMAIL PROTECTED]> 09/30/02 04:29pm >>>
HIPAA mandates that all transactions sent via the web be encrypted.  Since the example you give is NOT encrypted, it is not allowed at all.
Carolyn Price

-Original Message-
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 11:40 AM
To: '[EMAIL PROTECTED]'; 'business@wed[i.org'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail





Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

Any suggestion/recommendation for HIPAA compliance is welcome.

Regards,

Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]










RE: Winzip & password and e-mail

2002-09-30 Thread Price, Carolyn
Title: Winzip & password and e-mail





HIPAA mandates that all transactions sent via the web be encrypted.  Since the example you give is NOT encrypted, it is not allowed at all.
Carolyn Price

  -Original Message-
  From: Fify Taslim [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 30, 2002 11:40 AM
  To: '[EMAIL PROTECTED]'; 'business@wed[i.org'; '[EMAIL PROTECTED]'
  Subject: Winzip & password and e-mail
  
  Hello all,

  Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

  Any suggestion/recommendation for HIPAA compliance is welcome.

  Regards,

  Fify Taslim, MD, MBA
  Care1st Health Plan
  Compliance Specialist/HIPAA Coordinator
  Ph. (626) 299-4299 ex.376
  Fx. (626) 628-3263
  E-mail: [EMAIL PROTECTED]






RE: Winzip & password and e-mail -Reply

2002-09-30 Thread Andrew McLetchie

Jerry,

I have to disagree.  I think that using WinZip's proprietary Zip 2.0 encryption format 
would NOT be considered an acceptable method for transfer of PHI over a public network 
(i.e., emailing over the internet).  First, there is government precedent for this in 
CMS's (previously HCFA's) internet security policy, which specifies minimum standards 
for encryption, and clearly states that organizations should keep abreast of 
developments in hacking and encryption capabilities and continually upgrade their 
encryption standards as technology allows/necessitates.

Second, as we all know, since there are no granular requirements in the Privacy or 
Security rule that say you must use at least this type of encryption, compliance here 
will be based on the extent to which the organization has assessed the risk involved 
with PHI data transmission and has applied reasonable controls to minimize that risk.  
With freely available tools that can crack any WinZip password-protected archive, it 
would be difficult to make the case for that as a reasonable control commensurate with 
the risk of unauthorized disclosure.

Third, from a conceptual security standpoint, proprietary encryption algorithms must 
always be suspect, and avoided where possible.  I would suggest a good general rule is 
to use open, standards-based technology in all areas of security.  The Zip 2.0 
algorithm is recognized by its own developer to be a weak encryption system:

"Password protecting files in a Zip file provides a measure of protection against 
casual users who don't have the password and are trying to determine the contents of 
your files. The Zip 2.0 encryption format, however, is not as secure as DES and the 
RSA public key formats used by programs such as PGP, and does not provide absolute 
protection against determined individuals with advanced cryptographic tools. If you 
require strong encryption, we recommend you use a specialized encryption software 
instead of the Zip 2.0 encryption format. Copyright © 1991-2000 by WinZip Computing, 
Inc. All rights reserved."

As Mr. Blucker noted, it is a mere triviality to crack a password protected WinZip 
file (not even requiring determined individuals with "advanced cryptographic tools").

Our policy is to transmit NO PHI (or other confidential information) over any shared 
network with anything less than PGP encryption.  Where possible, we search for better 
technical security mechanisms, such as using a secure FTP or SSH session for the data 
transfer rather than email.  Again, it's all a matter of assessing risk and applying 
controls commensurate with that risk.  I will be so bold as to suggest that 
transmission of sensitive data (of any kind) via email presents a VERY HIGH risk of 
information leakage (or unauthorized disclosure in our specific instance).  Applying a 
known-weak encryption algorithm to such data transmissions would likely be viewed as 
an insufficient control by any enforcement body.

Andrew S. McLetchie, CISSP, GCIH
Information Security Analyst
Sparrow Health System
Lansing, MI
517.364.6530

>>> "Ely, Jerry" <[EMAIL PROTECTED]> 09/30/02 02:50pm >>>
Hi Fify.
Just a comment on encryption. If you are using a password with winzip, then
you are using encryption, although not as secure as DES and the RSA public
key formats used by programs such as PGP. 
I believe it would still be an acceptable method at this point in time. 
 
Jerry E. Ely 
Programming Supervisor
Warren General Hospital
Phone: 814-723-4973 x1865
Mail to: [EMAIL PROTECTED]  
 
 

-Original Message-
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 2:40 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail





Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

Any suggestion/recommendation for HIPAA compliance is welcome.

Regards,

Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]





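Andrew's point above is that a WinZip password buys only the legacy Zip 2.0 scheme, and that the organization, not the tool, has to decide whether that is a reasonable control for PHI. The archive itself records which scheme protects each member, so that decision can be enforced mechanically before a file is mailed: general-purpose flag bit 0 marks a member as encrypted, and unless the member also carries WinZip's AES extra field (compression method 99, extra-field tag 0x9901) or PKWARE's strong-encryption flag (bit 6), the member is protected by Zip 2.0 and nothing more. The Python script below is an example added to this thread; it is not code from any participant or from WinZip. It reads the ZIP central directory, names the scheme guarding each member, and answers the question a mail gateway or pre-send hook would ask: does this attachment rely on a Zip 2.0 password, or on no encryption at all? The sample archive it audits is constructed inside the script; its header fields are set the way an archiver sets them, but the payload bytes are plain text, since the check reads headers only. The function names (build_sample_zip, audit_zip_attachment, relies_on_zip20) are the example's own.

```python
"""Audit which protection scheme guards each member of a ZIP attachment.

Added example, not code from the thread or from WinZip. The sample archive
at the bottom is constructed here so the script runs offline.
"""
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: member is encrypted
FLAG_STRONG = 0x0040      # general-purpose bit 6: PKWARE "strong encryption"
METHOD_STORED = 0
METHOD_WINZIP_AES = 99    # WinZip AE-x; the real method sits in extra field 0x9901
AES_EXTRA_TAG = 0x9901


def has_winzip_aes_extra(extra: bytes) -> bool:
    """Walk the extra-field list looking for WinZip's AES header (tag 0x9901)."""
    while len(extra) >= 4:
        tag, length = struct.unpack('<HH', extra[:4])
        if tag == AES_EXTRA_TAG:
            return True
        extra = extra[4 + length:]
    return False


def classify_member(info: zipfile.ZipInfo) -> str:
    """Name the scheme protecting one member, judged from its headers only."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return 'plaintext'
    if info.compress_type == METHOD_WINZIP_AES and has_winzip_aes_extra(info.extra):
        return 'winzip-aes'
    if info.flag_bits & FLAG_STRONG:
        return 'pkware-strong'
    return 'zip20'   # a plain WinZip password: the scheme the thread discusses


def audit_zip_attachment(data: bytes) -> dict:
    """Map each member name to the scheme that protects it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_member(info) for info in zf.infolist()}


def relies_on_zip20(data: bytes) -> bool:
    """True if any member is unprotected or guarded only by a Zip 2.0 password."""
    return any(scheme in ('plaintext', 'zip20')
               for scheme in audit_zip_attachment(data).values())


def build_sample_zip(entries) -> bytes:
    """Assemble a minimal STORED archive with chosen flags/method per member.

    Constructed sample only: headers are set as an archiver would set them,
    but payload bytes stay unencrypted because the audit reads headers alone.
    """
    local, central = io.BytesIO(), io.BytesIO()
    for name, payload, flags, method, extra in entries:
        name_b = name.encode('ascii')
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = local.tell()
        # local file header: signature, version needed, flags, method, time,
        # date, crc, compressed size, uncompressed size, name len, extra len
        local.write(struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, method,
                                0, 0, crc, len(payload), len(payload),
                                len(name_b), len(extra)))
        local.write(name_b + extra + payload)
        # central directory header: the same fields plus version made by,
        # comment len, disk number, internal/external attrs, header offset
        central.write(struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20,
                                  flags, method, 0, 0, crc, len(payload),
                                  len(payload), len(name_b), len(extra),
                                  0, 0, 0, 0, offset))
        central.write(name_b + extra)
    cd = central.getvalue()
    # end of central directory: disk numbers, entry counts, cd size, cd offset
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, len(entries),
                       len(entries), len(cd), local.tell(), 0)
    return local.getvalue() + cd + eocd


# WinZip AES extra field: vendor version 2 (AE-2), vendor id "AE",
# strength 3 (AES-256), actual compression method STORED
WINZIP_AES_EXTRA = struct.pack('<HHH2sBH', AES_EXTRA_TAG, 7, 2, b'AE', 3,
                               METHOD_STORED)

# Constructed sample: the same member record packaged three different ways
SAMPLE_ENTRIES = [
    ('members.csv', b'id,name\n1,Doe\n', 0, METHOD_STORED, b''),
    ('members_zip20.csv', b'id,name\n1,Doe\n', FLAG_ENCRYPTED, METHOD_STORED, b''),
    ('members_aes.csv', b'id,name\n1,Doe\n', FLAG_ENCRYPTED, METHOD_WINZIP_AES,
     WINZIP_AES_EXTRA),
]

if __name__ == '__main__':
    sample = build_sample_zip(SAMPLE_ENTRIES)
    for name, scheme in audit_zip_attachment(sample).items():
        print(f'{name:22s} {scheme}')
    print('hold before sending:', relies_on_zip20(sample))
```

The check deliberately says nothing about whether an AES-protected archive is good enough; that is the risk decision Andrew describes, and a gateway using this script would feed the per-member scheme into whatever policy the organization has adopted. What it does settle mechanically is the case in the original question: an archive whose members show flag bit 0 with no AES extra field is Zip 2.0, and an archive with no flag set is not encrypted at all, whatever the sender believes.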

Re: Winzip & password and e-mail

2002-09-30 Thread Rob D Blucker/MMA



Files that are zipped with WinZip etc with a password are very easily cracked.  For example, go to download.com and get a program named "Ultimate Zip Cracker".  I used this to demonstrate to users at our company that it wasn't safe.  If you encrypt and zip to a self extracting exe it is better but still not the greatest.  We are looking at moving these types of file transfers to PGP or secure FTP but until then we are using the files encrypted and zipped to an exe.  

Rob Blucker
IT Architecture
Mennonite Mutual Aid Inc.








Fify Taslim <[EMAIL PROTECTED]>
09/30/2002 01:39 PM

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: Winzip & password and e-mail




Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

Any suggestion/recommendation for HIPAA compliance is welcome.

Regards,

Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]






RE: Winzip & password and e-mail

2002-09-30 Thread Rachel Foerster
Title: Winzip & password and e-mail





Fify,
 
Several weeks ago there was extensive discussion on this topic on the HIPAAlive discussion list. I suggest you also search that list's archives to extract that message thread.

In any case, the net result/conclusion of that discussion was that PKZIP'd documents would not meet the HIPAA privacy/security requirements.
 
Rachel

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com

  -Original Message-
  From: Fify Taslim [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 30, 2002 1:40 PM
  To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Subject: Winzip & password and e-mail
  
  Hello all,

  Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

  Any suggestion/recommendation for HIPAA compliance is welcome.

  Regards,

  Fify Taslim, MD, MBA
  Care1st Health Plan
  Compliance Specialist/HIPAA Coordinator
  Ph. (626) 299-4299 ex.376
  Fx. (626) 628-3263
  E-mail: [EMAIL PROTECTED]






RE: Winzip & password and e-mail

2002-09-30 Thread Ely, Jerry
Title: Winzip & password and e-mail





Hi Fify.
Just a comment on encryption. If you are using a password with winzip, 
then you are using encryption, although not as secure as DES and the RSA 
public key formats used by programs such as PGP. 
I believe it would still be an acceptable method at this point in time. 

 

Jerry E. Ely
Programming Supervisor
Warren General Hospital
Phone: 814-723-4973 x1865
Mail to: [EMAIL PROTECTED]
 
 

  -Original Message-
  From: Fify Taslim [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 30, 2002 2:40 PM
  To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Subject: Winzip & password and e-mail
  
  Hello all,

  Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

  Any suggestion/recommendation for HIPAA compliance is welcome.

  Regards,

  Fify Taslim, MD, MBA
  Care1st Health Plan
  Compliance Specialist/HIPAA Coordinator
  Ph. (626) 299-4299 ex.376
  Fx. (626) 628-3263
  E-mail: [EMAIL PROTECTED]


