Jerry, I have to disagree. I think that using WinZip's proprietary Zip 2.0 encryption format would NOT be considered an acceptable method for transfer of PHI over a public network (i.e., emailing over the internet). First, there is government precedent for this in CMS's (previously HCFA's) internet security policy, which specifies minimum standards for encryption, and clearly states that organizations should keep abreast of developments in hacking and encryption capabilities and continually upgrade their encryption standards as technology allows/necessitates.
Second, as we all know, since there are no granular requirements in the Privacy or Security rule that say you must use at least this type of encryption, compliance here will be based on the extent to which the organization has assessed the risk involved with PHI data transmission and has applied reasonable controls to minimize that risk. With freely available tools that can crack any WinZip password-protected archive, it would be difficult to make the case for that as a reasonable control commensurate with the risk of unauthorized disclosure.

Third, from a conceptual security standpoint, proprietary encryption algorithms must always be suspect, and avoided where possible. I would suggest a good general rule is to use open, standards-based technology in all areas of security. The Zip 2.0 algorithm is recognized by its own developer to be a weak encryption system:

"Password protecting files in a Zip file provides a measure of protection against casual users who don't have the password and are trying to determine the contents of your files. The Zip 2.0 encryption format, however, is not as secure as DES and the RSA public key formats used by programs such as PGP, and does not provide absolute protection against determined individuals with advanced cryptographic tools. If you require strong encryption, we recommend you use a specialized encryption software instead of the Zip 2.0 encryption format. Copyright © 1991-2000 by WinZip Computing, Inc. All rights reserved."

As Mr. Blucker noted, it is a mere triviality to crack a password protected WinZip file (not even requiring determined individuals with "advanced cryptographic tools"). Our policy is to transmit NO PHI (or other confidential information) over any shared network with anything less than PGP encryption. Where possible, we search for better technical security mechanisms, such as using a secure FTP or SSH session for the data transfer rather than email.
Again, it's all a matter of assessing risk and applying controls commensurate with that risk. I will be so bold as to suggest that transmission of sensitive data (of any kind) via email presents a VERY HIGH risk of information leakage (or unauthorized disclosure in our specific instance). Applying a known-weak encryption algorithm to such data transmissions would likely be viewed as an insufficient control by any enforcement body.

Andrew S. McLetchie, CISSP, GCIH
Information Security Analyst
Sparrow Health System
Lansing, MI
517.364.6530

>>> "Ely, Jerry" <[EMAIL PROTECTED]> 09/30/02 02:50pm >>>

Hi Fify. Just a comment on encryption. If you are using a password with WinZip, then you are using encryption, although not as secure as DES and the RSA public key formats used by programs such as PGP. I believe it would still be an acceptable method at this point in time.

Jerry E. Ely
Programming Supervisor
Warren General Hospital
Phone: 814-723-4973 x1865
Mail to: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

-----Original Message-----
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 2:40 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail

Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?

Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [WinZip] and password protected, and no encryption was done.

Any suggestions/recommendations on HIPAA compliance are welcome.

Regards,
Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
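The thread above turns on whether a WinZip password (the Zip 2.0 "ZipCrypto" format) counts as an acceptable control for PHI in transit. As an added example, not written by any participant in this thread, here is a Python check that an outbound-mail or DLP control could apply to attachments: it reads each archive member's general-purpose "encrypted" flag and compression method and reports whether the member is plaintext, legacy Zip 2.0/ZipCrypto, or WinZip AES (compression method 99, which post-dates this 2002 discussion). The sample archive is constructed in memory and has its header flag bit patched to mimic a ZipCrypto-protected entry; the function names are this example's own.

```python
"""Classify how each member of a ZIP archive is protected (added example)."""
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001      # general-purpose bit 0: member is encrypted
WINZIP_AES_METHOD = 99       # compression method WinZip writes for AES-encrypted members


def classify(info: zipfile.ZipInfo) -> str:
    """Return 'plaintext', 'aes' or 'zipcrypto' for one archive member."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "plaintext"
    if info.compress_type == WINZIP_AES_METHOD:
        return "aes"
    # Encrypted bit set but no AES marker: the legacy Zip 2.0 stream cipher.
    return "zipcrypto"


def scan_archive(data: bytes) -> dict:
    """Map member name -> protection class for an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


def weak_members(data: bytes) -> list:
    """Members relying on plaintext or ZipCrypto, i.e. what a mail gateway should flag."""
    return sorted(n for n, c in scan_archive(data).items() if c != "aes")


def _set_encrypted_bit(zip_bytes: bytes) -> bytes:
    """Constructed sample only: set bit 0 in every local (PK\\x03\\x04, flags at +6)
    and central-directory (PK\\x01\\x02, flags at +8) header so the archive looks
    like a ZipCrypto-protected one on the wire. The payload itself is untouched."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
            struct.pack_into("<H", buf, pos + flag_off, flags | FLAG_ENCRYPTED)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(name: str, payload: bytes, mimic_zipcrypto: bool) -> bytes:
    """Constructed single-member archive, optionally patched to mimic ZipCrypto."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = out.getvalue()
    return _set_encrypted_bit(data) if mimic_zipcrypto else data
```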