Jerry,

I have to disagree.  I think that using WinZip's proprietary Zip 2.0 encryption format 
would NOT be considered an acceptable method for transfer of PHI over a public network 
(i.e., emailing over the internet).  First, there is government precedent for this in 
CMS's (previously HCFA's) internet security policy, which specifies minimum standards 
for encryption, and clearly states that organizations should keep abreast of 
developments in hacking and encryption capabilities and continually upgrade their 
encryption standards as technology allows/necessitates.

Second, as we all know, since there are no granular requirements in the Privacy or 
Security rule that say you must use at least this type of encryption, compliance here 
will be based on the extent to which the organization has assessed the risk involved 
with PHI data transmission and has applied reasonable controls to minimize that risk.  
With freely available tools that can crack any WinZip password-protected archive, it 
would be difficult to make the case for that as a reasonable control commensurate with 
the risk of unauthorized disclosure.

Third, from a conceptual security standpoint, proprietary encryption algorithms must 
always be suspect, and avoided where possible.  I would suggest a good general rule is 
to use open, standards-based technology in all areas of security.  The Zip 2.0 
algorithm is recognized by its own developer to be a weak encryption system:

"Password protecting files in a Zip file provides a measure of protection against 
casual users who don't have the password and are trying to determine the contents of 
your files. The Zip 2.0 encryption format, however, is not as secure as DES and the 
RSA public key formats used by programs such as PGP, and does not provide absolute 
protection against determined individuals with advanced cryptographic tools. If you 
require strong encryption, we recommend you use a specialized encryption software 
instead of the Zip 2.0 encryption format. Copyright © 1991-2000 by WinZip Computing, 
Inc. All rights reserved."

As Mr. Blucker noted, it is a mere triviality to crack a password protected WinZip 
file (not even requiring determined individuals with "advanced cryptographic tools").

Our policy is to transmit NO PHI (or other confidential information) over any shared 
network with anything less than PGP encryption.  Where possible, we search for better 
technical security mechanisms, such as using a secure FTP or SSH session for the data 
transfer rather than email.  Again, it's all a matter of assessing risk and applying 
controls commensurate with that risk.  I will be so bold as to suggest that 
transmission of sensitive data (of any kind) via email presents a VERY HIGH risk of 
information leakage (or unauthorized disclosure in our specific instance).  Applying a 
known-weak encryption algorithm to such data transmissions would likely be viewed as 
an insufficient control by any enforcement body.

Andrew S. McLetchie, CISSP, GCIH
Information Security Analyst
Sparrow Health System
Lansing, MI
517.364.6530
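The distinction this thread turns on (plain password protection in the Zip 2.0 "ZipCrypto" scheme versus a real cipher) is visible in the archive's own metadata, so a mail gateway or DLP rule can enforce a "no ZipCrypto for PHI" policy without the password. The script below is an added illustration, not code from anyone in this thread: it reads the central directory with Python's standard zipfile module and labels each entry as unencrypted, legacy ZipCrypto (general-purpose flag bit 0 set, nothing else) or WinZip AES (compression method 99 and/or extra-field id 0x9901, WinZip's published AES markers, which postdate this 2002 discussion). The sample archive is constructed in the script by patching header bytes, because zipfile cannot write encrypted entries.

```python
import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
WINZIP_AES_METHOD = 99        # compression method WinZip stores for AES entries
WINZIP_AES_EXTRA_ID = 0x9901  # extra-field id carrying WinZip AES parameters
CD_SIG = b"PK\x01\x02"        # central-directory file header signature

def has_aes_extra(extra: bytes) -> bool:
    """Walk the (id, size, payload) extra-field list looking for 0x9901."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        if ext_id == WINZIP_AES_EXTRA_ID:
            return True
        pos += 4 + size
    return False

def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'aes' (WinZip AES) or 'zipcrypto' (legacy Zip 2.0)."""
    if not info.flag_bits & ZIP_FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == WINZIP_AES_METHOD or has_aes_extra(info.extra):
        return "aes"
    return "zipcrypto"

def classify_archive(data: bytes) -> dict:
    """Map every entry name to its protection class; reads metadata only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}

def build_sample_archive() -> bytes:
    """Constructed sample: write three stored entries, then patch the
    central-directory flag/method fields so two of them look encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "legacy.txt", "aes.txt"):
            zf.writestr(name, b"constructed sample, not real PHI")
    data = bytearray(buf.getvalue())
    pos = data.find(CD_SIG)
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]  # filename length
        name = bytes(data[pos + 46:pos + 46 + name_len])        # filename bytes
        if name != b"plain.txt":
            struct.pack_into("<H", data, pos + 8, ZIP_FLAG_ENCRYPTED)  # flags
        if name == b"aes.txt":
            struct.pack_into("<H", data, pos + 10, WINZIP_AES_METHOD)  # method
        pos = data.find(CD_SIG, pos + 46)
    return bytes(data)

if __name__ == "__main__":
    print(classify_archive(build_sample_archive()))
```

A gateway rule that rejects any outbound archive with an entry classified as "none" or "zipcrypto" implements the "nothing weaker than real encryption" position argued above without ever needing the password.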

>>> "Ely, Jerry" <[EMAIL PROTECTED]> 09/30/02 02:50pm >>>
Hi Fify.
Just a comment on encryption. If you are using a password with winzip, then
you are using encryption, although not as secure as DES and the RSA public
key formats used by programs such as PGP. 
I believe it would still be an acceptable method at this point in time. 
 
Jerry E. Ely 
Programming Supervisor
Warren General Hospital
Phone: 814-723-4973 x1865
Mail to: [EMAIL PROTECTED]

-----Original Message-----
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 2:40 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail
Hello all, 

Thank you in advance for all your valuable responses.
I have a privacy issue question today. Is this scenario still HIPAA compliant
or not allowed at all?  Scenario: sending a daily file containing member PHI
through e-mail. The file is zipped [WinZip] and password protected, and no
encryption was done.

Any suggestions/recommendations on HIPAA compliance are welcome.

Regards, 

Fify Taslim, MD, MBA 

Care1st Health Plan 
Compliance Specialist/HIPAA Coordinator 
Ph. (626) 299-4299 ex.376 
Fx. (626) 628-3263 
E-mail: [EMAIL PROTECTED] 


To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security
and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.