Connie,
You raise a good point. As far as I know, recent versions of SSL meet the encryption standards.
I’m not sure how SSL would apply to old-fashioned, asynchronous communications, however.
Tom Drinkard
EDIT
(678) 795-1251 (voice)
(678) 795-1575 (fax)
[EMAIL PROTECTED]
-----Original Message-----
From: Emery, Connie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Us of Dial up Modems without encryption
Tom,
What if your dial-up connection routes through an SSL. Wouldn't this be considered a "closed" (secure) connection and thus encryption would not be required?
Connie Emery, CISSP
Director, Information Security
1-877-893-8363 xt 6709
-----Original Message-----
From: Tom Drinkard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 3:20 PM
To: Jim Turner; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption
This has yet to be decided. The safest approach is to go ahead and encrypt now.
The Security NPRM contradicts itself. On the one hand, it considers a dial-up line to be an open network and, thus, requires encryption. On the other hand, it states that it may not be an open network for small, rural providers.
Hopefully, the Security Final Rule, when published, will clarify these points.
See the Security NPRM p43255
“When using open networks, some form of encryption should be employed. The utilization of less open systems/networks such as those provided by a value-added network (VAN) or private wire arrangement provides sufficient access controls to allow encryption to be an optional feature. These controls would be important because of the potential for compromise of information over open systems such as the Internet or dial-in lines.”
See also the Security NPRM p43256
“If this provider chooses to use the Internet to transmit or receive health information, some form of encryption must be used. For example, the provider could procure and use commercial software to provide protection against unauthorized access to the data transmitted or received. (This decision must take into account what encryption system the message recipient uses.) On the other hand, health information when transmitted via other means such as VANs, private wires, or even dial-up connections may not require such absolute protection as is provided by encryption.”
Tom Drinkard
EDIT
(678) 795-1251 (voice)
(678) 795-1575 (fax)
[EMAIL PROTECTED]
-----Original Message-----
From: Jim Turner [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:04 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Us of Dial up Modems without encryption
Does anyone know if the use of dial up modems without encryption is going to be acceptable for sending and receiving transactions on Oct 2002. The security preamble implies it may not be acceptable. Point to point phone conversations can communicate PHI why not point to point modem communication?
Jim Turner
HIPAA Provider Relations
Blue Cross/Blue Shield of Hawaii
808-948-6445
**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************