Pete,
I have a question. When thinking about SSL, I dial my ISP with my 56k modem
over a phone line. The bank of modems answer and I am now connected to the
Internet. I go to a web page which is using SSL. I think that means that
from the server that the page is running on all the way through the phone
lines to my browser the session is encrypted.. right? So.. if the happens to
have the proper tools and can "sniff" my telephone line it would be encrypted
and useless? My question is have you seen any software that uses SSL that is
outside of the browser arena? Here is my thought... a provider's PC dials a
modem bank at a payer, the P.C. transmits a file of claims using xyz protocol
but the entire session is encrypted using SSL.
I look forward to your feedback.
Jonathan Showalter
Omaha NE USA
402-343-3381
[EMAIL PROTECTED]
------------------( Forwarded letter 1 follows )--------------------
Date: Thu, 26 Jul 2001 16:39:30 -0500
To: transactions.wedi.org[transactions]@wedi.org
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption
SSL is encryption. It is an encrypted socket connection. It is not a
protocol. You can pass any protocol (like HTTP for instance) via SSL. The
maximum cipher strength available for a commercial SSL certificate is 128
bits. Has there been a minimum cipher strength published under HIPAA?
I would also suspect that faxes would fall under the same final ruling as
dial-ups, but I have not seen a whole lot of information on faxes either.
Pete Hinden
Advanced Business Fulfillment (ABF)
Phone: 314.785.2630
Toll-Free: 800.835.6705 x2630
-----Original Message-----
From: Tom Drinkard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 3:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption
Connie,
You raise a good point. As far as I know, recent versions of SSL meet the
encryption standards.
I'm not sure how SSL would apply to old-fashioned, asynchronous
communications, however.
Tom Drinkard
EDIT
(678) 795-1251 (voice)
(678) 795-1575 (fax)
[EMAIL PROTECTED]
-----Original Message-----
From: Emery, Connie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Us of Dial up Modems without encryption
Tom,
What if your dial-up connection routes through an SSL. Wouldn't this be
considered a "closed" (secure) connection and thus encryption would not be
required?
Connie Emery, CISSP
Director, Information Security
1-877-893-8363 xt 6709
-----Original Message-----
From: Tom Drinkard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 3:20 PM
To: Jim Turner; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption
This has yet to be decided. The safest approach is to go ahead and encrypt
now.
The Security NPRM contradicts itself. On the one hand, it considers a
dial-up line to be an open network and, thus, requires encryption.
On the other hand, it states that it may not be an open network for small,
rural providers.
Hopefully, the Security Final Rule, when published, will clarify these
points.
See the Security NPRM p43255
"When using open networks, some form of encryption should be employed. The
utilization of less open systems/networks such as those provided by a
value-added network (VAN) or privatewire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines."
See also the Security NPRM p43256
"If this provider chooses to use the Internet to transmit or receive health
information, some form of encryption must be used. For example, the provider
could procure and use commercial software to provide protection against
unauthorized access to the data transmitted or received. (This decision must
take into account what encryption system the message recipient uses.) On the
other hand, health information when transmitted via other means such as
VANs, private wires, or even dial-up connections may not require such
absolute protection as is provided by encryption."
Tom Drinkard
EDIT
(678) 795-1251 (voice)
(678) 795-1575 (fax)
[EMAIL PROTECTED]
-----Original Message-----
From: Jim Turner [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:04 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Us of Dial up Modems without encryption
Does anyone know if the use of dial up modems without encryption is going to
be acceptable for sending and receiving transactions on Oct 2002. The
security preamble implies it may not be acceptable. Point to point phone
conversations can communicate PHI why not point to point modem
communication?
Jim Turner
HIPAA Provider Relations
Blue Cross/Blue Shield of Hawaii
808-948-6445
This electronic message is intended only for the individual or entity to
which it is addressed and may contain information that is confidential and
protected by law. If you are not the intended recipient of this e-mail, you
are cautioned that use of its contents in any way is prohibited and may be
unlawful. If you have received this communication in error, please notify
the sender immediately by e-mail or telephone and return the original
message by e-mail to the sender or to [EMAIL PROTECTED] We will reimburse
you for any cost you incur in notifying us of the errant e-mail. Thank you.
**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************
To be removed from this list, send a message to:
[EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************
To be removed from this list, send a message to:
[EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************
To be removed from this list, send a message to:
[EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
UnNamed.html
