Jonathan,

You are correct in assuming that the information passed between your browser
(at your house) and the web server to which you have established an SSL
connection (somewhere on the internet) is encrypted.  If someone were to
intercept communication packets from that connection, the information would
be pretty useless, unless they had the encryption key.  

Now, then.  Straight dial-up connections (as far as I know) can take several
different approaches.  You have to be using the same communication protocol
on both sides.  Older serial communication protocols (X-Modem, Y-Modem) were
used to allow serial communication between two modems.  This is what was
used when you dialed up a bulletin board back in the 80's.  More recent
accepted connections use TCP/IP which is what the internet uses.  This
allows you to belong to a network and communicate with many computers that
are associated with that network.  If you are establishing a serial type
connection you can use a protocol like C-Kermit (which supports OpenSSL and
Kerberos IV and V http://www.columbia.edu/kermit/ckermit.html).  Both
machines must be able to support this protocol.  If you are using a TCP/IP
connection, you can use something like SSH (Secure Shell
http://www.ssh.com/products/ssh/) which acts like a telnet session except
that the communication is encrypted.  SSH can also be used over the internet
and supports PKI. You can even pipe an X-windows session via SSH.  Again,
both sides must be supporting SSH for the communication to take place.  


Hope this helps!


Pete Hinden

Teralogix
Phone: 314.785.2630
Toll-Free: 800.835.6705 x2630



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Friday, July 27, 2001 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without



Pete,

I have a question.  When thinking about SSL, I dial my ISP with my 56k modem
over a phone line.  The bank of modems answer and I am now connected to the
Internet.  I go to a web page which is using SSL.  I think that means that
from the server that the page is running on all the way through the phone
lines to my browser the session is encrypted.. right?  So.. if the happens
to have the proper tools and can "sniff" my telephone line it would be
encrypted and useless?  My question is have you seen any software that uses
SSL that is outside of the browser arena?  Here is my thought... a
provider's PC dials a modem bank at a payer, the P.C. transmits a file of
claims using xyz protocol but the entire session is encrypted using SSL.

I look forward to your feedback.


Jonathan Showalter
Omaha NE  USA
402-343-3381
[EMAIL PROTECTED]
------------------( Forwarded letter 1 follows )--------------------
Date: Thu, 26 Jul 2001 16:39:30 -0500
To: transactions.wedi.org[transactions]@wedi.org
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption

SSL is encryption.  It is an encrypted socket connection. It is not a
protocol.  You can pass any protocol (like HTTP for instance) via SSL.  The
maximum cipher strength available for a commercial SSL certificate is 128
bits.  Has there been a minimum cipher strength published under HIPAA?

I would also suspect that faxes would fall under the same final ruling as
dial-ups, but I have not seen a whole lot of information on faxes either.


Pete Hinden

Advanced Business Fulfillment (ABF)
Phone: 314.785.2630
Toll-Free: 800.835.6705 x2630



-----Original Message-----
From: Tom Drinkard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 3:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption







Connie,

You raise a good point.  As far as I know, recent versions of SSL meet the
encryption standards.

I'm not sure how SSL would apply to old-fashioned, asynchronous
communications, however.



Tom Drinkard

EDIT

(678) 795-1251 (voice)

(678) 795-1575 (fax)

[EMAIL PROTECTED]



-----Original Message-----
From: Emery, Connie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Us of Dial up Modems without encryption



Tom,



What if your dial-up connection routes through an SSL?  Wouldn't this be
considered a "closed" (secure) connection and thus encryption would not be
required?



Connie Emery, CISSP
Director, Information Security
1-877-893-8363 xt 6709

-----Original Message-----
From: Tom Drinkard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 3:20 PM
To: Jim Turner; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Us of Dial up Modems without encryption






This has yet to be decided.  The safest approach is to go ahead and encrypt
now.

The Security NPRM contradicts itself.  On the one hand, it considers a
dial-up line to be an open network and, thus, requires encryption.

On the other hand, it states that it may not be an open network for small,
rural providers.



Hopefully, the Security Final Rule, when published, will clarify these
points.



See the Security NPRM p43255

"When using open networks, some form of encryption should be employed. The
utilization of less open systems/networks such as those provided by a
value-added network (VAN) or private wire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines."



See also the Security NPRM p43256

"If this provider chooses to use the Internet to transmit or receive health
information, some form of encryption must be used. For example, the provider
could procure and use commercial software to provide protection against
unauthorized access to the data transmitted or received. (This decision must
take into account what encryption system the message recipient uses.) On the
other hand, health information when transmitted via other means such as
VANs, private wires, or even dial-up connections may not require such
absolute protection as is provided by encryption."





Tom Drinkard

EDIT

(678) 795-1251 (voice)

(678) 795-1575 (fax)

[EMAIL PROTECTED]



-----Original Message-----
From: Jim Turner [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:04 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Us of Dial up Modems without encryption



Does anyone know if the use of dial up modems without encryption is going to
be acceptable for sending and receiving transactions on Oct 2002?  The
security preamble implies it may not be acceptable.  Point to point phone
conversations can communicate PHI; why not point to point modem
communication?



Jim Turner

HIPAA Provider Relations

Blue Cross/Blue Shield of Hawaii

808-948-6445



This electronic message is intended only for the individual or entity to
which it is addressed and may contain information that is confidential and
protected by law. If you are not the intended recipient of this e-mail, you
are cautioned that use of its contents in any way is prohibited and may be
unlawful. If you have received this communication in error, please notify
the sender immediately by e-mail or telephone and return the original
message by e-mail to the sender or to [EMAIL PROTECTED] We will reimburse
you for any cost you incur in notifying us of the errant e-mail. Thank you.




**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.


