Great questions, Marlon!
You are correct that it is application/data encryption that is needed, not
transport security.
Every hospital has a HIPAA Officer. Talk to that person. By 2009, they
all have to have EMR and HIPAA compliance, along with some EDI with
health insurance payers.
- Peter Radizeski
Consultant to the Internet Stars :)
Marlon K. Schafer (509) 982-2181 wrote:
Officially, HIPAA compliance is a CLIENT issue. As long as the data
is properly encrypted there's no need for the transport to be.
Some will argue this (mainly the telco but sometimes the customer).
It's still a fact.
Questions to ask them:
What do the Doctors use for connectivity to their handheld devices?
Right, wireless.
What is the encryption mechanism on a t-1 or dsl link? Right, none.
What is the security on the cable network? Right, none.
Does the facility have a wireless network? Care to have me break into
it for you? (I'm told that WPA has now been cracked too.)
We went around in circles with a local Sheriff's office on this
issue. In the end it was decided that the only real way to be HIPAA
compliant was to encrypt the data AT THE PC level. ANYTHING done
after that point was all but useless. They confirmed this with the
DOJ. All that's needed is data security, not transport security. If
transport security is what's wanted then EVERY vlan switch, router
etc. in the loop is a possible security hole. This risk runs end to
end, regardless of the transport medium.
Good luck.
Marlon
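The "encrypt at the PC level" position in the message above, shown as an added example that is not part of the thread or of any product mentioned in it. The record is sealed with AES-256-GCM (authenticated encryption) on the sending workstation, so every hop in between, whether VLAN switch, router, DSL, T-1, cable or wireless, carries only an opaque envelope, and any byte altered in transit, or an envelope re-labelled with a different record ID, is rejected on the receiving workstation. The key handling, the record ID and the sample record are assumptions constructed for the demo; a real deployment would source the key from the workstation's key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that crosses the wire: a random nonce and the
// AES-GCM ciphertext, which carries its authentication tag. Every intermediate
// hop sees just this, regardless of what the transport itself does.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key. Assumption for the demo: in practice the
// key comes from the workstation's key store, not from a fresh random draw.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record on the PC before it leaves. The recordID is bound as
// associated data, so an envelope cannot be silently re-labelled in transit.
func Seal(key, recordID, record []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, record, recordID)
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the receiving PC. Any modification of the ciphertext, the
// nonce or the record ID makes authentication fail and nothing is returned.
func Open(key, recordID []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, recordID)
	if err != nil {
		return nil, errors.New("envelope rejected: tampered or wrong key")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	id := []byte("record-0001")                           // constructed identifier
	rec := []byte("constructed sample record, no real PHI") // constructed payload
	env, _ := Seal(key, id, rec)
	fmt.Printf("on the wire: %x\n", env.Ciphertext)

	// Simulate one byte corrupted or altered on an untrusted hop.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(key, id, env); err != nil {
		fmt.Println("receiver:", err)
	}
}
```

The point the thread makes falls out of the design: because the tag is checked at the endpoint, nothing a switch, router or link in the middle does can change the record without being detected, and nothing in the middle can read it. Transport-layer encryption on any one hop adds nothing to that guarantee.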
--
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/