Security Basics mailing list archives

RE: HIPAA_Compliance

From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Wed, 7 Apr 2004 09:01:18 -0400

HIPAA requires/highly suggests encryption for external traffic not internal
to your LAN.  You must/should encrypt any PHI going external to your network
that travels across public communication lines (i.e. the Internet).  It is a
due diligence thing.  You are NOT required to encrypt within your own LAN
although you may do so.  In addition, you are only required to encrypt PHI,
although I would suggest encrypting financial information as well as other
confidential records such as payroll, hr, etc. that also go outside your
company.

-----Original Message-----
From: Billy Dodson [mailto:billy () pmm-i com]
Sent: Tuesday, April 06, 2004 9:39 AM
To: Robinson, Sonja; paralleluniverse;
security-basics () lists securityfocus com
Subject: RE: HIPAA_Compliance


If you are in a windows enviroment, you can use IPSEC policies within
the domain security policy to encrypt traffic on the LAN.  This is of
course with a very high overhead.  I am not deeply versed in HIPPA
policies.  You can reduce some of the overhead by just encrypting
traffic between domain controllers.  I know that also if you uses Cisco
routers for your WAN, they can be configured to encrypt that traffic as
well. 


Billy Dodson
Network Systems Engineer
Permian Micro Mart
3815 E. 52nd Street
Odessa, TX 79762
432.367.3239 - Direct Line
432.367.6179 x139

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Monday, April 05, 2004 3:00 PM
To: 'paralleluniverse'; security-basics () lists securityfocus com
Subject: RE: HIPAA_Compliance

What are you trying to encrypt and from what points?

i.e. PHI in e-mail - suggest Kryptiq, Sigaba, PGP enterprise solutions
depending on your needs you could also use desktop - ssl file
transfer/gateway decryption  VPN -works for communications over telecomm
lines for business partners, subsidiaries, etc.

secure ftp - for file transfer

web file repository - ssl file transfer

Your soultion wil ldepend on what you are looking to encrypt, why and
the to/from points.

-----Original Message-----
From: paralleluniverse [mailto:paralleluniverse () ev1 net]
Sent: Saturday, April 03, 2004 9:48 PM
To: security-basics () lists securityfocus com
Subject: HIPAA_Compliance


Hello to All,

In order to provide security solutions for HIPAA compliance, encryption,
though not required, seems to solve several of the problems. Would
anyone have some suggestions for an inexpensive, easy to deploy,
convenient to use, and easy to train staff, encryption solution? Other
thoughts?

Ron Cohen
FUNEN



------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
CONFIDENTIALITY NOTICE: This e-mail transmission, including any
attachments to it, may contain confidential information or protected
health information subject to privacy regulations such as the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). This
transmission is intended only for the use of the recipient(s) named
above. If you are not the intended recipient, or a person responsible
for delivering it to the intended recipient, you are hereby notified
that any disclosure, copying, distribution or use of any of the
information contained in this transmission is STRICTLY PROHIBITED. If
you have received this transmission in error, please immediately notify
me by reply e-mail and destroy the original transmission in its entirety
without saving it in any manner. 

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments
to it, may contain confidential information or protected health information
subject to privacy regulations such as the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). This transmission is intended only for
the use of the recipient(s) named above. If you are not the intended
recipient, or a person responsible for delivering it to the intended
recipient, you are hereby notified that any disclosure, copying,
distribution or use of any of the information contained in this transmission
is STRICTLY PROHIBITED. If you have received this transmission in error,
please immediately notify me by reply e-mail and destroy the original
transmission in its entirety without saving it in any manner. 

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

HIPAA_Compliance paralleluniverse (Apr 05)
- <Possible follow-ups>
- RE: HIPAA_Compliance Michael Dunn (Apr 05)
- RE: HIPAA_Compliance Robinson, Sonja (Apr 05)
- RE: HIPAA_Compliance Henry, Christopher M. (Apr 06)
- RE: HIPAA_Compliance Billy Dodson (Apr 06)
  - Re: HIPAA_Compliance David Glosser (Apr 16)
- RE: HIPAA_Compliance Robinson, Sonja (Apr 07)
- HIPAA_Compliance paralleluniverse (Apr 07)
- RE: HIPAA_Compliance Robinson, Sonja (Apr 07)
- RE: HIPAA_Compliance Chris Orzal (Apr 07)
- RE: HIPAA_Compliance Chinnery, Paul (Apr 07)
  - Re: HIPAA_Compliance Ned Fleming (Apr 08)
- Re: HIPAA_Compliance Ned Fleming (Apr 12)
- RE: HIPAA_Compliance Chinnery, Paul (Apr 12)