Security Basics mailing list archives
RE: HIPAA and endpoint certification
From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Mon, 26 Feb 2007 10:47:57 -0500
HIPAA makes no mention of certification of endpoints for the transmission of PHI (Protected Health Information). You would, however, be following the intent of the law if you establish authentication and authorization mechanisms for those wishing to connect to your LAN. Either implementation method you mention below would meet the intent of HIPAA's security rule. For additional information, see the following page, which not only offers the rule itself but also a recently released guidance document on remote connectivity:

http://www.cms.hhs.gov/SecurityStandard/

As far as a specific reference, I would direct you to the rule's "technical safeguards" section; specifically 164.312(d), "Person or Entity Authentication", which states: "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."

Regards,

Mark Eggleston
Manager, Security and Business Continuity
Information Services
Health Partners of Philadelphia, Inc.
(215) 991-4388

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jarrod Frates
Sent: Friday, February 23, 2007 7:47 PM
To: security-basics () securityfocus com
Subject: HIPAA and endpoint certification

I need to get some clarification on the requirements regarding certification of endpoints in transmission of HIPAA material. As part of a wireless project that is beginning soon, we're evaluating the various EAP types available to us regarding practicality, support availability, and (of course) regulatory compliance. While we're planning on using only EAP types that require a server-side certificate at a minimum, are there any requirements for the client side? It is my understanding that we have to know *who* is connecting to the network, but is a client-side certificate required for this purpose, or is it sufficient to authenticate against a user database of some sort?
Any references to specific code (even at a section level) would be greatly appreciated.

--
Jarrod Frates
GAWN