Security Basics mailing list archives
Re: HIPAA and endpoint certification
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 26 Feb 2007 08:25:14 -0800
On 2/26/07, Eggleston, Mark <meggleston () healthpart com> wrote:
For additional information, see the following page which not only offers the rule itself, but also a recently released guidance document on remote connectivity: http://www.cms.hhs.gov/SecurityStandard/
Thank you for this reference. This is going to be very useful in explaining the requirements to those who have questions.
As far as a specific reference, I would direct you to the rule's "technical safeguards" section; specifically 164.312(d) "Person or Entity Authentication" which states "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
I ran across this section last night when reviewing 45 CFR to determine what they had to say at the letter, and this was after finding a reference to the Federal Register where HHS published a mention that they explicitly removed the proposed regulations specifying exact security requirements due to the changing nature of the industry. However, I was concerned that I was not seeing the entire picture, as I have in the past found that what may be vague in one CFR is specified exactly in another, sometimes located in an entirely different title.

I'll be pressing for use of client-side certificates wherever possible, but since our PKI isn't up yet (and we're probably a year or more off of a full-scale implementation) and the wireless project is moving forward rapidly, we need to be fully aware of the options.

--
Jarrod Frates
GAWN