Educause Security Discussion mailing list archives

Re: HIPAA Requires Encryption?


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Thu, 26 Aug 2010 21:33:45 -0600

Doesn't the question of "should we encrypt" vs "do we have to encrypt" with ANY kind of data (HIPAA, or any other) 
also depend on the state of the data?  Is the data "at rest" and other protections are already in place?.....or is the 
data "in transit" and open? (i.e., being e-mailed or copied across WAN links?).....or is the data "in use", and still 
protected because there's an authorized user monitoring the screen...??

I used to deal with highly sensitive data and for us, it always came down to "....it depends...".  Policy always had to 
come down to the circumstances behind the how, why, where, and when associated with the use of the data....trying to 
adhere to a "one policy fits all" situation was a losing proposition....

Just my $.02.....

M

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez 
[ozpaez () SPRYNET COM]
Sent: Thursday, August 26, 2010 9:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

Hey Matthew,
HIPAA does not require it, but any reasonable cost estimate will show that it is worth it.  The risks and costs of 
dealing with unencrypted lost data are so much higher that it is a risk not worth taking, particularly if you already 
have the infrastructure in place.  Hope it helps,
Ozzie Paez
SSE/SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew 
Link
Sent: Thursday, August 26, 2010 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?


Very recently, I inherited the job of focusing information security efforts.  In the process of upgrading a SQL 
server, a question has arisen regarding the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the server 
and the backup media.  It does come at some additional cost, though it's manageable.  Before proceeding, however, I 
thought I'd ask if anyone has suggestions.


Thanks,

--Matthew Link.

  Director, User Services

  Information Services, UCM

  660-543-8063

  link () ucmo edu

--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.
