ATM and VPN's

Kent Dallas kdallas at INTELISPAN.NET
Tue Mar 28 14:09:58 EST 2000


Paul,

Are you saying that HIPAA prevents healthcare providers from using POTS?
Even for voice? Or is it somehow determined that "voice" is secure enough,
just not data?  And I guess they can't use (unencrypted) fax either?  If so,
I disagree...

Based on my quick review, I found that HIPAA "identified several high-level
concepts on which the standard is based:" one of which is:

"By definition, if a system or communications between two systems, were
implemented with technology(s) meeting standards in a general system
security framework (Identification and Authentication; Authorization and
Access Control; Accountability; Integrity and Availability; Security of
Communication; and Security Administration.) that system would be
essentially secure."

[reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec05.htm]

Notice that it does not mention privacy, confidentiality, or encryption.

And further down, it specifically says:

"When using open networks, some form of encryption should be employed. The
utilization of less open systems/networks such as those provided by a
value-added network (VAN) or private-wire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines"

[reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm]

This section goes on to describe that you can have EITHER access control or
encryption, but that both are not required.

I am not a HIPAA expert, so if I am misinterpreting, please let me know.

Kent Dallas

-----Original Message-----
From: Tobia,Paul [mailto:PTOBIA at CERNER.COM]
Sent: Tuesday, March 28, 2000 12:14 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: ATM and VPN's


The current draft HIPAA provisions regarding the security of electronic
healthcare information state that a POTS line is not secure and requires
encryption.  It is unclear the opinion on leased lines or any other
"managed" networks, and will hopefully be defined by the time the final
ruling comes out.  It's not a law or regulation (yet) but it looks like
encryption (and VPNs) will play a big part in electronic healthcare
transactions in the next 3 years.

-Paul

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paul R. Tobia, Security Consulting Engineer
Cerner Corporation
What is the concept of defense: The parrying
of a blow. What is its characteristic
feature: Awaiting the blow.
                     -On War, C.V.Clausewitz

> -----Original Message-----
> From: Bennett Todd [mailto:bet at RAHUL.NET]
> Sent: Monday, March 27, 2000 12:22 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: ATM and VPN's
>
>
> 2000-03-21-03:59:20 Franco Sabaris, Javier:
> > If you don't trust your ATM carrier, I can't see why you should
> > trust your voice carrier, or your point to point circuits
> > provider. So, following the same idea, you should encrypt
> > every information (data or voice) that travels outside your
> > buildings. Isn't it a bit paranoic?
>
> Maybe so, maybe not.
>
> If you care about security in the face of determined attacks by
> knowledgeable attackers, then you protect data connections with
> encryption whether they're going over the general internet, an ATM
> link, or a dialup connection over a voice line.
>
> And if you are seriously concerned about the security of a
> piece of voice traffic, you don't discuss it over the phone;
> too many unscrupulous or even amoral people are tapping all
> telecommunications these days. That's why the "encryption" in every
> digital cellphone is deliberately crippled.
>
> There's a difference, though. People can, if they wish to, think
> about the security of specific comments and avoid speaking
> insecurely on the phone. People like to trust that computer
> connections are suitably secure for any traffic, and using VPNs over
> all telecommunication links we can give them that security.
>
> -Bennett
>

VPN is sponsored by SecurityFocus.COM
