ATM and VPN's

Tobia,Paul PTOBIA at CERNER.COM
Tue Mar 28 15:17:39 EST 2000 

Kent,

Fist off let me say that we are interpreting federal regulations that are
not even in finalized form so it is a bit fuzzy.  I am not a lawyer in any
sense of the word and will willingly defer to people who have more
experience interpreting such things.  I appreciate your comments and am glad
for the opportunity to explain my thoughts further.

That being said I took my interpretation from the second paragraph of II. D.
4. Technical Security Mechanisms.
http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm

"... When using open networks, some form of encryption should be employed.
The utilization of less open systems/networks such as those provided by a
value-added network (VAN) or private-wire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines."

Note that dial-in lines (which I consider to be the entire POTS network) is
in the same classification of an open system as the Internet.

Now it is true that access controls can be implemented in lieu of
encryption, but take a look at the definition of access controls straight
from the proposed regulation itself.
http://aspe.os.dhhs.gov/admnsimp/nprm/sec13.htm

	142.308
	...
	(d) Technical security mechanisms (processes that are put in place
	to guard against unauthorized access to data that is transmitted
	over a communications network).

	(ii) One of the following implementation features:

	(A) Access controls (protection of sensitive communications
	transmissions over open or private networks so that they cannot be
	easily intercepted and interpreted by parties other than the
	intended recipient).

	(B) Encryption.
	...

So if you can develop access controls that protect the information so it
cannot be easily intercepted and interpreted, then you don't need
encryption.  I would contend that by saying POTS is an "open" network as the
Internet is, it is easy to intercept or interpret the information and
requires encryption (or additional access controls that prevent easy
interception and interpretation).

So you also could contend that for just about any network type and you get
back to the ATM and VPN's discussion that started this. :)

I would suggest that information as critical as healthcare information
should be encrypted once it leaves your network (control) regardless of the
network it travels over.  Personally I don't trust any network provider with
that kind of critical information and considering the relatively low cost of
a good transparent VPN solution (or the prevalence of SSL and CAs) it's an
easy decision for me.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paul R. Tobia, Security Consulting Engineer
Cerner Corporation
What is the concept of defense: The parrying
of a blow. What is its characteristic
feature: Awaiting the blow.
                     -On War, C.V.Clausewitz

> -----Original Message-----
> From: Kent Dallas [mailto:kdallas at intelispan.net]
> Sent: Tuesday, March 28, 2000 1:10 PM
> To: 'Tobia,Paul'; VPN at SECURITYFOCUS.COM
> Subject: RE: ATM and VPN's
>
>
> Paul,
>
> Are you saying that HIPAA prevents healthcare providers from
> using POTS?
> Even for voice? Or is it somehow determined that "voice" is
> secure enough,
> just not data?  And I guess they can't use (unecrypted) fax
> either?  If so,
> I disagree...
>
> Based on my quick review, I found that HIPAA "identified
> several high-level
> concepts on which the standard is based:" one of which is:
>
> "By definition, if a system or communications between two
> systems, were
> implemented with technology(s) meeting standards in a general system
> security framework (Identification and Authentication;
> Authorization and
> Access Control; Accountability; Integrity and Availability;
> Security of
> Communication; and Security Administration.) that system would be
> essentially secure."
>
> [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec05.htm]
>
> Notice that it does not mention privacy, confidentiality, or
> encryption.
>
> And further down, it specifically says:
>
> "When using open networks, some form of encryption should be
> employed. The
> utilization of less open systems/networks such as those provided by a
> value-added network (VAN) or private-wire arrangement
> provides sufficient
> access controls to allow encryption to be an optional feature. These
> controls would be important because of the potential for compromise of
> information over open systems such as the Internet or dial-in lines"
>
> [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm]
>
> This section goes on to describe that you can have EITHER
> access control or
> encryption, but that both are not required.
>
> I am not a HIPAA expert, so if I am mis-interpreting, please
> let me know.
>
> Kent Dallas
>
> -----Original Message-----
> From: Tobia,Paul [mailto:PTOBIA at CERNER.COM]
> Sent: Tuesday, March 28, 2000 12:14 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: ATM and VPN's
>
>
> The current draft HIPAA provisions regarding the security of
> electronic
> healthcare information state that a POTS line is not secure
> and requires
> encryption.  It is unclear the opinion on leased lines or any other
> "managed" networks, and will hopefully be defined by the time
> the final
> ruling comes out.  It's not a law or regulation (yet) but it
> looks like
> encyption (and VPNs) will play a big part in electronic healthcare
> transactions in the next 3 years.
>
> -Paul
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Paul R. Tobia, Security Consulting Engineer
> Cerner Corporation
> What is the concept of defense: The parrying
> of a blow. What is its characteristic
> feature: Awaiting the blow.
>                      -On War, C.V.Clausewitz
>
> > -----Original Message-----
> > From: Bennett Todd [mailto:bet at RAHUL.NET]
> > Sent: Monday, March 27, 2000 12:22 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: ATM and VPN's
> >
> >
> > 2000-03-21-03:59:20 Franco Sabaris, Javier:
> > > If you don't trust your ATM carrier, I can't see why you should
> > > trust your voice carrier, or your point to point circuits
> > > provider. So, following the same idea, you should encrypt
> > > every information (data or voice) that travels outside your
> > > buildings. Isn't it a bit paranoic?
> >
> > Maybe so, maybe not.
> >
> > If you care about security in the face of determined attacks by
> > knowlegeable attackers, then you protect data connections with
> > encryption whether they're going over the general internet, an ATM
> > link, or a dialup connection over a voice line.
> >
> > And if you are seriously concerned about the security of a
> > piece of voice traffic, you don't discuss it over the phone;
> > too many unscrupulous or even amoral people are tapping all
> > telecommunications these days. That's why the "encryption" in every
> > digital cellphone is deliberately crippled.
> >
> > There's a difference, though. People can, if they wish to, think
> > about the security of specific comments and avoid speaking
> > insecurely on the phone. People like to trust that computer
> > connections are suitably secure for any traffic, and using VPNs over
> > all telecommunication links we can give them that security.
> >
> > -Bennett
> >
>
> VPN is sponsored by SecurityFocus.COM
>

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list