ATM and VPN's

Kent Dallas kdallas at INTELISPAN.NET
Tue Mar 28 20:29:58 EST 2000


Paul,

It is interesting that we quote the same reference to arrive at different
conclusions, so obviously it is a matter of interpretation.  But let's go
back to your initial post.

Your first sentence was, "the current draft HIPAA provisions regarding the
security of electronic healthcare information state that a POTS line is not
secure and requires encryption", which is inaccurate.  The paragraph, even
in its strongest language, says "should", not "must" or "requires".
Further, you make the jump from "dial-in lines" to POTS.

Your second sentence was, "It is unclear the opinion on leased lines or any
other "managed" networks, and will hopefully be defined by the time the
final ruling comes out", which too, is inaccurate, as the paragraph
referenced specifically addresses value-added networks (VANS) and private
wire arrangements and goes on to say that they, "provide sufficient access
controls to allow encryption to be an optional feature".  I'd say that that
is pretty clear.

And finally, you close with, "It's not a law or regulation (yet) but it
looks like encryption (and VPNs) will play a big part in electronic
healthcare transactions in the next 3 years" which I would agree with, but
would place authentication and access controls higher on the priority list.


The philosophy of "encrypt everything, VPN is cheap" works fine if you are
using other people's money.  In fairness, however, it is a personal opinion,
not a government mandate.  I have yet to hear the argument that encryption
is inexpensive.

And I am disappointed to learn that you don't trust any network provider.
But I tend not to trust consultants, so perhaps we are both a bit paranoid.


Regards,
Kent Dallas

-----Original Message-----
From: Tobia,Paul [mailto:PTOBIA at CERNER.COM]
Sent: Tuesday, March 28, 2000 3:18 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: ATM and VPN's


Kent,

First off let me say that we are interpreting federal regulations that are
not even in finalized form so it is a bit fuzzy.  I am not a lawyer in any
sense of the word and will willingly defer to people who have more
experience interpreting such things.  I appreciate your comments and am glad
for the opportunity to explain my thoughts further.

That being said I took my interpretation from the second paragraph of
II. D. 4. Technical Security Mechanisms.
http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm

"... When using open networks, some form of encryption should be employed.
The utilization of less open systems/networks such as those provided by a
value-added network (VAN) or private-wire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines."

Note that dial-in lines (which I consider to be the entire POTS network) are
in the same classification of an open system as the Internet.

Now it is true that access controls can be implemented in lieu of
encryption, but take a look at the definition of access controls straight
from the proposed regulation itself.
http://aspe.os.dhhs.gov/admnsimp/nprm/sec13.htm

	142.308
	...
	(d) Technical security mechanisms (processes that are put in place
	to guard against unauthorized access to data that is transmitted
	over a communications network).

	(ii) One of the following implementation features:

	(A) Access controls (protection of sensitive communications
	transmissions over open or private networks so that they cannot be
	easily intercepted and interpreted by parties other than the
	intended recipient).

	(B) Encryption.
	...

So if you can develop access controls that protect the information so it
cannot be easily intercepted and interpreted, then you don't need
encryption.  I would contend that by saying POTS is an "open" network as the
Internet is, it is easy to intercept or interpret the information and
requires encryption (or additional access controls that prevent easy
interception and interpretation).

So you also could contend that for just about any network type and you get
back to the ATM and VPN's discussion that started this. :)

I would suggest that information as critical as healthcare information
should be encrypted once it leaves your network (control) regardless of the
network it travels over.  Personally I don't trust any network provider with
that kind of critical information and considering the relatively low cost of
a good transparent VPN solution (or the prevalence of SSL and CAs) it's an
easy decision for me.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paul R. Tobia, Security Consulting Engineer
Cerner Corporation
What is the concept of defense: The parrying
of a blow. What is its characteristic
feature: Awaiting the blow.
                     -On War, C.V.Clausewitz

> -----Original Message-----
> From: Kent Dallas [mailto:kdallas at intelispan.net]
> Sent: Tuesday, March 28, 2000 1:10 PM
> To: 'Tobia,Paul'; VPN at SECURITYFOCUS.COM
> Subject: RE: ATM and VPN's
>
>
> Paul,
>
> Are you saying that HIPAA prevents healthcare providers from
> using POTS?
> Even for voice? Or is it somehow determined that "voice" is
> secure enough,
> just not data?  And I guess they can't use (unencrypted) fax
> either?  If so,
> I disagree...
>
> Based on my quick review, I found that HIPAA "identified
> several high-level
> concepts on which the standard is based:" one of which is:
>
> "By definition, if a system or communications between two
> systems, were
> implemented with technology(s) meeting standards in a general system
> security framework (Identification and Authentication;
> Authorization and
> Access Control; Accountability; Integrity and Availability;
> Security of
> Communication; and Security Administration.) that system would be
> essentially secure."
>
> [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec05.htm]
>
> Notice that it does not mention privacy, confidentiality, or
> encryption.
>
> And further down, it specifically says:
>
> "When using open networks, some form of encryption should be
> employed. The
> utilization of less open systems/networks such as those provided by a
> value-added network (VAN) or private-wire arrangement
> provides sufficient
> access controls to allow encryption to be an optional feature. These
> controls would be important because of the potential for compromise of
> information over open systems such as the Internet or dial-in lines"
>
> [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm]
>
> This section goes on to describe that you can have EITHER
> access control or
> encryption, but that both are not required.
>
> I am not a HIPAA expert, so if I am mis-interpreting, please
> let me know.
>
> Kent Dallas
>

VPN is sponsored by SecurityFocus.COM
