ATM and VPN's

Tobia,Paul PTOBIA at CERNER.COM
Thu Mar 30 15:48:31 EST 2000


Okay, first off it says "Consulting" in my title but I strictly work for my
company and its corporate business partners and do not hire my services out,
so I do not consider myself a consultant in the classic sense.  I do not
spend "other people's money" in that sense either.  I spend my company's
money and I and a lot of people at my company make sure that I don't spend
money unreasonably.  That's why I fully justify every recommendation for any
purchase that I make.  But I contend that when you are talking about the
personal medical information of an individual, reasonable costs incurred to
make that information more secure and to ensure that person's privacy are
well worth it.

Second, I apologize if any network or telecommunications providers took
offense when I said I do not "trust" them.  I meant trust in the security
sense and do not imply that any providers are underhanded, despicable or not
worthy of my business in any way.  I stand by my opinion (it's not a law or
proposed law) that if I am responsible for electronically transmitting
personally identifiable health information across a network that I do not
have full physical and administrative control over, then I will use
encryption to prevent non-authorized people from accessing that information
in every single case.

Third, I gladly acknowledge that my first posting to this list was hasty and
downright inaccurate.  That's why I took the time to explain my reasoning in
the second post, and I appreciate Kent calling me to task to go into detail.
Please disregard my hasty generalizations of the first post.

Finally, I want to again stress that we are talking about the guidelines
attached to proposed regulations that can be overridden by Congress at any
time.  That means that nothing is written in stone (yet), and could change
before it has the force of US law behind it.  Also everything is open to
interpretation, and again, I am by no means an expert in federal regulations
or law.  That being said, let's take one more look at the guideline that
both Kent and I quoted:

"... When using open networks, some form of encryption should be employed.
The utilization of less open systems/networks such as those provided by a
value-added network (VAN) or private-wire arrangement provides sufficient
access controls to allow encryption to be an optional feature. These
controls would be important because of the potential for compromise of
information over open systems such as the Internet or dial-in lines."

The first sentence clearly states that open networks *should* (not must or
have to) use encryption.  Since the regulation itself states that either
encryption or access controls *must* be used in all network transmissions
of protected information, I contend that the guideline does not believe that
the access controls present on open networks are adequate.

The final sentence states that access controls present in private-wire and
VAN arrangements are good enough to make encryption optional in *contrast*
to open networks such as the Internet and dial-in lines.  In other words,
dial-in lines do not have adequate access controls and should have
encryption.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paul R. Tobia, Security Consulting Engineer
Cerner Corporation
What is the concept of defense: The parrying
of a blow. What is its characteristic
feature: Awaiting the blow.
                     -On War, C.V.Clausewitz

> -----Original Message-----
> From: Kent Dallas [mailto:kdallas at INTELISPAN.NET]
> Sent: Tuesday, March 28, 2000 7:30 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: ATM and VPN's
>
>
> Paul,
>
> It is interesting that we quote the same reference to arrive
> at different
> conclusions, so obviously it is a matter of interpretation.
> But let's go
> back to your initial post.
>
> Your first sentence was, "the current draft HIPAA provisions
> regarding the
> security of electronic healthcare information state that a
> POTS line is not
> secure and requires encryption", which is inaccurate.  The
> paragraph, even
> in its strongest language, says "should", not "must" or "requires".
> Further, you make the jump from "dial-in lines" to POTS.
>
> Your second sentence was, "It is unclear the opinion on
> leased lines or any
> other "managed" networks, and will hopefully be defined by
> the time the
> final ruling comes out", which too, is inaccurate, as the paragraph
> referenced specifically addresses value-added networks (VANS)
> and private
> wire arrangements and goes on to say that they, "provide
> sufficient access
> controls to allow encryption to be an optional feature".  I'd
> say that that
> is pretty clear.
>
> And finally, you close with, "It's not a law or regulation
> (yet) but it
> looks like encryption (and VPNs) will play a big part in electronic
> healthcare transactions in the next 3 years" which I would
> agree with, but
> would place authentication and access controls higher on the
> priority list.
>
>
> The philosophy of "encrypt everything, VPN is cheap" works
> fine if you are
> using other people's money.  In fairness, however, it is a
> personal opinion,
> not a government mandate.  I have yet to hear the argument
> that encryption
> is inexpensive.
>
> And I am disappointed to learn that you don't trust any
> network provider.
> But I tend not to trust consultants, so perhaps we are both a
> bit paranoid.
>
>
> Regards,
> Kent Dallas
>
> -----Original Message-----
> From: Tobia,Paul [mailto:PTOBIA at CERNER.COM]
> Sent: Tuesday, March 28, 2000 3:18 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: ATM and VPN's
>
>
> Kent,
>
> First off let me say that we are interpreting federal
> regulations that are
> not even in finalized form so it is a bit fuzzy.  I am not a
> lawyer in any
> sense of the word and will willingly defer to people who have more
> experience interpreting such things.  I appreciate your
> comments and am glad
> for the opportunity to explain my thoughts further.
>
> That being said I took my interpretation from the second
> paragraph of II. D.
> 4. Technical Security Mechanisms.
> http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm
>
> "... When using open networks, some form of encryption should
> be employed.
> The utilization of less open systems/networks such as those
> provided by a
> value-added network (VAN) or private-wire arrangement
> provides sufficient
> access controls to allow encryption to be an optional feature. These
> controls would be important because of the potential for compromise of
> information over open systems such as the Internet or dial-in lines."
>
> Note that dial-in lines (which I consider to be the entire
> POTS network) are
> in the same classification of an open system as the Internet.
>
> Now it is true that access controls can be implemented in lieu of
> encryption, but take a look at the definition of access
> controls straight
> from the proposed regulation itself.
> http://aspe.os.dhhs.gov/admnsimp/nprm/sec13.htm
>
> 	142.308
> 	...
> 	(d) Technical security mechanisms (processes that are put in place
> 	to guard against unauthorized access to data that is transmitted
> 	over a communications network).
>
> 	(ii) One of the following implementation features:
>
> 	(A) Access controls (protection of sensitive communications
> 	transmissions over open or private networks so that they cannot be
> 	easily intercepted and interpreted by parties other than the
> 	intended recipient).
>
> 	(B) Encryption.
> 	...
>
> So if you can develop access controls that protect the
> information so it
> cannot be easily intercepted and interpreted, then you don't need
> encryption.  I would contend that by saying POTS is an "open"
> network as the
> Internet is, it is easy to intercept or interpret the information and
> requires encryption (or additional access controls that prevent easy
> interception and interpretation).
>
> So you also could contend that for just about any network
> type and you get
> back to the ATM and VPN's discussion that started this. :)
>
> I would suggest that information as critical as healthcare information
> should be encrypted once it leaves your network (control)
> regardless of the
> network it travels over.  Personally I don't trust any
> network provider with
> that kind of critical information and considering the
> relatively low cost of
> a good transparent VPN solution (or the prevalence of SSL and
> CAs) it's an
> easy decision for me.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Paul R. Tobia, Security Consulting Engineer
> Cerner Corporation
> What is the concept of defense: The parrying
> of a blow. What is its characteristic
> feature: Awaiting the blow.
>                      -On War, C.V.Clausewitz
>
> > -----Original Message-----
> > From: Kent Dallas [mailto:kdallas at intelispan.net]
> > Sent: Tuesday, March 28, 2000 1:10 PM
> > To: 'Tobia,Paul'; VPN at SECURITYFOCUS.COM
> > Subject: RE: ATM and VPN's
> >
> >
> > Paul,
> >
> > Are you saying that HIPAA prevents healthcare providers from
> > using POTS?
> > Even for voice? Or is it somehow determined that "voice" is
> > secure enough,
> > just not data?  And I guess they can't use (unencrypted) fax
> > either?  If so,
> > I disagree...
> >
> > Based on my quick review, I found that HIPAA "identified
> > several high-level
> > concepts on which the standard is based:" one of which is:
> >
> > "By definition, if a system or communications between two
> > systems, were
> > implemented with technology(s) meeting standards in a general system
> > security framework (Identification and Authentication;
> > Authorization and
> > Access Control; Accountability; Integrity and Availability;
> > Security of
> > Communication; and Security Administration.) that system would be
> > essentially secure."
> >
> > [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec05.htm]
> >
> > Notice that it does not mention privacy, confidentiality, or
> > encryption.
> >
> > And further down, it specifically says:
> >
> > "When using open networks, some form of encryption should be
> > employed. The
> > utilization of less open systems/networks such as those
> > provided by a
> > value-added network (VAN) or private-wire arrangement
> > provides sufficient
> > access controls to allow encryption to be an optional feature. These
> > controls would be important because of the potential for
> > compromise of
> > information over open systems such as the Internet or dial-in lines"
> >
> > [reference http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm]
> >
> > This section goes on to describe that you can have EITHER
> > access control or
> > encryption, but that both are not required.
> >
> > I am not a HIPAA expert, so if I am mis-interpreting, please
> > let me know.
> >
> > Kent Dallas
> >
>
> VPN is sponsored by SecurityFocus.COM
>
