HIPAA VPN Requirements?

guyver01

Anyone familiar with the HIPAA Security Requirements? A friend of mine has a client telling him he needs static IPs to comply with HIPAA rules.... I searched the intarweb for HIPAA and found info on HIPAA VPN , but nothing says a static IP is required...


rmrf

A static IP is not required. I work in an environment where HIPAA regulations are closely watched, and none of our VPN users have to have static IPs.

guyver01

Thanks for the info!
You wouldn't happen to have any documentation on that at all, wouldya?

Double Trouble

I haven't heard or seen anything about a static IP requirement, and I have a friend who's very closely involved with getting a bunch of doctors' offices compliant. I did find out that 802.11b wireless networks are a no-no; it has to be 802.11g or better for the security protocols.

TheGameIs21

HIPAA

If it isn't addressed on this site, you can call them at 1-877-696-6775.

[edit] I honestly would get it from the horse's mouth when it involves HIPAA. [/edit]

SpazzyChicken

Hey tagej, where did you see that 802.11b is a no-no? I would like to see the info, because if that is true, then we might be in some serious sh!t here. But I can't imagine them outlawing such a popular networking tool. There is so much software that is designed to run on it to help with efficiency.

guyver01

Originally posted by: SpazzyChicken
Hey tagej, where did you see that 802.11b is a no-no? I would like to see the info, because if that is true, then we might be in some serious sh!t here. But I can't imagine them outlawing such a popular networking tool. There is so much software that is designed to run on it to help with efficiency.

An article I read on that said the same thing:


If a covered entity assesses the security risks inherent in transmitting protected health information over wireless networks, it will learn that well-known technical deficiencies in the security features of 802.11b technology likely make the technology inadequate, unless it is enhanced. Required technical safeguards that are not met by standard 802.11b wireless network security features include the requirement to implement unique user identification, encryption and decryption, person and entity authentication, and transmission security. The main reason that these requirements cannot be satisfied by deploying only 802.11b technology is that the encryption protocol used in 802.11b products, called Wired Equivalent Privacy (WEP), is fundamentally flawed. The deficiencies in WEP have been widely publicized.

Because the deficiencies in WEP are serious and well-known, a covered entity risks being deemed to not be in compliance with HIPAA requirements if it relies on WEP alone to protect the confidentiality and integrity of data transmitted over wireless networks.

HIPAA is a generic standard: The final regulations won't address 802.11 or any other specific technology, since Congress does not want to have to update the rule every time there is a technological advance. That being the case, it is suggested, a good-faith attempt to use available security protocols should be sufficient.


Double Trouble

SpazzyChicken, I think guyver01 got the right idea. You won't find any mention of specific technology or specific implementation in the HIPAA regulations. Instead, the requirements are that certain efforts have to be made to protect the information, etc. The lawyers/HIPAA consultants hired by my friend's company told them that, given all the issues with 802.11b, it could be very risky using 802.11b wireless stuff. If something were to happen (let's say some private info gets taken), there could be substantial liability. The company thus chose to go with 802.11g with 802.1X network authentication using EAP. If something happens, they would have a strong defense in court that they took reasonable precautions and took the steps currently available to secure the info.

SpazzyChicken

Oh, ok. Whew! I think I must have read what you said wrong. I thought that you had found something that had stated that 802.11b use would be banned or something. We use encryption to protect our data going over the wireless network. WEP sucks!

Thanks for your response guys!

Frdm51472

Originally posted by: rmrf
A static IP is not required. I work in an environment where HIPAA regulations are closely watched, and none of our VPN users have to have static IPs.

I second this. I work in a HIPAA-compliant division of the State of Georgia.