
HIPAA VPN Requirements?

guyver01

Lifer
Anyone familiar with the HIPAA Security Requirements? A friend of mine has a client telling him he needs static IPs to comply with HIPAA rules.... I searched the intarweb for HIPAA and found info on HIPAA VPN, but nothing says a static IP is required...

 
Static IP is not required. I work in an environment where HIPAA regulations are closely watched, and none of our VPN uses have to have static IPs.
 
I haven't heard or seen anything about a static IP requirement, and I have a friend who's very closely involved with getting a bunch of doctor's offices compliant. I did find out that 802.11b wireless networks are a no-no, it has to be 802.11g or better for the security protocols.
 
HIPAA

If it isn't addressed on this site, you can call them at 1-877-696-6775.

[edit] I honestly would get it from the horse's mouth when it involves HIPAA [/edit]
 
Hey tagej, where did you see that 802.11b is a no-no? I would like to see the info, because if that is true, then we might be in some serious sh!t here. But I can't imagine them outlawing such a popular networking tool. There is so much software that is designed to run on it to help with efficiency.
 
Originally posted by: SpazzyChicken
Hey tagej, where did you see that 802.11b is a no-no? I would like to see the info, because if that is true, then we might be in some serious sh!t here. But I can't imagine them outlawing such a popular networking tool. There is so much software that is designed to run on it to help with efficiency.

An article I read on that said the same thing:


If a covered entity assesses the security risks inherent in transmitting protected health information over wireless networks, it will learn that well-known technical deficiencies in the security features of 802.11b technology likely make the technology inadequate, unless it is enhanced. Required technical safeguards that are not met by standard 802.11b wireless network security features include the requirement to implement unique user identification, encryption and decryption, person and entity authentication, and transmission security. The main reason that these requirements cannot be satisfied by deploying only 802.11b technology is that the encryption protocol used in 802.11b products, called Wired Equivalent Privacy (WEP), is fundamentally flawed. The deficiencies in WEP have been widely publicized.

Because the deficiencies in WEP are serious and well-known, a covered entity risks being deemed to not be in compliance with HIPAA requirements if it relies on WEP alone to protect the confidentiality and integrity of data transmitted over wireless networks.

HIPAA is a generic standard: The final regulations won't address 802.11 or any other specific technology, since Congress does not want to have to update the rule every time there is a technological advance. That being the case, it is suggested, a good-faith attempt to use available security protocols should be sufficient.

 
SpazzyChicken, I think guyver01 got the right idea. You won't find any mention of specific technology or specific implementation in the HIPAA regulations. Instead, the requirements are that certain efforts have to be made to protect the information etc. The lawyers/HIPAA consultants hired by my friend's company told them that given all the issues with 802.11b, it could be very risky using 802.11b wireless stuff. If something were to happen (let's say some private info gets taken), there could be substantial liability. The company thus chose to go with 802.11g with 802.1x network authentication using EAP. If something happens, they would have a strong defense in court that they took reasonable precautions and took the steps currently available to secure the info.
 
Oh, ok. Whew! I think I must have read what you said wrong. I thought that you had found something that had stated that 802.11b use would be banned or something. We use encryption to protect our data going over the wireless network. WEP sucks!

Thanks for your response guys!
 
Originally posted by: rmrf
Static IP is not required. I work in an environment where HIPAA regulations are closely watched, and none of our VPN uses have to have static IPs.

I second this. I work in a HIPAA compliant division of the State of Georgia.
