Home page logo

basics logo Security Basics mailing list archives

RE: HIPAA and endpoint certification
From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Mon, 26 Feb 2007 10:47:57 -0500

HIPAA makes no mention certification of endpoints for the transmission
of PHI (Protected Health Information).  You would however, be following
the intent of the law if you establish authentication and authorization
mechanisms for those wishing to connect to your LAN.  Either
implementation method you mention below would meet the intent of HIPAA's
security rule.

For additional information, see the following page which not only offers
the rule itself, but also a recently released guidance document on
remote connectivity: http://www.cms.hhs.gov/SecurityStandard/ 

As far as a specific reference, I would direct you to the rules
"technical safeguards" section; specifically 164.312(d) "Person or
Entity Authentication" which states "Implement procedures to verify that
a person or entity seeking access to electronic protected health
information is the one claimed."


Mark Eggleston
Manager, Security and Business Continuity
Information Services
Health Partners of Philadelphia, Inc.
(215) 991-4388 
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jarrod Frates
Sent: Friday, February 23, 2007 7:47 PM
To: security-basics () securityfocus com
Subject: HIPAA and endpoint certification

I need to get some clarification on the requirements regarding
certification of endpoints in transmission of HIPAA material.  As part
of a wireless project that is beginning soon, we're evaluating the
various EAP types available to us regarding practicality, support
availability, and (of course) regulatory compliance.  While we're
planning on using only EAP types that require a server-side
certificate at a minimum, are there any requirements for the client
side?  It is my understanding that we have to know *who* is connecting
to the network, but is a client-side certificate required for this
purpose, or is it sufficient to authenticate against a user database
of some sort?

Any references to specific code (even at a section level) would be
greatly appreciated.

Jarrod Frates

All the information contained in this electronic communication and
any attachments is intended only for the use of the individual or
entity to which it is addressed. If you are not the intended
recipient, you are hereby notified that you should not disseminate,
distribute or copy any portion of this electronic communication. If
you have received this message in error, please notify the sender
by replying to this email and immediately deleting any and all
copies you may have inadvertently made.

This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse.  Arm your
enterprise with BigFix, the single converged IT security and operations
engine. BigFix enables continuous discovery, assessment, remediation,
and enforcement for complex and distributed IT environments in real-time
from a single console.
Think what's next. Think BigFix.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]