Home page logo

basics logo Security Basics mailing list archives

Re: HIPAA and endpoint certification
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 26 Feb 2007 08:25:14 -0800

On 2/26/07, Eggleston, Mark <meggleston () healthpart com> wrote:
For additional information, see the following page which not only offers
the rule itself, but also a recently released guidance document on
remote connectivity: http://www.cms.hhs.gov/SecurityStandard/

Thank you for this reference.  This is going to be very useful in
explaining the requirements to those who have questions.

As far as a specific reference, I would direct you to the rules
"technical safeguards" section; specifically 164.312(d) "Person or
Entity Authentication" which states "Implement procedures to verify that
a person or entity seeking access to electronic protected health
information is the one claimed."

I ran across this section last night when reviewing 45 CFR to
determine what they had to say at the letter, and this was after
finding a reference to the Federal Register where HHS published a
mention that they explicitly removed the proposed regulations
specifying exact security requirements due to the changing nature of
the industry.  However, I was concerned that I was not seeing the
entire picture, as I have in the past found that what may be vague in
one CFR is specified exactly in another, sometimes located in an
entirely different title.

I'll be pressing for use of client-side certificates wherever
possible, but since our PKI isn't up yet (and we're probably a year or
more off of a full-scale implementation) and the wireless project is
moving forward rapidly, we need to be fully aware of the options.
Jarrod Frates

This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse. Arm your enterprise with BigFix, the single converged IT security and operations engine. BigFix enables continuous discovery, assessment, remediation, and enforcement for complex and distributed IT environments in real-time from a single console. Think what's next. Think BigFix.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]