RE: Passwords

From: Scott Morris (swm@emanon.com)
Date: Wed Mar 03 2004 - 15:13:38 GMT-3


Time is a very interesting argument in this situation... Although most
people think of the HIPAA concepts being more towards disclosure and privacy
concerns.

But for a time argument, how much time does it take to encrypt something
over a network? How much time does it take even at 14.4k to send a 1-page
fax? :)

Interesting concerns, but I think the network would easily win. However,
the flip side of that argument comes into $$$. Many places are going
wireless... There are certainly security concerns there... But even with
that, if you can afford the toys, IPSec over 802.11 is MUCH faster than
faxing information.

If I'm the one sitting on the OR table, I would prefer that the doctors have
information right then and there rather than watching the stupid thermal fax
spit out and trying to guess the rest of what it says. :)

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Howard C. Berkowitz
Sent: Wednesday, March 03, 2004 12:57 PM
To: 'Group Study (E-mail)'
Subject: RE: Passwords

At 12:46 PM -0500 3/3/04, Scott Morris wrote:
>Anything that is sent electronically CAN be sniffed and reassembled.
>That would be a fax, a jpeg, a pdf, whatever.
>
>The bottom line is how much effort it truly takes to do just that.
>It's simpler (depending on your underlying security architecture) to
>grab a pdf or jpeg off of a network line than to intercept a fax.
>
>BUT. If you want to you may be able to. It just follows the sanity
>thread.
>
>Personally, if you want to send something electronically that you think
>people may intercept, use PGP or S/MIME or some other method of encryption.

At least with medical data covered by HIPAA, one has to think of how much
time that encryption and decryption may add. See below.

>Again, there's slim CHANCE that it could be intercepted and decoded,
>but it falls into that category of "what am I sending?" and "Who the
>hell has that much time on their hands?" :)

There are no simple security decisions. We usually consider the value of
the information to an unauthorized recipient, the time it will take that
recipient to get at the information, and the perishability of the
information. The classic example is that if a military unit sends a firing
order to an artillery unit that it is to shoot in 3 minutes, with a 2 minute
time for rounds flying through the air, but the target can't get out of
range in less than 15 minutes, why not send the order unencrypted? At best,
the enemy will have time to say prayers.

>
>So ... The fact that HIPAA says you can fax just says it's not
>plausible to intercept a fax, not that it's impossible. Be reasonable
>in your security, think through the process (end to end) of what
>information you're transmitting and how you are moving it through
>whatever networks you are moving it through.

One of the specific issues with HIPAA faxing is the information may be
life-critical and needed with minimum delay. It's not uncommon, for example,
to have laboratories in small hospitals have a fax link to the emergency
room, so they can send results as soon as received.

I am familiar with equally life-critical situations when an emergency room
had to get, for example, information on the prescription drugs an
unconscious patient was taking, or their allergies, or information on
critical conditions. Even if there is a risk of disclosure, people forget
the cost of not making the information available.
Unfortunately, in medical bureaucracies, you do run into people that are
more worried about not being sued than saving life.

>
>You're correct about the web site asking you to type in characters.
>Although it's not so much protection from being sniffed, but protection
>against a non-human computer program trolling for information across
>the ether. Those grid things mess up most OCR type software thereby
>making it plausible that it will be a human being on the other end.
>Problems still happen (e.g. that throws off some humans too), which is
>why most web sites also have a phone number so that you can get
>interaction to still receive the information.
>
>Security is always an interesting philosophy in a network!
>
>
>Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>CISSP, JNCIS, et al.
>IPExpert CCIE Program Manager
>IPExpert Sr. Technical Instructor
>swm@emanon.com/smorris@ipexpert.net
>http://www.ipexpert.net
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Joseph D. Phillips
>Sent: Wednesday, March 03, 2004 12:26 PM
>To: Group Study (E-mail)
>Subject: Passwords
>
>I have been told by vendors that SSNs can be faxed and still be secure
>enough for HIPAA.
>
>If e-mailing a non-clear-text image of a password is the practical
>equivalent, I would rather do that.
>
>I do notice that many web sites now make you repeat the characters you
>see embedded in images, before you can navigate further into the web sites.
>
>I'm assuming that's how they make sure it's a human being looking at
>the web page, and not some mechanical device sniffing information as
>the page is downloaded.
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:13 GMT-3