RE: Passwords

From: Howard C. Berkowitz (hcb@gettcomm.com)
Date: Wed Mar 03 2004 - 15:30:48 GMT-3


At 1:13 PM -0500 3/3/04, Scott Morris wrote:
>Time is a very interesting argument in this situation... Although most
>people think of the HIPAA concepts being more towards disclosure and privacy
>concerns.
>
>But for a time argument, how much time does it take to encrypt something
>over a network? How much time does it take even at 14.4k to send a 1-page
>fax? :)

It's less the processing and transmission time than getting a cleared
person to the secure fax, entering keys if necessary, etc.

>
>Interesting concerns, but I think the network would easily win. However,
>the flip side of that argument comes into $$$.

And it's amazingly difficult to get hospitals to spend capital
budget, even when you can demonstrate something will pay quickly for
itself. Often, I see hospitals implementing a network or information
processing capability only because the accreditation, insurers, or
internal risk managers demand it.

>Many places are going
>wireless... There are certainly security concerns there... But even with
>that, if you can afford the toys, IPSec over 802.11 is MUCH faster than
>faxing information.

Wireless in hospitals isn't always as feasible as in other places.
You tend to have a surprising number of RF dead zones caused by
shielded rooms (either for low-level electronic signals like brain
waves, or for radiation), and safety restrictions on radiated power
levels. Hospital-wide restrictions on cell phone use often are
overstated, but they are very real concerns in areas where there is a
current path that bypasses the skin. Luckily, 802.11, partially as a
result of extremely high frequencies, seems to be passing most safety
tests.

>
>If I'm the one sitting on the OR table, I would prefer that the doctors have
>information right then and there rather than watching the stupid thermal fax
>spit out and trying to guess the rest of what it says. :)
>
>Scott
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Howard C. Berkowitz
>Sent: Wednesday, March 03, 2004 12:57 PM
>To: 'Group Study (E-mail)'
>Subject: RE: Passwords
>
>At 12:46 PM -0500 3/3/04, Scott Morris wrote:
>>Anything that is sent electronically CAN be sniffed and reassembled.
>>That would be a fax, a jpeg, a pdf, whatever.
>>
>>The bottom line is how much effort it truly takes to do just that.
>>It's simpler (depending on your underlying security architecture) to
>>grab a pdf or jpeg off of a network line than to intercept a fax.
>>
>>BUT. If you want to you may be able to. It just follows the sanity
>>thread.
>>
>>Personally, if you want to send something electronically that you think
>>people may intercept, use PGP or S/MIME or some other method of encryption.
>
>At least with medical data covered by HIPAA, one has to think of how much
>time that encryption and decryption may add. See below.
>
>>Again, there's slim CHANCE that it could be intercepted and decoded,
>>but it falls into that category of "what am I sending?" and "Who the
>>hell has that much time on their hands?" :)
>
>There are no simple security decisions. We usually consider the value of
>the information to an unauthorized recipient, the time it will take that
>recipient to get at the information, and the perishability of the
>information. The classic example is that if a military unit sends a firing
>order to an artillery unit that it is to shoot in 3 minutes, with a 2 minute
>time for rounds flying through the air, but the target can't get out of
>range in less than 15 minutes, why not send the order unencrypted? At best,
>the enemy will have time to say prayers.
>
>>
>>So ... The fact that HIPAA says you can fax just says it's not
>>plausible to intercept a fax, not that it's impossible. Be reasonable
>>in your security, think through the process (end to end) of what
>>information you're transmitting and how you are moving it through
>>whatever networks you are moving it through.
>
>One of the specific issues with HIPAA faxing is the information may be
>life-critical and needed with minimum delay. It's not uncommon, for example,
>to have laboratories in small hospitals have a fax link to the emergency
>room, so they can send results as soon as received.
>
>I am familiar with equally life-critical situations when an emergency room
>had to get, for example, information on the prescription drugs an
>unconscious patient was taking, or their allergies, or information on
>critical conditions. Even if there is a risk of disclosure, people forget
>the cost of not making the information available.
>Unfortunately, in medical bureaucracies, you do run into people that are
>more worried about not being sued than saving life.
>
>>
>>You're correct about the web site asking you to type in characters.
>>Although it's not so much protection from being sniffed, but protection
>>against a non-human computer program trolling for information across
>>the ether. Those grid things mess up most OCR type software thereby
>>making it plausible that it will be a human being on the other end.
>>Problems still happen (e.g. that throws off some humans too), which is
>>why most web sites also have a phone number so that you can get
>>interaction to still receive the information.
>>
>>Security is always an interesting philosophy in a network!
>>
>>
>>Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>>CISSP, JNCIS, et al.
>>IPExpert CCIE Program Manager
>>IPExpert Sr. Technical Instructor
>>swm@emanon.com/smorris@ipexpert.net
>>http://www.ipexpert.net
>>
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Joseph D. Phillips
>>Sent: Wednesday, March 03, 2004 12:26 PM
>>To: Group Study (E-mail)
>>Subject: Passwords
>>
>>I have been told by vendors that SSNs can be faxed and still be secure
>>enough for HIPAA.
>>
>>If e-mailing a non-clear-text image of a password is the practical
>>equivalent, I would rather do that.
>>
>>I do notice that many web sites now make you repeat the characters you
>>see embedded in images, before you can navigate further into the web sites.
>>
>>I'm assuming that's how they make sure it's a human being looking at
>>the web page, and not some mechanical device sniffing information as
>>the page is downloaded.
>>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:13 GMT-3