Uh-oh. I spot a number of issues here. First off, if you concern is whether
or not you are HIPAA compliant for not using encryption, it is too soon to
know for sure - there is no final security regulation out. But from the
standpoint of risk management, this is very inappropriate. Home PCs as
workstations, maybe, but ONLY under strict policy controls which include
prohibitions against PC uses which could compromise data security - that's
more important that encryption, if I had to rank them. (Using Hotmail, on
the other hand, seems to be going to the opposite extreme, if anything.) I
can tell you that over the past several months I have been giving talks to
physician practices around the state of Washington (for the medical
association) and this is the kind of practice we red-flag and warn against.
(Let me know off-list if you want more info on the WSMA materials.) This
goes in spades for the advice I give hospital clients, who are even more
information-system dependent and can afford better solutions.
From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388
* johnc@private
Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail
may be accessible to unauthorized viewers, e-mail content may have been
modified or corrupted, and e-mail headers or signatures may incorrectly
identify the sender. If you wish to confirm the contents of this message or
identity of the sender, or wish to arrange for more secure communication
please contact me using a communications channel other than a "reply" to
this e-mail. Thank you.
-----Original Message-----
From: Heidi [mailto:mcps@private]
Sent: Friday, November 30, 2001 8:18 AM
To: CRIME
Subject: CRIME secure mail programs/internet
As I have seen here on the list that some do not recommend that Outlook or
Outlook Express be used for e-mail due to security holes, I would appreciate
recommendations. This would be for people working on home computers, who
have medical information stored on their systems. These are only connected
to a network when they log in to transfer their work to the network. When
the work is transferred they log in using a VPN. Otherwise, they are
stand-alone PCs, which are used by some of the people for their work, as
well as personal internet use. Hotmail is being used on the network end to
send information to the home PCs. The concern here is when these people are
surfing the internet that the medical files would be vulnerable to access,
especially after reading the latest advisory sent below, in relation to
internet explorer and previous postings I have read here on the list about
not using Outlook. This system for these people is fairly new and they are
in the learning stages of file protection, VPN, etc.
Also, does any one in the medical related industry know what the dates are
that we will have to be complaint using encryption on our files, and if
there will be training provided using the required encryption, etc. to meet
the compliance requirements for HIPA? . I have been asked by my employer to
relay any of this information regarding security issues back to them. Thank
you for any help in advance. Heidi
This is the latest advisory I make reference to:
National Infrastructure Protection Center
"Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
Assessment 01-028
29 November 2001
You can respond to me individually at mcps@private <mailto:mcps@private> .
Thank you, Heidi Henry
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:13 PDT