Uh-oh. I spot a number of issues here.

First off, if your concern is whether or not you are HIPAA compliant for not using encryption, it is too soon to know for sure - there is no final security regulation out. But from the standpoint of risk management, this is very inappropriate. Home PCs as workstations, maybe, but ONLY under strict policy controls which include prohibitions against PC uses which could compromise data security - that's more important than encryption, if I had to rank them. (Using Hotmail, on the other hand, seems to be going to the opposite extreme, if anything.)

I can tell you that over the past several months I have been giving talks to physician practices around the state of Washington (for the medical association) and this is the kind of practice we red-flag and warn against. (Let me know off-list if you want more info on the WSMA materials.) This goes in spades for the advice I give hospital clients, who are even more information-system dependent and can afford better solutions.

From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388 * johnc@private

Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail may be accessible to unauthorized viewers, e-mail content may have been modified or corrupted, and e-mail headers or signatures may incorrectly identify the sender. If you wish to confirm the contents of this message or identity of the sender, or wish to arrange for more secure communication please contact me using a communications channel other than a "reply" to this e-mail. Thank you.

-----Original Message-----
From: Heidi [mailto:mcps@private]
Sent: Friday, November 30, 2001 8:18 AM
To: CRIME
Subject: CRIME secure mail programs/internet

As I have seen here on the list that some do not recommend that Outlook or Outlook Express be used for e-mail due to security holes, I would appreciate recommendations.
This would be for people working on home computers, who have medical information stored on their systems. These are only connected to a network when they log in to transfer their work to the network. When the work is transferred they log in using a VPN. Otherwise, they are stand-alone PCs, which are used by some of the people for their work, as well as personal internet use. Hotmail is being used on the network end to send information to the home PCs.

The concern here is when these people are surfing the internet that the medical files would be vulnerable to access, especially after reading the latest advisory sent below, in relation to Internet Explorer and previous postings I have read here on the list about not using Outlook. This system for these people is fairly new and they are in the learning stages of file protection, VPN, etc.

Also, does anyone in the medical related industry know what the dates are that we will have to be compliant using encryption on our files, and if there will be training provided using the required encryption, etc. to meet the compliance requirements for HIPAA?

I have been asked by my employer to relay any of this information regarding security issues back to them. Thank you for any help in advance.

Heidi

This is the latest advisory I make reference to:

National Infrastructure Protection Center
"Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
Assessment 01-028
29 November 2001

You can respond to me individually at mcps@private.

Thank you,
Heidi Henry
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:13 PDT