
In the medical/pharmaceutical space as part of legal operating requirements, everyone has to comply with HIPAA standards (http://health.state.tn.us/hipaa/) for moving personal medical information around. This means that, for example, you'd have to encrypt any email communication sent out with identifiable personal information.

Suppose Company X has created a doctor-facing suite of apps which has been locked down on a specially-provided tablet with MAAS360. The apps themselves go through a web portal which is also readily accessible online but not publicly advertised. If the web portal is not https:// secured, my concern is that this suite may not be complying with HIPAA in protecting patient data when doctors use it.

My questions are:

  1. If a system is not using https but is using some sort of non-https encryption later in the process, is that still secure? (my guess is no?)
  2. ... is that secure enough for HIPAA?
  3. ... are HIPAA security requirements reasonable requirements, or are they bureaucratic nonsense intended to give the illusion of security?
sharedphysics
    I'm not an expert on HIPAA, so I can't give you an informed answer on the last two questions. However, the existence of a publicly available (even if not advertised) portal that handles sensitive data over an unencrypted connection should raise more than a few red flags. It could be the case that the data is encrypted on the client first, before being transmitted. This way, a passive listener may not be able to read the data, but that's only one aspect of the security afforded by https. –  Mar 05 '15 at 02:38
  • Are you telling us that the data sent over the web are encrypted, but not with TLS, or that the data are not encrypted during transmission? (Please edit your question rather than answering with a comment.) Also, note that encryption is *not* enough; authentication is also needed. – Bob Brown Mar 05 '15 at 03:22
  • 3. The HIPAA security requirements are at least mostly reasonable. – Bob Brown Mar 05 '15 at 03:22

1 Answer

3
  1. If it's not encrypted, it's not compliant. It is possible to use plain HTTP if it's always over a VPN, for example, but that doesn't sound like the case here.
  2. More details are needed to properly answer this.
  3. HIPAA is in the right kind of thinking, I believe. It specifies good practices, not specific technology. Of course there's always room for folks to fill just about any requirement with bureaucratic nonsense, but HIPAA doesn't need it to have its requirements met.
Jeff Ferland
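As an added example (not part of the question or the answer above), here is a small Python check for the point the answer makes: a portal reachable over plain HTTP is not protecting data in transit regardless of what the application layer encrypts, a redirect to HTTPS still exposes the first request, and HTTPS without a strong HSTS policy can be downgraded later. The URLs and header values in the test are constructed placeholders.

```python
from typing import Dict, List
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

MIN_HSTS_MAX_AGE = 31536000  # HSTS shorter than one year is treated as too weak


class _NoRedirect(HTTPRedirectHandler):
    # Hand 3xx responses back unchanged so the Location header can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _max_age(hsts: str) -> int:
    """Extract the max-age directive of a Strict-Transport-Security value."""
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return 0


def assess_transport(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for one captured exchange; an empty list means it looks sound."""
    h = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        if 300 <= status < 400 and h.get("location", "").startswith("https://"):
            return ["http redirects to https, but the first request and anything "
                    "it carries (cookies, credentials) still travel in the clear"]
        return ["portal serves plain http: no confidentiality and no server "
                "authentication, whatever the application layer encrypts"]
    if scheme != "https":
        return [f"unexpected scheme {scheme!r}"]
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header: a browser may be "
                "downgraded to http on a later visit"]
    if _max_age(hsts) < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age {_max_age(hsts)} is shorter than one year"]
    return []


def probe(url: str, timeout: float = 10.0) -> List[str]:
    """HEAD one URL without following redirects and assess the response."""
    try:
        resp = build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=timeout)
    except HTTPError as err:  # unfollowed 3xx and 4xx/5xx responses arrive here
        resp = err
    return assess_transport(urlsplit(url).scheme, resp.getcode(), dict(resp.headers))
```

`probe("https://portal.example/")` runs the same assessment against a live portal you are authorised to test; `assess_transport` can be fed headers captured from a proxy or browser developer tools offline.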