-
HIPAA
I read in some presentation that DES, 3DES, AES are all acceptable by HIPAA but not RSA.
Is it so? Why?
I am looking for the least complex algo that I should use if I were to pass HIPAA compliance. I am sending some data using sockets to my internet server from PDAs and mobile phones using J2ME.
-
I'm not sure if that's true, but it's ridiculous if it is. The congressmen who wrote HIPAA should read "Cracking DES" by the EFF.
-
You may have already read through this one but in case you haven't:
An Introductory Resource Guide for Implementing the HIPAA Security Rule
Also if it is possible that people from outside the US could receive your data you may want to look into Safe Harbor as well.
My work has only been related to sending out data for testing purposes so I only had to worry about making sure the actual data itself was "scrambled". Not something like you appear to be doing.
-
If I understand what you are doing... your process falls under the Privacy Regulations of the HIPAA Guidelines.
Are you transmitting "identifiable Patient Health Information"?
Are you also storing it on the server?
The actual regulations, although fairly long, are also VERY grey. They say the data needs to be secured but are not specific on what method to use.
Until it is tested in court no one will know for sure. What I have seen in the industry so far is any decent encryption method is OK and many of the ones you mentioned are being utilized.
I know this does not totally answer your question but if you are a Healthcare organization you should have a Privacy Officer, he/she should be able to give you more direction.
Any time I have to do anything with patient data I always run it past our Privacy Officer. Just to cover my butt :)
m2
-
Quote:
Originally posted here by Jareds411
I'm not sure if that's true, but it's ridiculous if it is. The congressmen who wrote HIPAA should read "Cracking DES" by the EFF.
EFF only cracked a 56-bit key.
HIPAA can use any encryption that uses at least a 128-bit symmetric key or 1024-bit asymmetric key.