#6620 - 02/13/02 06:52 PM Drop Chute
Margie Kahn CMT
Member


Registered: 02/17/99
Posts: 969
Loc: Oakland, California
I received the following reply from Hilgrave, the makers of Drop Chute.

Margie

There are many aspects to the HIPAA regulations.

We satisfy the subset of the HIPAA regulations which relate to the movement of HIPAA sensitive data through the Internet. It is the responsibility of the sender and the receiver to protect the data that is resident on their machines, not DropChute or HyperSend. The fact that someone could gain access to a machine does not invalidate DropChute or HyperSend as a solution, because if they gain access to a machine, they have access to the data on that machine - so the part of HIPAA covering security for that local data has already been compromised BEFORE either DropChute or HyperSend come into the picture.

The user authentication and time out components that he speaks of deal with local network issues, not HyperSend or DropChute.

I hope that helps!

Jeff

#6621 - 02/14/02 01:21 AM Re: Drop Chute
Mike Administrator
Administrator


Registered: 07/11/98
Posts: 2668
For those who feel they are coming into the middle of this discussion, here's a link to what we were talking about before in another thread.

http://www.mtchat.com/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=39&t=000263

I agree with everything he said up to this point:

"...because if they gain access to a machine, they have access to the data on that machine - so the part of HIPAA covering security for that local data has already been compromised BEFORE either DropChute or HyperSend come into the picture."

In a properly implemented solution, someone can gain access to your machine and still not have access to your data. The way you accomplish this is with encryption. You encrypt the data you want to keep secret; now you can give me your machine and your data will be safe. Only users with access to the password can get to the encrypted data. That is one way to ensure user-level authentication.

When one authenticates the machine, like DropChute does, there is no user-level authentication. DropChute checks to make sure the data is going to the right machine, but then doesn't check to verify who is sitting in front of that machine before decrypting the data. A tech working on your computer is the same as you, as far as DropChute is concerned. Here's a sample scenario:

A tech takes my DropChute-enabled computer in for repairs. He fixes whatever is wrong with the computer. He connects it to the Internet to make sure everything is fine in that respect. The next thing he knows DropChute pops up a message saying that he has just received new files. He looks in his download directory, or whatever DropChute calls it, and sees the decrypted files you sent that were intended for my eyes only.

That's the security breach that machine-level authentication allows. It has nothing to do with the data stored on the computer when someone else gains access. That previously stored data can easily be encrypted and secured. It's the new data coming in, which DropChute automatically decrypts, that creates the problem.

"The user authentication and time out components that he speaks of deal with local network issues, not HyperSend or DropChute."

In light of the foregoing information I don't see how this can be accurate. For one thing, if you are transferring confidential files via the Internet that is, for all intents and purposes, your local network.

HIPAA doesn't say that you need to authenticate users and time out their access only if you are on a network. Unless the guidelines have changed, these regulations are in effect for all computers that store confidential patient information, network or not. Wherever there is confidential data there must be some form of protection in place to prevent unauthorized access.

This is one of the reasons that I feel disk encryption like Scramdisk is an essential part of HIPAA compliance.

Mike DeTuri

[ 02-14-2002: Message edited by: Mike ]
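To make the machine-level versus user-level distinction in the post above concrete, here is an added example (not DropChute's or HyperSend's code, and not from either poster): one sender that encrypts to a key stored on the receiving PC, so the file is readable by whoever holds the PC, beside one that encrypts to a passphrase only the intended user knows. The cipher is a demonstration construction from the Python standard library (PBKDF2 plus HMAC-SHA256 in counter mode with an HMAC tag), not the product's real scheme; the salt, key names and passphrase are assumed.

```python
import hashlib
import hmac
import os

SALT = b"demo-salt-16byte"      # assumed fixed salt shared by sender and recipient user
MACHINE_KEY = os.urandom(32)    # lives on the PC itself: anyone holding the PC holds it

def derive_user_key(passphrase: str) -> bytes:
    # Key that exists only while the user supplies the passphrase (user-level authentication).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 100_000)

def _subkeys(key: bytes):
    # Separate encryption and integrity keys (demo construction, not a product's scheme).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a demonstration stream cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Machine-level: sender encrypts to the machine; the machine decrypts on arrival.
def send_machine_level(report: bytes) -> bytes:
    return seal(MACHINE_KEY, report)
def receive_as_anyone_on_machine(blob: bytes) -> bytes:
    # Whoever sits in front of the PC (owner or repair tech) gets the plaintext.
    return open_sealed(MACHINE_KEY, blob)
# User-level: sender encrypts to a passphrase only the intended user knows.
def send_user_level(report: bytes, passphrase: str) -> bytes:
    return seal(derive_user_key(passphrase), report)
def receive_as_user(blob: bytes, passphrase: str) -> bytes:
    # Without the passphrase the received file stays ciphertext on disk.
    return open_sealed(derive_user_key(passphrase), blob)
```

Handing the machine (and MACHINE_KEY) to someone else is enough to read the first kind of file but not the second, which is the point Mike makes about stored data being safe only when the key is tied to the user.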
