I posted on SMT a while ago that I didn't think DropChute was HIPAA-compliant because someone who was using DropChute said that once they set it up it was automatic. They transferred the encryption keys and then all they had to do was drag and drop the files to the recipient's icon and they appeared on the other computer, automatically decrypted. HIPAA specifies, as far as I know, that there must be user level permissions and individual user authentication in place on workstations that deal with confidential data. Users also must be automatically logged out by the system after an appropriate amount of inactivity.
Maybe the HIPAA regs changed since I last saw them but as far as I know the way that DropChute deals with file transfers isn't compliant. Yes, the encryption component required by the regs may be in place (see below), but this implementation leaves out the user authentication component and the time-out component. Everyone with access to the computer where DropChute is installed has access to your files.
DropChute is authenticating the machine, not the user. If that machine is stolen, the new user has access to your files.
A better and more secure (not to mention HIPAA-compliant) implementation for DropChute would be for it to go ahead and transfer the files, but not decrypt them with the stored key until a user is there to supply the password to unlock the key.
I suppose you could make DropChute HIPAA-compliant from the authentication/time-out perspective if you use disk encryption software like Scramdisk to create an encrypted drive out of a portion of your hard drive. You'd have to install DropChute there. As long as DropChute decrypted the sent files to the Scramdisk drive you should be okay. Scramdisk would lock unauthorized users out of DropChute and it can also be set to encrypt itself after a time of inactivity.
After reading through the manual a little, I notice that unless you are using the Digital Certificate options you may also be open to a man-in-the-middle attack that will allow someone to sit in between you and the recipient and decrypt everything you send.
I found this to be a little concerning on page 3-70 in regard to Digital Certificates:
quote:
Note: When you request your certificate from VeriSign and others, they will ask if you want a certificate with Low, Medium, or High level of security. In order to use your certificate with DropChute, you must request “Low security.” This type of certificate lets DropChute access and use the certificate without manual intervention.
Page 3-72 talks about key sizes:
quote:
The Microsoft cryptographic service provider (CSP) uses 512-bit public/private keys and 40-bit session keys. There is also an enhanced version available on Windows NT that supplies 1024-bit public/private keys and 128-bit session keys.
In order to be HIPAA compliant you need to have at least a 128-bit session key. Let's hope the enhanced version of the CSP is not limited only to Windows NT.
In light of this, I would probably feel safer encrypting my files with a HIPAA-compliant third-party application (like PGP or my own MEP) and then sending them through DropChute as encrypted files, with or without DropChute's security engaged. That way you know you're safe.
If I've glazed anyone's eyes over with this long rambling post please ask questions about what is unclear. 
Mike DeTuri
DISCLAIMER: I have written a HIPAA-compliant encryption program called MEP. Please take my criticism of DropChute and my opinions about its security with a grain of salt and do your own investigation.
P.S.--Margie, the manual also said that you can get the crypto components by upgrading Internet Explorer to 4.0 or later. What version of IE is your client using?
[ 02-06-2002: Message edited by: Mike ]
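Added illustration (not from Mike's post, and not DropChute's or MEP's code) of the "transfer now, decrypt only when a user is present" design the post suggests, plus the inactivity time-out it says the regs call for. The file key is kept on disk only wrapped under a PBKDF2 key derived from the user's password, so the machine by itself holds nothing but ciphertext; a wrong password or a tampered blob fails the MAC check instead of decrypting garbage; and the unwrapped key is dropped from memory after a period of inactivity. Everything here is an assumption for the demo: the names, the 200,000-iteration PBKDF2 setting, and the HMAC-SHA256 counter-mode stream cipher that stands in for AES so the example runs on the Python standard library alone (a real product would use AES-GCM or another AEAD).

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed demo value; tune for real deployments


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from HMAC-SHA256 (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key64: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with a 64-byte key (32 enc, 32 mac): nonce||ct||tag."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = secrets.token_bytes(16)
    ct = stream_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key64: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting anything."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return stream_xor(enc_key, nonce, ct)


def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)


def wrap_key(file_key: bytes, password: str) -> bytes:
    """The only form of the file key allowed on disk: salt || seal(KEK, key)."""
    salt = secrets.token_bytes(16)
    return salt + seal(derive_kek(password, salt), file_key)


def unwrap_key(wrapped: bytes, password: str) -> bytes:
    salt, sealed = wrapped[:16], wrapped[16:]
    return open_sealed(derive_kek(password, salt), sealed)  # ValueError if wrong


class Workstation:
    """Stores the wrapped key permanently, the unwrapped key only while a user
    is present; after `timeout` seconds of inactivity it relocks itself."""

    def __init__(self, wrapped_key: bytes, timeout: float = 300.0, clock=time.monotonic):
        self.wrapped_key = wrapped_key
        self.timeout = timeout
        self.clock = clock  # injectable so inactivity can be simulated in tests
        self.inbox = []
        self._file_key = None
        self._last_activity = 0.0

    def receive(self, sealed_file: bytes) -> int:
        """The transfer needs no user at the keyboard: store ciphertext only."""
        self.inbox.append(sealed_file)
        return len(self.inbox) - 1

    def unlock(self, password: str) -> None:
        self._file_key = unwrap_key(self.wrapped_key, password)
        self._last_activity = self.clock()

    def is_unlocked(self) -> bool:
        if self._file_key is not None and self.clock() - self._last_activity > self.timeout:
            self._file_key = None  # idle too long: forget the key
        return self._file_key is not None

    def read(self, index: int) -> bytes:
        if not self.is_unlocked():
            raise PermissionError("locked: a user must supply the password first")
        self._last_activity = self.clock()
        return open_sealed(self._file_key, self.inbox[index])


if __name__ == "__main__":
    key = secrets.token_bytes(64)
    ws = Workstation(wrap_key(key, "correct horse battery"))
    i = ws.receive(seal(key, b"patient record (constructed sample)"))
    try:
        ws.read(i)
    except PermissionError as e:
        print("before login:", e)
    ws.unlock("correct horse battery")
    print("after login:", ws.read(i))
```

The point of the split is that a thief who walks off with the box gets the wrapped key blob and the sealed files, neither of which is readable without the password, whereas a design that holds the raw key for "automatic" decryption hands both over with the hardware.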