I overheard a long-time hospital client talking to another support vendor today. The hospital’s patient accounting department was attempting to send patient financial and billing data to a third-party biller. The vendor’s normal Web site was down, and they were trying to come up with an emergency fix.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
The pressing problem of the moment was how to securely transmit the data from the hospital to the third party. There are, of course, myriad options. The hospital clerk asked if she could e-mail the data file to the third-party vendor using a password-protected and encrypted Winzip file. The vendor’s response was an emphatic and swift rejection. "Winzip encryption is not covered under HIPAA (Healthcare Insurance Portability Accountability Act) guidelines," said the vendor.
The week before, I heard a similar conversation with a national computer support person telling another client of mine that WEP wireless security isn’t covered under the PCI (Payment Card Industry) Data Security Standard.
I wonder if either vendor ever read the source documents they were referring to? While I can think of better, more secure transport methods than an encrypted Winzip file -- and WEP has certainly been proven to be easily broken -- neither the HIPAA nor PCI standards forbid the use of either technology. With the huge exception of the government's FIPS (Federal Information Processing Standards) rules that nonmilitary government agencies and subcontractors must follow, I rarely see a particular technology specified or singled out in any general regulation.
Unless you’ve read the source documents, you might believe that HIPAA says that a hospital must use 256-bit AES encryption or that WPA2 with smart cards are required to meet PCI wireless standards. Nothing could be further than the truth. If you are a security officer and your company falls under an industry or legislative regulatory guideline, I appeal to you to read it before vendors start quoting bogus information.
For example, many companies are still forced to use (admittedly poor) WEP wireless protection because of incompatible hardware or software. Until they upgrade the necessary components, they're stuck with it. The current PCI DSS specification 1.1 says, and I quote: "Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable." A previous sentence recommends that card merchants change their WEP encryption keys from their defaults (see PCI DDS section 2.1.1). Clearly, the PCI DSS standard is promoting WPA but understands that some merchants aren't yet in the position to upgrade.
I heard another IT guy talking about how the PCI standard forbids the storage of credit card numbers and how all the vendors storing credit card numbers are "in violation of the act"” First of all, it's a merchant card program requirement, not an act. Acts are generally codified regulatory compliance laws.