sci.crypt archive

Re: Newbie naive question, perhaps - - be kind

From: John E. Hadstate <jh113355@hotmail.com>
Date: Sun Oct 16 2005 - 15:44:07 CEST

"Tom McCune" <news1@DELETE_THISmccune.cc> wrote in message
news:R5s4f.48681$Xl2.23425@twister.nyroc.rr.com...

> I'm a psychologist in a state psychiatric center. My understanding is that
> the server used for PHI is not encrypted, but instead meets HIPAA
> requirements by its authentication requirements. We cannot store any PHI on
> our local drives, or other network drives.

If what you say is literally true, it's yet another case of
"the Emperor's new clothes." If you're transmitting
plaintext over a party-line network (and who isn't), anyone
with a cheap computer can sniff the packets and capture the
data. The fact that they only have to look at traffic going
to one server makes it that much easier. There are
technical weapons available to combat this problem
(encrypted VPNs to the server, for example).

If the compromise of patient information could get you in
legal hot water (assume it will), you should really look
into this in more detail. Don't trust your practice to a
security design by some snake-oil salesman. Down that road
lies great sorrow. Would you put a bank vault door on a
cardboard shack? Would you pay armed guards to protect your
business office and hire an illegal alien to carry your
money to the bank? Use your common sense to evaluate what
you're told. Security is complicated, but not generally
incomprehensible or even counterintuitive.
Received on Mon Oct 17 20:48:24 2005