Crawford Rainwater wrote:
> Found from a TechRepublic email, was wondering folks' thoughts
> on it?

Well, if it will get you consulting gigs, it's going to be worth a fortune.
The new HIPAA security regs came out today. They contain no earthshaking technical requirements, but they do have one surprising expansion: they cover all data whether in transmission or in storage no matter where the physical location. The money comes in because everyone is going to have to perform security audits and provide staff training and documentation of all technical decisions and auditing activities...
So for example, encryption during transmission is called 'addressable', which means you don't have to do it, but you have to explain why you don't have to do it, and this means from one server to one sitting right beside it on a dedicated wire! I.e., it's easily explainable why you don't have to encrypt it, you just have to keep an official book around with that explanation in it referencing the appropriate security risk analysis you did referenced to the regulation.
