If I'm not mistaken, Denial of Service (DoS) attacks are often targeted at the protocol layer: an attacker only needs the IP address of the "mark" - logon IDs and passwords aren't necessary to commence a DoS attack. I guess a payer might therefore want to keep his portal's IP address or URL a "secret," but how long can you hide this kind of stuff from a hacker? There are technical solutions to thwarting DoS attacks, but they are out of scope for our project. It's incumbent upon the payer's network administration staff to solve this problem using existing methods and technologies. The solution is not to place barriers in front of providers, forcing them to go through onerous EDI enrollment processes just so they can submit a HIPAA standard transaction.
When designing the automated Healthcare Registry for electronic partner profiles, we can address fraud only insofar as we can guarantee identity through the use of X.509 technology and CA-signed digital certificates. We can only assure folks that only the entity which "owns" a particular ID (e.g., a NAIC company code, Tax ID or National Provider ID) can create the CPP (electronic partner profile) which purportedly belongs to it. I addressed this issue in Re: Updated CPP Spreadsheet and Model Diagram, at http://www.mail-archive.com/routing@wedi.org/msg00575.html.

The open-portal concept certainly does not exclude VANs from participating. Sure, VANs have setup considerations for their *own* customers - as do Healthcare clearinghouses. But how often does one sign up for a VAN or Clearinghouse? - probably not too often: you only need the services of one of them (assuming yours can interconnect with other intermediaries and switches). There's nothing in our model to keep a provider from sending all of its standard transactions through its own VAN (or CH), who in turn uses the Healthcare CPP Registry to figure out how to send interchanges to "unknown" payers' open-portals. Likewise, a Healthcare entity may very well host its "open-portal" at a VAN (or CH), and its CPP's EDI Address would simply reflect the address of the intermediary.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "David Frenkel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, 28 May, 2002 08:43 PM
Subject: RE: TA1 responding to non-participating health care providers

The idea of an open portal/gateway to the outside world might open the door for the equivalent of a denial of service attack which if only for security reasons would be a headache. There would have to be a mechanism in place to ensure that whoever is sending the EDI transaction is a legitimate provider.

This open portal concept would also knock out any VANs from participating since they all require trading partner pre-setup (for charges).

Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
425-260-5030