RE: Security Design - PIX or Whatever [7:36677]
Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..

MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36679t=36677
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Security Design - PIX or Whatever [7:36677]
The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: Security Design - PIX or Whatever [7:36677]

Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..

MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36684t=36677
Re: Security Design - PIX or Whatever [7:36677]
Don't even get me started on this. I work for an organization that uses employee SSN numbers for validation purposes in a lot of instances. So when I call the Help Desk to complain about e-mail (an ongoing problem) I am asked to provide my SSN to the folks there. In these days of rampant and easy identity theft, how smart is it to allow access to a large database of valid SSN's to practically everyone who asks?

HIPAA??? Isn't that on hold for review? You know, I was reading through one of the drafts and I thought I saw something that floored me - the regulators were stating that multiplexed links such as frame relay and ATM were considered unsecure because different organizations were sharing circuits. The implication was that healthcare organizations would have to move to point to point technologies - most of which end up passing through ATM backbones anyway. Sheesh.

Longer term I believe that security solutions will involve end to end encryption - server to host, on the LAN as well as the WAN, in addition to what is already done on VPN's.

I always liked the HIPAA provision about management responsibility and management fines and jail time for failure to comply. Wish that were so in a lot of other industries where I have worked. ;-

Chuck

William Gragido wrote in message news:[EMAIL PROTECTED]...

> The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 12:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Security Design - PIX or Whatever [7:36677]
>
> Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..
>
> MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36686t=36677
Re: Security Design - PIX or Whatever [7:36677]
That is un friggingbelievable, I give my social to my bank and other parties I have a financial arrangement with, that's it. There must be a better way using keys, a challenge response or something like that.

Bri

On Wed, 27 Feb 2002, Chuck wrote:

> Don't even get me started on this. I work for an organization that uses employee SSN numbers for validation purposes in a lot of instances. So when I call the Help Desk to complain about e-mail (an ongoing problem) I am asked to provide my SSN to the folks there. In these days of rampant and easy identity theft, how smart is it to allow access to a large database of valid SSN's to practically everyone who asks?
>
> HIPAA??? Isn't that on hold for review? You know, I was reading through one of the drafts and I thought I saw something that floored me - the regulators were stating that multiplexed links such as frame relay and ATM were considered unsecure because different organizations were sharing circuits. The implication was that healthcare organizations would have to move to point to point technologies - most of which end up passing through ATM backbones anyway. Sheesh.
>
> Longer term I believe that security solutions will involve end to end encryption - server to host, on the LAN as well as the WAN, in addition to what is already done on VPN's.
>
> I always liked the HIPAA provision about management responsibility and management fines and jail time for failure to comply. Wish that were so in a lot of other industries where I have worked. ;-
>
> Chuck
>
> William Gragido wrote in message news:[EMAIL PROTECTED]...
>
>> The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, February 27, 2002 12:30 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: Security Design - PIX or Whatever [7:36677]
>>
>> Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..
>>
>> MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36690t=36677
Re: Security Design - PIX or Whatever [7:36677]
Chuck,

I work in a health organisation and we are considering implementing some security measures to meet HIPAA standard. Could you please give me the URL where you read about the regulators on Frame-relay and ATM? I had read some time ago that no particular solution will fit all scenarios - each architecture will lend itself to the most appropriate solution that will secure patient information.

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36693t=36677
RE: Security Design - PIX or Whatever [7:36677]
The standards are constantly being revised. Reality is, however, that for those involved in any facet of the medical/healthcare industry there is no escaping it. Bad practices or negligence will only result in the additional issues (both financial and otherwise), for failure to comply.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Wednesday, February 27, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Security Design - PIX or Whatever [7:36677]

Don't even get me started on this. I work for an organization that uses employee SSN numbers for validation purposes in a lot of instances. So when I call the Help Desk to complain about e-mail (an ongoing problem) I am asked to provide my SSN to the folks there. In these days of rampant and easy identity theft, how smart is it to allow access to a large database of valid SSN's to practically everyone who asks?

HIPAA??? Isn't that on hold for review? You know, I was reading through one of the drafts and I thought I saw something that floored me - the regulators were stating that multiplexed links such as frame relay and ATM were considered unsecure because different organizations were sharing circuits. The implication was that healthcare organizations would have to move to point to point technologies - most of which end up passing through ATM backbones anyway. Sheesh.

Longer term I believe that security solutions will involve end to end encryption - server to host, on the LAN as well as the WAN, in addition to what is already done on VPN's.

I always liked the HIPAA provision about management responsibility and management fines and jail time for failure to comply. Wish that were so in a lot of other industries where I have worked. ;-

Chuck

William Gragido wrote in message news:[EMAIL PROTECTED]...

> The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 12:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Security Design - PIX or Whatever [7:36677]
>
> Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..
>
> MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36695t=36677
Re: Security Design - PIX or Whatever [7:36677]
Your employer already has your SSN. But yes, there are better ways of using challenges and secret keys, or whatever.

--
RFC 1149 Compliant.

Brian wrote in message news:[EMAIL PROTECTED]...

> That is un friggingbelievable, I give my social to my bank and other parties I have a financial arrangement with, that's it. There must be a better way using keys, a challenge response or something like that.
>
> Bri
>
> On Wed, 27 Feb 2002, Chuck wrote:
>
>> Don't even get me started on this. I work for an organization that uses employee SSN numbers for validation purposes in a lot of instances. So when I call the Help Desk to complain about e-mail (an ongoing problem) I am asked to provide my SSN to the folks there. In these days of rampant and easy identity theft, how smart is it to allow access to a large database of valid SSN's to practically everyone who asks?
>>
>> HIPAA??? Isn't that on hold for review? You know, I was reading through one of the drafts and I thought I saw something that floored me - the regulators were stating that multiplexed links such as frame relay and ATM were considered unsecure because different organizations were sharing circuits. The implication was that healthcare organizations would have to move to point to point technologies - most of which end up passing through ATM backbones anyway. Sheesh.
>>
>> Longer term I believe that security solutions will involve end to end encryption - server to host, on the LAN as well as the WAN, in addition to what is already done on VPN's.
>>
>> I always liked the HIPAA provision about management responsibility and management fines and jail time for failure to comply. Wish that were so in a lot of other industries where I have worked. ;-
>>
>> Chuck
>>
>> William Gragido wrote in message news:[EMAIL PROTECTED]...
>>
>>> The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>>> Sent: Wednesday, February 27, 2002 12:30 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: Security Design - PIX or Whatever [7:36677]
>>>
>>> Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..
>>>
>>> MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36701t=36677
RE: Security Design - PIX or Whatever [7:36677]
There is a reasonableness component built into HIPAA. There were some rumors about frame relay, amongst other things. Here is a link:

http://aspe.os.dhhs.gov/admnsimp/nprm/sec09.htm

Would frame relay be considered open? It sounds like encryption would be optional.

-Original Message-
From: Victor Alegun [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 2:49 PM
To: [EMAIL PROTECTED]
Subject: Re: Security Design - PIX or Whatever [7:36677]

Chuck,

I work in a health organisation and we are considering implementing some security measures to meet HIPAA standard. Could you please give me the URL where you read about the regulators on Frame-relay and ATM? I had read some time ago that no particular solution will fit all scenarios - each architecture will lend itself to the most appropriate solution that will secure patient information.

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36712t=36677
Re: Security Design - PIX or Whatever [7:36677]
At 02:20 PM 2/27/02, Chuck wrote:

> Don't even get me started on this. I work for an organization that uses employee SSN numbers for validation purposes in a lot of instances. So when I call the Help Desk to complain about e-mail (an ongoing problem) I am asked to provide my SSN to the folks there.

That's awful! You should protest this.

> In these days of rampant and easy identity theft, how smart is it to allow access to a large database of valid SSN's to practically everyone who asks?
>
> HIPAA??? Isn't that on hold for review? You know, I was reading through one of the drafts and I thought I saw something that floored me - the regulators were stating that multiplexed links such as frame relay and ATM were considered unsecure because different organizations were sharing circuits. The implication was that healthcare organizations would have to move to point to point technologies - most of which end up passing through ATM backbones anyway. Sheesh.
>
> Longer term I believe that security solutions will involve end to end encryption - server to host, on the LAN as well as the WAN, in addition to what is already done on VPN's.
>
> I always liked the HIPAA provision about management responsibility and management fines and jail time for failure to comply. Wish that were so in a lot of other industries where I have worked. ;-
>
> Chuck
>
> William Gragido wrote in message news:[EMAIL PROTECTED]...
>
>> The only difference is that those organizations (physicians as well), will be held accountable for violation of HIPAA and face fines and potentially jail time :-(
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, February 27, 2002 12:30 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: Security Design - PIX or Whatever [7:36677]
>>
>> Let's not forget political concerns when trying to do a reasonable level of security. I worked at a healthcare provider and boy, you should have heard the Docs squawk about passwords and pin codes for access to the primary LAN/WAN... to the point that admin overruled the IS dept and special *permission* not to use the security procedures... happens every day..
>>
>> MikeS

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36721t=36677
Re: Security Design - PIX or Whatever [7:36677]
Yeah - HIPAA gets better and better.. not only is the healthcare provider responsible for the security/auditing/tracking of patient data, they are responsible for the security if an off-site Doc connects to the data. This drove one place I was at nuts because in a cost saving fit a few years ago, virtually all the Docs were made contractors.. now it's coming back to haunt them. Not only that but try to convince the management of the provider that they need a security officer.. someone who does nothing BUT security.. that went over like a lead brick.. meanwhile they just whacked a few more bodies before Xmas.. it's going to be a mess.

And it's just not the healthcare providers, one shop I support is a health insurance processing house.. HIPAA is a BIG deal to them.. They are pulling in separate DSL circuits for each contract because they can not get a straight answer if they can consolidate the data from one vendor on the same circuit along with other vendors. VPNs, firewalls, audit tracking for NT etc.. fun stuff..

MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36740t=36677