| # | Issue | Discussion | Recommendation |
|---|---|---|---|
| 1 | Precisely under what conditions are providers subject to regulation? | Sec 1172(a) clearly limits applicability of the standards to providers who transmit health information in connection with the listed health care transactions. Extending the scope of the security standard to all electronically maintained or communicated health information obscures this fact and leads to confusion. | Provide language that specifically excludes from regulation providers who maintain health data electronically but do not engage in electronic transmission of the listed health care transactions. |
| 2 | The regulation requires development of security mechanisms to protect against "misuse" before standards of appropriate "use" and "misuse" have been developed. | Covered persons cannot complete development of security solutions until the Sec 264 privacy standards are created. Any delay in creating the privacy standard negatively impacts the ability of covered persons to comply with the security regulations. | Add a stipulation to mitigate the negative impact of any delay in providing the Sec 264 privacy standard. |
| 3 | Exclusion of fax and IVR from regulation. | Fax and IVR provide electronic access to sensitive patient information. The limited "bandwidth" of these channels to health information does not, in itself, protect that information. If anything, the limited nature of the "input device" (i.e. the telephone keypad) makes PINs and similar security devices, by themselves, suspect. | Eliminate the IVR and fax exclusion. |
| 4 | Why is a "chain of trust" agreement needed for clearinghouses? | As clearinghouses are otherwise covered by the regulation, a "chain of trust" agreement does not add to overall security; certification of the clearinghouse's compliance with the regulation should be sufficient. | Eliminate the requirement for a "chain of trust" agreement for intermediaries otherwise subject to the regulation. |
| 5 | For purposes of "risk analysis", is all health information considered equally "sensitive"? | Risk analysis presumes that a cost can be assigned to any potential loss. In the NPRM and elsewhere (e.g. the "principles" included in the HHS Sec 264 Recommendations) all information is to be treated as equally sensitive. If so, "cost" becomes only a measure of the likelihood of exposure. This may lead to irrational results: systems holding large amounts of routinely collected data would be afforded more protection than systems holding significantly smaller amounts of extraordinary data, whereas common sense suggests more sensitivity about the extraordinary than the routine. | Clarify the impact of the "equal sensitivity" assumption on "risk analysis". |
| 6 | At what level is data to be "authenticated"? | The NPRM defines data as merely a sequence of symbols to which meaning is assigned. The regulation proposes authentication mechanisms that have the effect of corroborating the meaning of characters, data elements, records, and messages. Does all data have to be authenticated at each of these levels? What principle should guide the selection of some authentication and not others? Data authentication relies on large amounts of metadata containing the corroborating information. Does the metadata itself need to be authenticated? What security mechanisms for the metadata are required? | Clarification. |
| 7 | The mandatory "automatic log-off" requirement is not applicable to all technology. | The NPRM expresses a desire to be technology "neutral" and generally applicable to any information solution that organizations may adopt. "Automatic log-off" is only meaningful for interactions that persist in "sessions". Stateless protocols (such as HTTP 1.x) do not generally involve sessions; for them "auto log-off" provides no additional security. | Change the language so that "automatic log-off" is mandatory only for systems with persistent sessions. |
| 8 | The list of acceptable authentication mechanisms does not include public key challenge-response used in conjunction with digital certificates. | Challenge-response systems based on public key cryptography and digital certificates are the basis of scalable authentication and will be found in all next-generation network products (e.g. NetWare 5, Kerberos 6 and NT 5). This is also how authentication occurs on the Web with SSL. | Add "cryptographic challenge-response using digital certificates" or similar. |
| 9 | Is "unique user identification" required? | For technical security services, "unique user identification" is required, whereas when information is accessed over a network the requirement is stated only as "entity authentication". It is irrational to require "unique user identification" in a local environment subject to any number of physical controls and then allow weaker authentication over a network, which will always be less under the physical control of the system owner. | Explicitly state that the "entity authentication" requirement includes "unique user identification", as in the technical security services. |
| 10 | What standards will be adopted for digital certificates? | The value of digital signatures is limited by, among other things, the trustworthiness of the signer's digital certificate. However, the standard does not address how trust in certificate authorities is to be established or what scrutiny should be applied to the operations of CAs. Nor does it address the valid uses of internally generated or "self-signed" digital certificates. | Clarify the role of certificates and certificate authorities in establishing the standard. |
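
Items 8 and 10 above describe certificate-based challenge-response authentication and ask how trust in the certificate's issuer is to be established. The Go program below is an added example, not part of the original comments or of any HIPAA text: a hypothetical "Hospital CA" issues a client certificate, the server sends a random nonce, the client signs it, and the server accepts the response only if the presented certificate chains to the trusted CA and the signature over the nonce verifies. A self-signed certificate bearing the same name is rejected at the chain check (the item 10 point), and a response captured for one nonce is rejected when replayed against another. The names, serial numbers and helper functions are assumptions made for this example; it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a private key with the certificate that binds its public half to a name
// (hypothetical helper type for this example).
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// makeIdentity generates a P-256 key and a certificate for it. With parent == nil the
// certificate is self-signed; otherwise it is issued and signed by parent (the CA).
func makeIdentity(name string, serial int64, isCA bool, parent *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuerCert, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{key: key, cert: cert}, nil
}

// newChallenge returns a fresh 32-byte random nonce. Freshness is what makes a captured
// response useless for replay: it answers this one challenge only.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// respond is the client side: sign the server's nonce with the private key whose
// public half is certified in the client's certificate.
func respond(client *identity, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, client.key, digest[:])
}

// verifyResponse is the server side. It first decides whether the presented certificate
// is trustworthy at all (chains to the trusted root), and only then checks the signature
// over the nonce. On success it returns the authenticated name from the certificate.
func verifyResponse(root, presented *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported public key type %T", presented.PublicKey)
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("response does not match challenge")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, _ := makeIdentity("Hospital CA", 1, true, nil) // hypothetical trust root
	alice, _ := makeIdentity("alice", 2, false, ca)    // certificate issued by the CA
	mallory, _ := makeIdentity("alice", 3, false, nil) // self-signed, same name
	nonce, _ := newChallenge()
	sig, _ := respond(alice, nonce)
	fmt.Println(verifyResponse(ca.cert, alice.cert, nonce, sig)) // alice <nil>
	sig, _ = respond(mallory, nonce)
	fmt.Println(verifyResponse(ca.cert, mallory.cert, nonce, sig)) // rejected: unknown authority
}
```

The order of the two checks in verifyResponse is the point of item 10: a valid signature proves only that the responder holds the private key matching the presented certificate; it is the chain check against a trusted CA that ties that key to the claimed name. Without a decision about which CAs to trust and how they are operated, the signature check alone accepts any self-signed certificate.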