Registered
HIPAA Issue/Question
I know encryption is an "addressable" issue and not required when it comes to HIPAA compliance, but can someone justify to me why we should continue this partnership?
Here is the situation. We have a partnership with someone who provides certain PHI and the product is written in Java. That Java application then phones home through their website via HTTP port 80. Disregarding the Java crap part for now, how can they provide documentation that addresses the security concerns of transmitting all this in the clear? Aside from the info being encrypted inside the app before transmitting either direction I can't see how this is compliant. Thanks.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
Join Date: Mar 2003
Posts: 10,338
Depending on your role in all of this and your skill level, you should either sniff the traffic yourself (Ethereal/Wireshark or high-end enterprise network equipment) or work with a qualified geek from the IT side to do so and determine if it is being sent cleartext or pre-encrypted. Even if pre-encrypted I can see potential issues (when doing software dev I tend to look at the worst possible edge case and solve it - doing so solves pretty much all the normal stuff) with how that is done. For example, unless each client/instance has their own unique keypair then I'd be asking "why". What encryption algorithm is being used? What version of the library/class include is being used? etc.
Registered
If at any point the data in motion is unencrypted and clear, then it is not compliant. But, are you sure that is the case? I've seen workarounds where things like http traffic are directed through a tunnel.
Unregistered
Join Date: Aug 2000
Location: a wretched hive of scum and villainy
Posts: 55,652
Yeah. What they said.
Too big to fail
how can they provide documentation that addresses the security concerns of transmitting all this in the clear?
I can't think of anything that would address the security concerns of transmitting in the clear, other than "don't do that". Full Stop.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had." '03 E46 M3 '57 356A Various VWs
Registered
I am on the IT side and could not see any way, shape or form that this could be compliant. That said I ain't always the sharpest crayon in the box and wanted a couple other opinions.
At this point I have said that we will not use the app until further clarification is given. I can't fathom why someone would not spend a few hundred and go at least TLS. I have since found out that no part of the website uses SSL or TLS, so when the nurse or caregiver logs on, that info is sent clear text. Holy crap! On a side note, that place has gone through some changes recently and this is the result. Thank you all for your help.
__________________
Brent
Control Group
This is not Kosher, WRT HIPAA
__________________
She was the kindest person I ever met
Registered
Join Date: Dec 1969
Location: chula vista ca usa
Posts: 5,700
The questions I would ask are: the application is written in Java, so what, but how is it stored BEFORE it is transmitted to your system? Is it in an Oracle database with encrypted fields and tables or in some sort of in-house created data structure like a linked list?

Next is what happens to the data once it is encrypted and sent to you? Do they save it away somewhere on the server or delete it or ???? Next is what is on your end, i.e. an Oracle database with encrypted fields and tables, and how is it imported into your system? Once you import it, what do you do with the files, save them, delete them, ??????

Last of all, is there a particular reason they don't use HTTPS or VPN or other somewhat secure transmission method, and why is no one watching their transmission path, i.e. the stops and jumps, to see who is watching what they send or you gather?

Some references:
https://www.healthcareitnews.com/blog/9-steps-secure-phi-file-transfer-under-new-hipaa-rule
http://www.onlinetech.com/resources/references/what-is-hipaa-compliance

And finally:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

I would venture to say your company is just waiting to get a huge shaft from the government if someone raises hell!
Registered
What is on their end I am worried less about but I would bet it is in SQL in the clear. Just a guess on my part but based on what I see that is my assumption.
The info is certainly stored on their end as we can look the info up at any time for any time frame. Nothing is stored on our end, the results of the query are populated in fields on the application real time, just like a web site. I can think of no reason they couldn't use a certificate on their end. I can't think of any case where this can be compliant which is why I am asking here, in case I missed or misinterpreted something. I looked through those resources and came here to verify those. Thanks.
__________________
Brent
Registered
Before you get too far with your assumptions, I believe that you should validate that the transmission of data is in fact "in the clear".
If it were me, on the system that I am using to look up data on their system I would install Wireshark and perform a packet capture when retrieving some records. If you parse that capture for any of the information that appears on your screen and get results, you then know that there is a problem. If not, go get a drink and relax.
Registered
Join Date: Mar 2004
Location: La Crosse, WI
Posts: 1,344
Edit: This isn't a 3 letter app from Sauk City WI, is it? Last edited by rockfan4; 11-05-2018 at 09:00 PM.. Reason: Added a question |
Registered
Join Date: Mar 2003
Posts: 10,338
That said, there is that slight possibility of them encrypting client side and sending - sniff the traffic and find out.
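The two posts above both come down to "capture a lookup and search the bytes for what you saw on screen". The script below is an added example for this thread, not code from the thread or from the vendor's product. It parses a classic pcap (Ethernet/IPv4/TCP) without needing scapy or tshark, reassembles each one-directional TCP flow, flags whether the stream starts like cleartext HTTP or like a TLS record, and searches it for the PHI values you typed or saw. The capture it runs on is constructed inline; the addresses (10.0.0.5, 203.0.113.10), the port 28001, the patient record and the credentials are made up and stand in for a real Wireshark/tcpdump capture of the Java client talking to the portal.

```python
"""Search a pcap for PHI strings sent in cleartext (added example, constructed data)."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap file."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[data_off:]


def classify(stream: bytes) -> str:
    """Cheap first-bytes classification: TLS record header, cleartext HTTP, or unknown."""
    # TLS record: content type 0x16 (handshake), version bytes 0x03 0x00..0x04
    if len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03 and stream[2] <= 0x04:
        return "tls"
    if stream.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/")):
        return "http-cleartext"
    return "unknown"


def audit(pcap: bytes, needles):
    """Reassemble each one-directional TCP flow and search it for the needle strings.

    Assumption: segments appear in order with no retransmissions, which holds for a
    short capture of one lookup; use Wireshark's Follow TCP Stream for anything messier.
    """
    flows = {}
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        key, data = parsed
        flows.setdefault(key, bytearray()).extend(data)
    return [
        {"flow": key, "kind": classify(bytes(stream)),
         "hits": [n for n in needles if n.encode() in stream]}
        for key, stream in flows.items()
    ]


# --- constructed sample capture (not a real one) ---
def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1541458800 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = (b"POST /lookup HTTP/1.1\r\nHost: portal.example\r\nContent-Type: application/json\r\n\r\n"
           b'{"user":"nurse1","password":"hunter2","patient":"Jane Doe","dob":"1965-04-12"}')
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
            b'{"patient":"Jane Doe","dob":"1965-04-12","allergies":["penicillin"]}')
# Opaque bytes behind a TLS handshake record header, standing in for an encrypted session.
TLS_LOOKING = b"\x16\x03\x01\x00\x2f" + bytes((i * 37 + 11) & 0xFF for i in range(47))

SAMPLE_PCAP = _pcap([
    _frame(CLIENT, 51234, SERVER, 80, REQUEST),
    _frame(SERVER, 80, CLIENT, 51234, RESPONSE),
    _frame(CLIENT, 51235, SERVER, 28001, TLS_LOOKING),
])

if __name__ == "__main__":
    for entry in audit(SAMPLE_PCAP, ["Jane Doe", "1965-04-12", "hunter2"]):
        print(entry)
```

On a real capture, replace SAMPLE_PCAP with `open("lookup.pcap", "rb").read()` (save from Wireshark as pcap, not pcapng) and pass the patient name, DOB and the login password as needles. A flow classified "tls" with no hits is what you want to see; a flow classified "unknown" with no hits is the "encrypted inside the app" case the earlier reply warned about and still deserves the key-management questions; any hit, on port 80 or in the 28000 range, is the finding.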
Slackerous Maximus
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,179
Not using SSL. Absurd.
__________________
2022 Royal Enfield Interceptor. 2012 Harley Davidson Road King 2014 Triumph Bonneville T100. 2014 Cayman S, PDK. Mercedes E350 family truckster.
You do not have permissi
Join Date: Aug 2001
Location: midwest
Posts: 39,908
https://www.cbsnews.com/news/healthcare-gov-server-hacked/
"A government security team last month found malware on a Health and Human Services (HHS) server that supports the Obamacare website HealthCare.gov, HHS confirmed to CBS News on Thursday."
__________________
Meanwhile other things are still happening.
Registered
So, they finally responded back and said they do use a certificate and it gets installed on our end. Um, no. It does not install a certificate and pops right up and asks us to check the box to accept all risk. He also said because it is Java it is secure since it isn't a web site.
This is the same company that was out of compliance a couple years ago forcing people to use an EoL version (6.x I think) of Java so I don't have a lot of confidence accepting that just because he says so it is secure. It does appear that after the initial communication to check for updates it does go to a different port, up in the 28000 range. Not that it is any more secure for anyone monitoring traffic.
__________________
Brent