Quote:
Originally Posted by flipper35
I know encryption is an "addressable" issue and not required when it comes to HIPAA compliance, but can someone justify to me why we should continue this partnership?
Here is the situation. We have a partnership with someone who provides certain PHI and the product is written in Java. That Java application then phones home through their website via HTTP port 80. Disregarding the Java crap part for now, how can they provide documentation that addresses the security concerns of transmitting all this in the clear?
Aside from the info being encrypted inside the app before transmitting either direction I can't see how this is compliant.
Thanks.
As you said, either data is pre-encrypted in the app before transmission or they have to do some other non-HTTPS based encryption of the transmitted data - via VPN or SSH tunnel only for example.
Depending on your role in all of this and skill level you should either sniff the traffic yourself (Ethereal/Wireshark or high end enterprise network equipment) or work with a qualified geek from the IT side to do so and determine if it is being sent cleartext or pre-encrypted.
Even if pre-encrypted I can see potential issues (when doing software dev I tend to look at the worst possible edge case and solve it - doing so solves pretty much all the normal stuff) with how that is done. For example, unless each client/instance has their own unique keypair then I'd be asking "why". What encryption algorithm is being used? What version of the library/class include is being used? etc.
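One way to triage what such a capture shows, as an added example that is not part of the original thread: it assumes you have already exported the raw port-80 HTTP requests from Wireshark, the two sample requests below are constructed, and the 7.0 bits/byte entropy threshold and the PHI field-name list are assumptions to tune for your own vendor's format.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed sample requests as they might appear in a port-80 capture of the vendor
# app phoning home (not real traffic); the second carries base64 over pseudo-random
# bytes, standing in for a pre-encrypted payload.
CLEARTEXT_REQUEST = (
    b"POST /sync HTTP/1.1\r\nHost: vendor.example\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"patient":"Jane Doe","dob":"1970-01-01","mrn":"A123456","dx":"E11.9"}'
)
_opaque = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
ENCRYPTED_REQUEST = (
    b"POST /sync HTTP/1.1\r\nHost: vendor.example\r\n"
    b"Content-Type: text/plain\r\n\r\n" + base64.b64encode(_opaque)
)

# Field names and identifier shapes (dates, SSN-style numbers) that should never be readable on the wire.
PHI_MARKERS = re.compile(
    rb'"(patient|dob|mrn|ssn|diagnosis)"|\b\d{4}-\d{2}-\d{2}\b|\b\d{3}-\d{2}-\d{4}\b',
    re.IGNORECASE,
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, usually well under 6 for JSON/XML; 0.0 for empty input."""
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_request(raw: bytes) -> tuple[str, float]:
    """Label a captured request 'opaque', 'cleartext-phi' or 'cleartext' and report its body entropy."""
    body = raw.partition(b"\r\n\r\n")[2]      # everything after the header/body blank line
    probe = body
    try:
        # Base64 caps entropy at 6 bits/byte, so measure the decoded bytes when the body is base64.
        probe = base64.b64decode(body, validate=True)
    except ValueError:
        pass
    entropy = shannon_entropy(probe)
    if entropy > 7.0:
        return "opaque", entropy             # consistent with encryption (or compression; verify which)
    if PHI_MARKERS.search(body):
        return "cleartext-phi", entropy      # readable PHI on port 80: the compliance problem in the question
    return "cleartext", entropy

if __name__ == "__main__":
    for raw in (CLEARTEXT_REQUEST, ENCRYPTED_REQUEST):
        print(classify_request(raw))
```

An "opaque" verdict only says the bytes are not readable; it does not tell you the algorithm, key management or library version, which is what the questions in the post above still have to establish with the vendor.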