# FIPS 140-2, HIPAA



## Excabus (Nov 3, 2010)

Anyone have any experience working to get computer networks into compliance with these two... standards? I have some PDFs for 140-2 and haven't bothered to look into HIPAA yet. It all just seems to be vague, heavily overworded general security mumbo jumbo.

"Your computers should be super secure and awesome."

'Cept imagine that being spoken by the Supreme Court and put down on paper. Any free guides and the sort that just outline what they expect, with some of the verbiage in there? I.e., "Patient Information Data traveling wirelessly must be secured with WPA2-PEAP EAP LEAP MSCHAPV1,000,000 AES."

Thanks!


----------



## Wand3r3r (Sep 17, 2010)

I deal with HIPAA. What business are you in? You understand encryption is only required under certain circumstances?


----------



## Excabus (Nov 3, 2010)

Law Enforcement and Public Safety (fire departments, specifically).


----------



## Wand3r3r (Sep 17, 2010)

Well, except for EMS you are not under HIPAA. HIPAA deals with protecting patient information.

I was never awake when I was in an ambulance, but I don't believe an EMT has access to medical information of the patient at the time of transport. In other words, unless they are receiving information concerning SS#, medical record numbers, full name, address, other identifiers, insurance numbers, etc., HIPAA doesn't apply. Normally EMTs are under a confidentiality clause.

You also need to understand there are two layers: required and addressable.
Required is mandated. Like if transporting the above information over wireless, yes, you must use the highest level of encryption possible to protect the data.

Others, like running IPsec over your WAN links between sites, are not required but "addressable" depending on your situation.

If you web search on "ems hipaa powerpoint" there is a PowerPoint slide show on the subject you may find interesting.


----------



## Excabus (Nov 3, 2010)

Our FDs are also running ambulances and providing EMT services. I can think of only a few scenarios where patient information would go wireless, but we should have the strongest encryption for wireless (that I know of) already in place. That's just good practice.

I will definitely take a look. I was referred to another white paper by one of my instructors at school regarding the law enforcement take on FIPS. So I will see if it's of any help as well.

I will definitely take a gander around the web for that PowerPoint... when I get to work. I gotta run and grab my cup o' joe and get cranking away at the computers for a bit. Thanks much!


----------



## Wand3r3r (Sep 17, 2010)

Encrypting wireless is mandatory. Everything but WPA2 has been hacked, last I heard. Usually police communication is already encrypted using proprietary setups/software.

Be glad you don't work for a hospital and have to deal with HIPAA.
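Wand3r3r's point that only WPA2 with AES still holds up is easy to turn into a check. The script below is an added example for this thread, not something either poster wrote: it parses a hostapd-style access-point config and flags open, WEP, WPA (version 1), TKIP and PSK-only settings, and checks that a WPA-EAP (802.1X) setup actually points at a RADIUS server. The option names (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, ieee8021x, auth_server_addr) are real hostapd keys; the three sample configs and the severities are constructed here for illustration.

```python
"""Audit hostapd-style AP configs for wireless settings that are no longer
acceptable: open, WEP, WPA (v1), TKIP, and PSK where 802.1X is expected.

Added example for this thread; the sample configs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    message: str


def parse_hostapd(text):
    """Parse 'key=value' lines; skip blanks and '#' comment lines.
    Later duplicates overwrite earlier ones, as hostapd itself does."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def assess_wireless(cfg):
    """Return a list of Findings; an empty list means WPA2-only, CCMP-only,
    802.1X-authenticated against a configured RADIUS server."""
    findings = []

    # Any wep_key*/wep_default_key line means WEP is still offered.
    if any(k.startswith("wep_key") or k == "wep_default_key" for k in cfg):
        findings.append(Finding("critical", "WEP keys configured; WEP is broken"))

    wpa = int(cfg.get("wpa", "0"))          # hostapd default: wpa=0 (off)
    if wpa == 0:
        findings.append(Finding("critical", "wpa=0: no WPA/WPA2, clients talk in the clear"))
        return findings                     # nothing else matters on an open AP

    if wpa & 1:                             # bit 1 = WPA (v1), bit 2 = WPA2/RSN
        findings.append(Finding("high", "WPA version 1 enabled (wpa bit 1); restrict to wpa=2"))

    # wpa_pairwise applies to WPA1, rsn_pairwise to WPA2; check both.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(Finding("high", f"{key} allows TKIP; use CCMP (AES) only"))

    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd default: WPA-PSK
    if "WPA-PSK" in key_mgmt:
        findings.append(Finding("medium", "WPA-PSK: one shared passphrase; prefer WPA-EAP for a fleet"))
    if "WPA-EAP" in key_mgmt:
        if cfg.get("ieee8021x") != "1":
            findings.append(Finding("high", "WPA-EAP selected but ieee8021x=1 not set"))
        if "auth_server_addr" not in cfg:
            findings.append(Finding("high", "WPA-EAP selected but no RADIUS auth_server_addr"))
    return findings


def worst_severity(findings):
    """Collapse a finding list to its worst level ('ok' when empty)."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default="ok")


# Constructed sample configs (not from any real deployment).
OPEN_AP = """
interface=wlan0
ssid=FD-Guest
wpa=0
"""

WEAK_AP = """
interface=wlan0
ssid=FD-Legacy
wpa=3
wpa_passphrase=engine-house-12
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

ENTERPRISE_AP = """
interface=wlan0
ssid=FD-Mobile
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=example-secret
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_AP), ("weak", WEAK_AP), ("enterprise", ENTERPRISE_AP)):
        found = assess_wireless(parse_hostapd(text))
        print(f"{name}: {worst_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

Run it as-is to see the three verdicts, or point `parse_hostapd` at a real hostapd.conf. The "weak" sample is the common mixed-mode setup (wpa=3 with TKIP kept for old clients); dropping to wpa=2 and CCMP-only is what removes the two high findings.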


----------



## Excabus (Nov 3, 2010)

Haha, I'm sure it's a joy. As for the police communication, it varies. It really gets cloudy with the mobile data connections. The VPNs are obviously encrypted, AES-256 IIRC, I'm assuming the state data radio is encrypted, and the wifi is obviously WPA2-Ent-AES.

However, I heard that with FIPS you even have to encrypt traffic regarding criminal history across even local segments to protect from internal threats... gah. It's like I keep hearing these tidbits of things various federal and state agencies are requiring for security measures, and I just want to put it all to rest and have some good documentation myself.

Reading time!


----------



## Wand3r3r (Sep 17, 2010)

I have found that those writing these requirements appear to not really understand technology or how to realistically apply it. Good luck on your search.


----------



## Excabus (Nov 3, 2010)

Hey, I haven't found any documents yet. (TBH haven't looked yet.) However, I have the good fortune of being able to pull on some great resources for advice and criticism. (Constructive, mind you.)

It seems so far during our implementation of new equipment and infrastructure we haven't butchered things too bad. Most of the concern lies with the EMTs and the FDs. A lot of their stuff that's in place is out of compliance and needs to be worked on. However, funding resources to do so is kind of sketchy... (i.e., convincing someone to spend a dime on crap that sits in the server closet).

So things are going fairly decent. Not too extremely concerned with FIPS though, as we are doing a pretty good job of keeping things strung up nice and tight.


----------

