Forum

Devin,

Pg. 282 of the CWSP study guide alludes to the fact that HIPAA requires data encryption through 3DES or AES technology.

Is this difinitive or could it be overstated? HIPAA by design has never stated a specific technology to use.

In my research I have never seen it stated that WEP is specifically non HIPAA compliant. If this is true, can you point me to a reference? Thanks!

Hi Casey,

I'll change "must be" to "should be" because to my knowledge HIPAA doesn't say what kind of technology you must use.

Devinator

You are both right. HIPPA does NOT specify any encryption nor authentication technologies.

Neither does Sarbones-Oxley. FIPS is the only regulations that I am aware of that actually calls out for specific technologies.

WiFi's use in the US Government would be covered under FIPS 140-1 and FIPS 140-2 specifically. The DOD also has a directive 8100.2 that covers wireless specifically for the military.

Devin... I have met people that will make the argument that static WEP is HIPPA compliant. The sad thing is that they are probably right!