IS3230-ACCESS SECURITY
PKI and Encryption at Work
Unit 9 Assignment
8/19/2014
Understanding the issues around regulatory compliance can be a difficult and frustrating endeavor for developers. Most developers do not have a legal background, and regulators generally do not have a background in software development. The result is a failure to communicate: The language and requirements described in legislation are not easy to pin to explicit software requirements. The problem is compounded by the growing diversity of regulations on a variety of levels — state, federal, and international — that now make up a patchwork of compliance requirements with sometimes overlapping applications. This document attempts to bridge this gap and make sense of regulatory compliance from a developer's point of view. We've spent the time reading and analyzing legislation so that you don't have to. While this document may not contain every detail you need, it should provide a good starting point to help you focus on the right areas to be successful in your compliance objectives.
How can PKI be used for achieving regulatory compliance?
Hospitals and health systems, for instance, looking to employ cost-effective, user friendly methods to transfer data through an intranet, extranet, and especially the Internet should give serious consideration to PKI. PKI’s largest roles in HIPAA compliance relate to electronic signatures and message integrity. HIPAA regulations call for signatures to be digital and to ensure the following:
Integrity: “Ensuring, typically with a message authentication code, that a message received matches the message sent.”
Authentication: “The corroboration that an entity is the one claimed.”
Non-repudiation: “Strong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message and the integrity of its contents.”...