Just throw on DD-WRT. But know what you are doing!
I will ask this guy. Alert Boot Developer.
http://www.alertboot.com/blog/blogs/end ... reach.aspx
HIPAA/HITECH Data Breach Safe Harbor
It shouldn't be news to any HIPAA covered-entities that the HITECH Act amended HIPAA, or that there is a new data breach notification requirement in that amendment. The new rules went into effect over a year ago, so if you're hearing about this now...well, get moving and secure your data.
Also in the "not-news" category: there is a safe harbor component to the breach notification requirement. Namely, any cases where ePHI (electronic protected health information) is lost but encrypted don't apply to the notification requirement.
There is a caveat, however. Nowhere is it specified what type of encryption one should be using. Instead, readers of the guidelines will notice that they're referred to NIST publications regarding encryption.
On the functional equivalent of a safe harbor:
This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach. [19008 Federal Register / Vol. 74, No. 79 / Monday, April 27, 2009 / Rules and Regulations, my emphasis]
On encryption software and NIST:
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated. [42742 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations]
NIST rules out any encryption that wasn't tested by them, so if you're using something that was contracted out to be built for you, but never validated by NIST, you're not getting safe harbor from the HITECH breach notification requirements. The same goes if you're using encryption software that is outdated, like that found in Windows Word 2003 or earlier, as mentioned by El Emam et al.
It's not just a matter of using encryption. You've got to use the right encryption: FIPS 140-2 validated encryption.
You've Got to Wonder...
Reading the above, you've got to wonder if there are HIPAA-covered entities out there that are essentially breaking the law because they don't know better.