HCFA releases final Internet policy

The Health Care Financing Administration (HCFA) in Baltimore issued a bulletin on Nov. 24, 1998, that formalized its policy and guidelines for the security and appropriate use of the Internet to transmit HCFA Privacy Act-protected and other sensitive HCFA information.

The Privacy Act of 1974 mandates that federal information systems protect the confidentiality of individually identifiable data. The Internet policy covers all systems or processes that use the Internet, or interface with the Internet, to transmit HCFA Privacy Act-protected and/or other sensitive HCFA information, including Virtual Private Network and tunneling implementations over the Internet. Non-Internet Medicare/Medicaid data communications processes (such as use of private or value-added networks) are not changed or affected by the Internet policy.

As of November 1998, HCFA considers minimally acceptable a level of encryption protection equivalent to that provided by an algorithm such as Triple 56-bit DES (defined as 112-bit equivalent) for symmetric encryption, 1,024-bit algorithms for asymmetric systems, and 160 bits for the emerging elliptic curve systems.

As stated in the policy, HCFA reserves the right to increase these minimum levels when advances in the techniques and capabilities that attackers use to break encryption, such as a brute-force exhaustive search, make it necessary.

(For more information about HCFA’s draft Internet policy, see Hospital Payment & Information Management, November 1998, p. 163.)

To view HCFA’s final policy, visit the Web site at http://www.hcfa.gov/security/isecplcy.html.