ehr onc final certification - Department of Health Care Services
interim final rule. We have revised the general encryption standard to read as follows:

“Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2.”

The National Institute of Standards and Technology (NIST) published Federal Information Processing Standards (FIPS) Publication 140-2 to specify the security requirements for cryptographic modules. As part of FIPS 140-X conformance, NIST publishes “annexes” of different “approved” security protocols. For purposes of encryption, NIST maintains “Annex A” which identifies “approved security functions.” Annex A identifies both symmetric and asymmetric key encryption algorithms that NIST has identified for use in accordance with FIPS 140-2. In response to commenters’ concerns, we believe that leveraging NIST’s work in this area provides for a clearer requirement for compliance and provides Complete EHR and EHR Module developers with the ability to use one or more secure encryption algorithms for the purposes of demonstrating compliance with this certification criterion. We believe this flexibility will benefit eligible professionals and eligible hospitals because they may be able to leverage a broader suite of secure encryption algorithms. As noted in Special Publication 800-111, which is specified in the guidance included in the breach notification interim final rule for the encryption of data at rest, “[w]henever possible, AES should be used for the encryption algorithm because of its strength and speed.”

We point out that the adopted certification criterion identifies certain discretionary authority that the Secretary is retaining with respect to acceptable encryption algorithms. We have adopted the list of approved encryption algorithms that NIST has identified and
Page 118 of 228