
Digital signature is part of the security matrix.

Posted by Annie on January 19, 2005 at 00:59:14
In Reply to: My thoughts also.sm posted by Bunny on January 18, 2005 at 21:20:16:
The main concern is authentication and transportability. The document goes through several "hands" and at each point needs to be verified, thus the digital signature (a private key, PGP, , etc.)

http://www.hipaadvisory.com/action/legalqa/advisor/HIPAAdvisor2.htm

This is taken from regulation:

Various technologies may fulfill one or more of the requirements specified in the matrix. Authentication systems (passwords, biometrics, physical feature authentication, behavioral actions and token-based authentication) can be combined with cryptographic techniques to form an electronic signature. However, a complete electronic signature system may require more than one of the technologies mentioned above. If electronic signatures would be used, certain implementation features must be included, specifically: Message integrity. Nonrepudiation. User authentication.

Currently there are no technically mature techniques that provide the security service of nonrepudiation in an open network environment, in the absence of trusted third parties, other than digital signature-based techniques. Therefore, if electronic signatures are employed, we would require that digital signature technology be used.

A digital signature is formed by applying a mathematical function to the electronic document. This process yields a unique bit string, referred to as a message digest. The digest (only) is encrypted using the originator's private key and the resulting bit stream is appended to the electronic document. The recipient of the transmitted document decrypts the message digest with the originator's public key, applies the same message hash function to the document, then compares the resulting digest with the transmitted version. If they are identical, then the recipient is assured that the message is unaltered and the identity of the signer is proven. Since only the signatory authority can hold the Private Key used to digitally sign the document, the critical feature of nonrepudiation is enforced.

Other electronic signature implementation features that may be used follow: Ability to add attributes. Continuity of signature capability. Countersignatures capability. Independent verifiability. Interoperability. Multiple signatures. Transportability.

http://aspe.hhs.gov/admnsimp/nprm/sec10.htm

Following: HIPAA proposed standards for security and electronic signatures (basically describes the same issues) but in chart form.

http://www.hipaadvisory.com/regs/securityandelectronicsign/addendum3.htm

Note: The mappings are not inclusive, and addendums need to be researched.
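
The sign-and-verify steps in the regulation text quoted above, as an added example that is not part of the original post: the digest alone is transformed with the private key and appended, and each "hand" re-hashes the document and compares. Assumptions: textbook RSA without padding and constructed toy keys built from Mersenne primes, used only to make the steps visible; all function and variable names are hypothetical, and a real system would use a vetted library with a padded scheme such as RSASSA-PSS.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Textbook RSA key from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)

def digest(document: bytes) -> int:
    """The 'message digest': SHA-256 of the document as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private) -> dict:
    """Transform only the digest with the private key and append it."""
    d, n = private
    return {"document": document, "signature": pow(digest(document), d, n)}

def verify(envelope: dict, public) -> bool:
    """Recover the digest with the public key, re-hash, and compare."""
    e, n = public
    return pow(envelope["signature"], e, n) == digest(envelope["document"])

# Constructed toy keys (assumption): Mersenne primes are publicly known,
# so these keys are for illustration only and provide no security.
ORIGINATOR_PUB, ORIGINATOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)

def demo() -> dict:
    report = b"Constructed sample report: dosage 5 mg"  # constructed input
    signed = sign(report, ORIGINATOR_PRIV)
    results = {}
    # The envelope passes through three "hands"; each verifies independently.
    results["intact"] = all(verify(signed, ORIGINATOR_PUB) for _ in range(3))
    # Message integrity: any change to the document breaks the comparison.
    altered = dict(signed, document=report.replace(b"5 mg", b"50 mg"))
    results["altered"] = verify(altered, ORIGINATOR_PUB)
    # Signer identity: a signature made with another private key does not
    # verify under the originator's public key.
    wrong_signer = sign(report, OTHER_PRIV)
    results["wrong_signer"] = verify(wrong_signer, ORIGINATOR_PUB)
    return results

if __name__ == "__main__":
    print(demo())
```
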