Is encryption required over dial-up lines? Is the Background part of the Security and Privacy regulations true requirements?
Encryption is required over open networks and dial-up lines are considered open networks. The Technical Security Mechanisms section of the Security NPRM is very clear in requiring encryption over “open networks”. Also: Security NPRM – Federal Register Page 43255 – 1st half of the first column. Excerpts: “When using open networks some form of encryption should be employed…” AND “These controls would be important because of the potential for compromise of information of open systems such as the Internet or dial-in lines”. This lumps dial-in lines into the open network category that requires encryption. Although there were many comments objecting to the necessity of encrypting dial-in lines, my feeling is that the odds lean toward keeping the requirements for encrypting dial-in lines in the final rule.I would also expect that final rule would better clarify the position and HHS would address the comments regarding dial-in lines in the comment-response section of the preamble. Requiring
