Back in July 2010 Apple responded to a rumor that FaceTime calls were unencrypted saying that the entire FaceTime conversation stream is encrypted.
This raised an interesting question from an IT professional in local County government who wondered about the type of encryption Apple uses in FaceTime calls.
The reader wanted to know if Apple gear like the iPad and iPhone were HIPPA compliant, and eligible for government funds.
Government grants in the healthcare industry require HIPAA compliance. The section on Access Control requires systems ensuring that only authorized users are granted access to Electronic Protected Health Information (EPHI). While somewhat vaguely worded, strong encryption is the only practical means of meeting the government “authorized users” requirement.
An Apple representative involved with the iPad emailed me this response:
iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection.
In addition to your existing infrastructure each FaceTime session is encrypted end to end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly.
Simply put, Apple gear is HIPPA compliant — if your wireless connections use WPA2 Enterprise security. Some interpret the HHS requirement to include WPA and WPA2 Personal as compliant, but HIPAA is a big complex hairy monster and, well, it depends on several variables.
One thing’s for sure: WEP is out, and you should avoid mentioning that swiss cheese security protocol around your friends at the U.S. Department of Health and Human Services — if you want a check from the Feds, that is.
