by djfobbz 1128 days ago
This message object seems to be missing the HIPAA^ENCRYPTED field (pun intended)... I am assuming the encryption is implemented above this layer? Is there a standard for HL7v2 encryption?
4 comments

HL7v2 is just the schema - the mechanism for sending these messages is normally something called MLLP, which is just a simple framing protocol and has no built-in security. It is possible to send/receive HL7v2 over other protocols; MLLP is the most common.

It's normal to secure the endpoints via network-level security - IPsec etc. HL7v3 transformed into FHIR, which is done over HTTPS instead.

or, hear me out, you also blast it unencrypted to the flex pagers your employees don't even use anymore

It's normal to not encrypt it, in my experience.

It's really not normal to not encrypt HL7 V2 messages. Every interface that I've seen uses a VPN.

I'm in the UK in the NHS. Perhaps that's the difference. They just do network lockdowns inside the hospital.

oh neat. i was aware of hl7, but didn't realize i'd seen it in the wild til today.

you can often find these messages flying unencrypted over flex pager channels in the us

Typically these messages are not encrypted. This is a late 80's spec based on a 70's era EDI spec.

IMHO, when these messages are transmitted outside the hospital, typically a VPN is used. There is a spec for posting these messages to a web service over HTTPS but I haven't seen it in use.

Usually encrypted via a TLS connection right into an HL7 channel/listener. Or the entire connection is encrypted via a VPN connection between healthcare systems.
If there's encryption, it's generally further up the stack (e.g. wrapping in a TLS connection or IPsec tunnel).
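
Added example, not part of the thread or any commenter's code: a Python sketch of the MLLP framing the comments describe (start byte 0x0B, end bytes 0x1C 0x0D), showing that a framed message is readable as-is and that confidentiality has to come from a TLS layer wrapped around the socket. The sample message, the function and class names and the `ca_file` parameter are constructed for illustration.

```python
import ssl

SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"  # MLLP start block, end block, trailing CR

# Constructed sample HL7v2 message (not real patient data).
SAMPLE = (b"MSH|^~\\&|SEND|FAC_A|RECV|FAC_B|20240101120000||ADT^A01|MSG0001|P|2.5\r"
          b"PID|1||000000^^^TEST||DOE^JANE\r")

def mllp_frame(message):
    """Wrap one HL7v2 message in an MLLP block: <0x0B> message <0x1C><0x0D>."""
    if SB in message or EB in message:
        raise ValueError("payload contains MLLP delimiter bytes")
    return SB + message + EB + CR

class MLLPDecoder:
    """Incremental decoder: feed() raw TCP bytes, get complete messages back."""
    def __init__(self, max_len=1 << 20):
        self.buf = bytearray()
        self.max_len = max_len  # cap on a single unfinished frame

    def feed(self, data):
        self.buf += data
        out = []
        while True:
            start = self.buf.find(SB)
            if start < 0:
                self.buf.clear()      # no start byte at all: discard noise
                return out
            del self.buf[:start]      # drop bytes before the start byte
            end = self.buf.find(EB + CR)
            if end < 0:
                if len(self.buf) > self.max_len:
                    raise ValueError("MLLP frame exceeds max_len")
                return out            # partial frame: wait for more data
            out.append(bytes(self.buf[1:end]))
            del self.buf[:end + 2]

def tls_client_context(ca_file=None):
    """TLS settings for wrapping the MLLP socket; certificate checks stay on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def phi_visible_on_wire(frame):
    """True if the patient name is readable in the framed bytes as-is."""
    return b"DOE^JANE" in frame
```

A sender would pass its TCP socket to `tls_client_context().wrap_socket(sock, server_hostname=...)` before writing `mllp_frame(...)` to it; the framing itself is unchanged by the TLS layer.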