FaceTime calls are encrypted, HIPAA compliant

The fly in the ointment for government is that the current implementation of AES in the iPad may be compliant but it is not certified compliant to government encryption standards. In other words, just because the vendor states that the encryption meets the government standard AES (Advanced Encryption Standard) does not mean that it actually does. Ultimately for the federal government to use the encryption must be certified by the National Institute of Standards and Technology (NIST) as being Federal Information Processing Standards (FIPS) 140-2 compliant. This means every Army, Navy, Air Force, or Veterans Affairs hospital will have a hard time bringing iPads into the enterprise without that NIST certification regardless of the HIPAA compliance.

This is yet another perpetuation of an incorrect use of 'HIPAA Compliance'. A communication tool like this (or backup services is another area where it is often misused) cannot in and of themselves declare they are "compliant". HIPAA compliance standards go well beyond simple security technologies or features. There are a wide array of procedures and policies that define "HIPAA Compliance" and it's irresponsible to make these claims about a product or service. We need another term to describe that a product like this CAN be HIPAA compliant when used in conjunction with the proper policies and procedures.

What this does is make FaceTime HIPAA complaint?

If FaceTime is encrypted end to end by Apple magic, why does WPA2 matter? What makes this issue difficult is the ability to know that both ends of the Facetime call are using WPA2. Based on this information I am not comfortable saying Facetime is HIPAA compliant, I will say Facetime can be made HIPAA compliant.

Looking at the original article, there is two statements there:

1. An iPad, in general, is HIPA compliant if you use WPA2 Enterprise.

2. Facetime is encrypted end to end.

Statements are only related in that they both involve encryption.

It doesn't say that Facetime is HIPAA compliant (which it should be, based on this). It means - I think - that doc's etc can get federal funding for an iPad. And Facetime is encrypted, regardless of network.

As WiteWulf says -- the article conflates the session keys that Apple uses to encrypt conversations end-to-end (using whatever scheme they employ) with the link-layer encryption and authentication of WiFi connections using WPA2 Enterprise.

I suspect that the "requirement" of WPA2 Enterprise in order to be HIPAA compliant relates to WPA2 Enterprise being able to authenticate on a user-by-user basis using 802.1x. But none of that has anything to do with whether Facetime sessions are strongly, weakly, or not at all encrypted end-to-end.

The session is only WPA2 Enterprise "encrypted" if the WiFi network you're on is using WPA2 Enterprise. Even then, only the packets passing between your iDevice and the access point are encrypted. This isn't end-to-end at all, everything past the access point depends on the (apparently undisclosed) encryption Apple actually applies to the FaceTime session itself.