I'm looking for input regarding compliance requirements for data encryption over carrier WAN circuits (MPLS, L2 VPN, etc.).
One particular customer is demanding encryption for their MPLS connectivity (due to HIPAA compliance reqs), but they also have dedicated P2P optical circuits between a couple of locations, as well as some data center interconnect (DCI) to a hosting provider for data replication. While MPLS is multi-tenant by nature, their P2P optical circuit is not (at least their wave/lambda isn't) - same for the DCI. HIPAA states a requirement for “encryption for all data in transit.” I’ve seen a lot of fluidity in satisfying compliance reqs in the past (especially with PCI), where some partial effort on a particular req will be sufficient to check the box. That said, there’s no wiggle room on what’s in quotes here, so I’m looking for any input regarding whether these reqs might also apply to links that are not “multi-tenant” by nature, such as the dedicated optical circuit.
This largely boils down to equipment (router/firewall sizing), but if there were some relaxed requirements for non-MPLS WAN circuits to still satisfy the HIPAA checkbox, that's what we're looking for.