My company is building a medical application. We would like to utilize Silverlight 2.0/3.0. Because of HIPAA laws, security is at the top of the list and we can't make mistakes here.

What makes or doesn't make a WCF call secure in the context of using Silverlight?

+2  A: 

Since Silverlight only works with the HTTP(S) bindings of WCF, you're only as secure as HTTPS allows you to be.

Mike_G
+1  A: 

As far as I know, if the Silverlight XAP file is served from the same web site that the web service is in, then they can share the ASP session.

In this scenario, you would authenticate the user to the web site, as usual. When they get the XAP file, its communication back to the server can use sessions, just like all normal HTTP calls would be using (passing the cookie).

If they are in different web sites, then they cannot share the session, and you'll have to do something else in the web service to verify the caller.

Glen Little
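
The same-site case from the answer above, as an added example that is not part of any poster's answer: a WCF service hosted inside the ASP.NET site checks the caller's existing login on every call. It assumes forms authentication and ASP.NET compatibility mode; `IPatientService`, `PatientService`, `GetPatientSummary` and the `Clinician` role are hypothetical names.

```csharp
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

[ServiceContract]
public interface IPatientService   // hypothetical contract
{
    [OperationContract]
    string GetPatientSummary(int patientId);
}

// Required: the service will not activate unless web.config contains
// <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />,
// which is what makes HttpContext.Current and the site's cookies visible here.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class PatientService : IPatientService
{
    public string GetPatientSummary(int patientId)
    {
        HttpContext ctx = HttpContext.Current;

        // Refuse plain HTTP so the cookie and the response never travel in the clear.
        if (ctx == null || !ctx.Request.IsSecureConnection)
            throw new FaultException("HTTPS required.");

        // The browser attaches the site's authentication cookie to the Silverlight
        // client's request; ASP.NET has already resolved it into ctx.User.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new FaultException("Not authenticated.");

        // Authorize each call: being logged in is not the same as being allowed.
        if (!ctx.User.IsInRole("Clinician"))   // hypothetical role name
            throw new FaultException("Not authorized.");

        // Constructed placeholder result; a real service would query its data store
        // and record who requested which record.
        return string.Format("Summary for patient {0}, requested by {1}",
                             patientId, ctx.User.Identity.Name);
    }
}
```

The checks run inside the operation itself, so a caller that reaches the `.svc` endpoint directly without logging in to the site is rejected the same way as an expired session.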
A: 

WCF Services in SL2

Network security Access Restrictions in SL2

The above are links to decent resources on Silverlight and WCF security, but Mike_G summed it up accurately: you're limited to HTTPS security.

Graeme Bradbury