[THIN] Re: OT: Audit boundaries

  • From: Greg Reese <gareese@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 13 Sep 2010 09:15:19 -0500

HIPAA doesn't specify any specific requirements for settings.  It says
"secure and safeguard your stuff" without actually telling you how to do it.
 There is really no right or wrong answer when it comes to securing
healthcare networks.  Be wary of anyone selling you something as "HIPAA
Compliant"; there is no checklist or accreditation to get that label.

If an outside company is coming in to see if you guys are doing an OK job
of that, I would expect them to look at everything on the same network as a
single entity regardless of actual domain or OU membership.  If the packets
are traveling on the same wires, subnets, VLANs, whatever, then it's all
fair game.


On Sun, Sep 12, 2010 at 10:19 PM, Tom Sorenson <tsorenson99@xxxxxxxxx> wrote:

> Sorry for the OT post, but I'm hoping the great wisdom of this list can
> help me settle a domain design argument currently going on at my employer.
> I work for a university.  The university also has a clinical (hospital)
> component that is for the most part separate from the university with the
> exception of the med school.
> I've argued for a 2 domain design that separates the clinical areas into
> their own domain.  My logic being that our anticipated HIPAA audit would
> only encompass the domain containing the clinical areas.
> There is a vocal camp that believes everything should reside in a single
> domain and that the clinical areas should be in their own OU.  They reason
> that any HIPAA audit would be limited to resources within that OU.
> I'm of the belief that if everything is in a single domain that the entire
> domain becomes subject to a HIPAA audit.
> Can anyone advise what their experience has been in a similar audit
> situation, whether an audit would be limited to an OU or would the entire
> domain and its resources be subject to audit?
> All opinions are welcome.
> Thanks!

