[THIN] Re: Off Topic: HIPAA - my brain hurts

  • From: "Magnus" <magnus@xxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 22 Apr 2003 16:33:22 -0400

I think that as soon as you mention "possible lawsuit due to lack of security within the application", they will force the developer to change it.



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Ziots, Edward
Sent: Tuesday, April 22, 2003 4:27 PM
To: 'thin@xxxxxxxxxxxxx'; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Re: Off Topic: HIPAA - my brain hurts 



Greg,

Let me say as a fellow HIPAA-bound IT worker that you aren't going to see, verbatim, a black-and-white setting that says that passwords in a table that everyone can read is a no-no. The rules as I have read them, and I am still reading them, really set only a guideline or suggestion of how you should lock down your systems.

I think the three best things you can argue are the following.

1) Because he lets the users click on their user ID from a list, all users have read access to this table. If this feature were removed from the application, you would reduce the risk of information disclosure to inappropriate parties, and thus reduce your risk with this application.

2) What is the data stored in the application? Is it patient-care-related information that, if disclosed to inappropriate parties by whatever means, could lead to a lawsuit by the patient or their lawyer against your company? If so, assess the financial impact, and note that since this application has no auditing or tracking of who accessed the application and when, your company would be held liable for not ensuring the privacy of the information held in this application, and for not providing the application security to ensure that adequate means were in place, from a security perspective, to ensure this information disclosure did not happen.

3) Lastly, neither authentication to the application (tracking of who is accessing the data), authorization of entities that access the application (knowing, by a unique password and ID that only the user themselves knows), nor security of the information is guaranteed with the existing setup. In my eyes, this fails the privacy of the information stored in this database, and any security mechanism applied to this application that did not solve the problem detailed in (1) above would fail to adequately secure the application, which is the mechanism that ensures the privacy of data, which is HIPAA in a nutshell.

I hope it helps, 

Sincerely,
Ed

PS: No offense, but your programmer is off his rocker if he thinks that leaving information about usernames and passwords in a freely open table is accepted practice.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 22, 2003 3:31 PM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Off Topic: HIPAA - my brain hurts 



Sorry for the off topic post, but after spending a few hours going through the Federal Register I am a little fried.

I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not. Mainly, I am trying to settle a dispute with a programmer.

The programmer has a user table that has all the users and passwords in it for his application. He stores the password in this table as clear text. Because he lets the users click on their user ID from a list, all users have read access to this table. That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app. This is not my AD security, only application-specific security. He also gives them no way to change their password. They have to call me and tell me what to change it to. I don't want to know their passwords and think this is a bad idea too.

I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.

I need to show my bosses something that says as much in the HIPAA regs. They're backing me up (which is nice) but the programmer insists this is accepted practice and is ok to do. I have done some digging in the HIPAA standards but the parts that aren't confusing as hell put me to sleep.

Has anyone been through any of this that could point me to the right place?

Thanks!


Greg
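The setup Greg describes (cleartext passwords in a table every user can read, and password changes that go through an administrator who learns the new password) is the "before" of the pattern below: salted PBKDF2 hashes so that a readable table discloses no passwords, a self-service change that requires proof of the old password, and an audit trail of who authenticated and when. This is an added illustrative example, not code from anyone in this thread or from the application under discussion; the in-memory `UserStore`, its user names and passwords are constructed stand-ins for the real table.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (current OWASP guidance)


def hash_password(password: str) -> str:
    """Derive a salted hash; only this string is stored, never the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


class UserStore:
    """Constructed stand-in for the application's user table: even a reader who
    can dump every row sees only salted hashes, not anyone's password."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}  # user_id -> hashed password record
        self.audit: list[tuple] = []     # (timestamp, user_id, event, outcome)

    def add_user(self, user_id: str, password: str) -> None:
        self.users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> bool:
        ok = user_id in self.users and verify_password(password, self.users[user_id])
        self._audit(user_id, "login", ok)
        return ok

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Self-service change: the user proves the old password; no admin sees the new one."""
        ok = self.login(user_id, old)
        if ok:
            self.users[user_id] = hash_password(new)
        self._audit(user_id, "password_change", ok)
        return ok

    def _audit(self, user_id: str, event: str, ok: bool) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user_id, event, "success" if ok else "failure"))
```

The audit list is the piece Ed's point (2) says the application lacks: every login and password change, successful or not, is recorded with a timestamp and user ID.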
********************************************************
This Week's Sponsor - ThinPrint
Simply the best print solution for
Microsoft Terminal Services 
and Citrix Metaframe.
http://www.thinprint.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm