Also, chances are that some of the passwords in the database will match passwords in AD. Now, your liability may be more widespread than just in the one application...

Roger

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Tuesday, April 22, 2003 3:27 PM
To: 'thin@xxxxxxxxxxxxx'; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Re: Off Topic: HIPAA - my brain hurts

Greg,

Let me say as a fellow HIPAA-bound IT worker that you aren't going to see, verbatim, a black and white setting that says that passwords in a table that everyone can read is a no-no. The rules as I have read them, and I am still reading them, really set only a guideline or suggestion of how you should lock down your systems.

I think the three best things you can argue are the following.

1) Because he lets the users click on their user id from a list, all users have read access to this table. (If this feature was removed from this application, then you would reduce the risk of information disclosure to inappropriate parties.) Thus it would reduce your risk with this application.

2) What is the data stored in the application? Is it patient care related information that, if disclosed to inappropriate parties by whatever means, could lead to a lawsuit by the patient or their lawyer against your company? If so, assess the financial impact, and note that since this application has no auditing or tracking of who accessed the application and when, your company would be held liable for not ensuring the privacy of the information held in this application, and for not providing the application security to ensure that adequate means were in place from a security perspective to ensure this information disclosure did not happen.

3) Lastly, authentication to the application (tracking of who is accessing the data), authorization of entities that access the application (knowing, by a unique password and ID that only the user themselves knows), and security of the information are not guaranteed with the existing setup, which in my eyes fails both privacy of the information stored in this database, and any security mechanism applied to this application that did not solve the problem detailed in (1) above would fail to adequately secure the application, which is the mechanism that ensures the privacy of data, which is HIPAA in a nutshell.

I hope it helps,

Sincerely,
Ed

PS: No offense, but your programmer is off his rocker if he thinks that leaving information about usernames and passwords in a freely open table is accepted practice.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 22, 2003 3:31 PM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Off Topic: HIPAA - my brain hurts

Sorry for the off topic post, but after spending a few hours going through the Federal Register I am a little fried.

I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not. Mainly, I am trying to settle a dispute with a programmer.

The programmer has a user table that has all the users and passwords in it for his application. He stores the password in this table as clear text.
Because he lets the users click on their user id from a list, all users have read access to this table. That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app. This is not my AD security, only application specific security.

He also gives them no way to change their password. They have to call me and tell me what to change it to. I don't want to know their passwords and think this is a bad idea too.

I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.

I need to show my bosses something that says as much in the HIPAA regs. They're backing me up (which is nice), but the programmer insists this is accepted practice and is ok to do. I have done some digging in the HIPAA standards, but the parts that aren't confusing as hell put me to sleep.

Has anyone been through any of this that could point me to the right place?

Thanks!

Greg

********************************************************
This Week's Sponsor - ThinPrint
Simply the best print solution for Microsoft Terminal Services
and Citrix Metaframe.
http://www.thinprint.com/
**********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
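The clear-text user table Greg describes, beside a hardened version of the same table; this is an added example, not code from the thread or from the application under dispute. It assumes a small constructed in-memory dictionary standing in for the Access table and uses PBKDF2-HMAC-SHA256 from the Python standard library, so that a reader of the table learns nothing usable and users can change their own password without the admin ever seeing it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the table the thread describes: anyone with read
# access to the table learns every password (and, as Roger notes, possibly
# the same users' AD passwords).
CLEARTEXT_USERS = {"greg": "winter2003", "ed": "hipaa!rules"}

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record that reveals nothing useful to a reader of the table."""
    salt = salt or os.urandom(16)  # per-user random salt defeats shared lookups
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_hashed_table(cleartext_table: dict) -> dict:
    """One-time migration: replace each clear-text password with a salted hash."""
    return {user: hash_password(pw) for user, pw in cleartext_table.items()}


def change_password(table: dict, user: str, old: str, new: str) -> bool:
    """Self-service change: proves knowledge of the old password, never
    exposes either password to an administrator."""
    if user not in table or not verify_password(table[user], old):
        return False
    table[user] = hash_password(new)
    return True


if __name__ == "__main__":
    hashed = build_hashed_table(CLEARTEXT_USERS)
    print("stored for greg:", hashed["greg"])  # salt and hash only
    print("greg logs in:", verify_password(hashed["greg"], "winter2003"))
    print("greg changes pw:", change_password(hashed, "greg", "winter2003", "spring2003"))
    print("old pw rejected:", not verify_password(hashed["greg"], "winter2003"))
```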