[THIN] Re: Off Topic: HIPAA - my brain hurts

  • From: "Roger Riggins" <Roger@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 22 Apr 2003 15:36:58 -0500


Also, chances are that some of the passwords in the database will match
passwords in AD. Now, your liability may be more widespread than just in
the one application...

Roger

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Tuesday, April 22, 2003 3:27 PM
To: 'thin@xxxxxxxxxxxxx'; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Re: Off Topic: HIPAA - my brain hurts


Greg,

Let me say as a fellow HIPAA-bound IT worker that you aren't going to see
verbatim a black and white setting that says that passwords in a table
that everyone can read is a no-no. The rules as I have read them, and I am
still reading them, really set only a guideline or suggestion of how you
should lock down your systems.

I think the three best things you can argue are the following.

1) Because he lets the users click on their user id from a list, all
users have read access to this table. (If this feature was removed from
this application, then you would reduce the risk of information disclosure
to inappropriate parties.) Thus it would reduce your risk with this
application.

2) What is the data stored in the application? Is it patient care related
information that, if disclosed to inappropriate parties by whatever means,
could lead to a lawsuit by the patient or their lawyer against your
company? If so, assess the financial impact, and note that since this
application has no auditing or tracking of who accessed the application
and when, your company would be held liable for not ensuring the privacy
of the information held in this application, and for not providing the
application security to ensure that adequate means were in place from a
security perspective to ensure this information disclosure did not happen.

3) Lastly, neither authentication to the application (tracking of who is
accessing the data), authorization of entities that access the application
(knowing by unique password and ID that only the user themselves know),
nor security of the information is guaranteed with the existing setup,
which in my eyes fails both privacy of the information stored in this
database, and any security mechanism applied to this application that did
not solve the problem detailed in (1) above would fail to adequately
secure the application, which is the mechanism that ensures the privacy of
data, which is HIPAA in a nutshell.

I hope it helps,

Sincerely,
Ed

PS: No offense, but your programmer is off his rocker if he thinks that
leaving information about usernames and passwords in a freely open table
is accepted practice.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 22, 2003 3:31 PM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [THIN] Off Topic: HIPAA - my brain hurts



Sorry for the off topic post but after spending a few hours going through
the Federal Register I am a little fried.

I am trying to find something in the HIPAA rules that spells out what
makes an application "HIPAA Compliant" or not. Mainly, I am trying to
settle a dispute with a programmer.

The programmer has a user table that has all the users and passwords in
it for his application. He stores the password in this table as clear
text. Because he lets the users click on their user id from a list, all
users have read access to this table. That means anybody that wanted to
could use Access or something and read the table and learn everyone's
password for this app. This is not my AD security. Only application
specific security. He also gives them no way to change their password.
They have to call me and tell me what to change it to. I don't want to
know their passwords and think this is a bad idea too.

I think keeping a password as clear text is poor programming technique,
reckless/stupid, and does not meet the specifications for patient
confidentiality required by HIPAA.

I need to show my bosses something that says as much in the HIPAA regs.
They're backing me up (which is nice) but the programmer insists this is
accepted practice and is ok to do. I have done some digging in the HIPAA
standards but the parts that aren't confusing as hell put me to sleep.

Has anyone been through any of this that could point me to the right
place?

Thanks!


Greg
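As an added example (not code from anyone on this list), the user table Greg describes modelled in SQLite beside a hardened layout: a view exposes only the user ids for the pick-your-id list, the password column holds a salted PBKDF2 hash instead of clear text, users change their own password without telling an admin, and every login attempt is recorded. Table, column and function names are invented.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; illustrative value

def make_db():
    """In-memory stand-in for the app database.  The thread's table was
    users(user_id, cleartext password); here the password column holds a
    salted hash and the pick-your-id list reads a view with ids only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id TEXT PRIMARY KEY,
                            salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE VIEW user_list AS SELECT user_id FROM users;
        CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP,
                            user_id TEXT, event TEXT);
    """)
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _audit(db, user_id, event):
    db.execute("INSERT INTO audit (user_id, event) VALUES (?, ?)", (user_id, event))

def set_password(db, user_id, password):
    """Create or update a user; the cleartext never reaches the table."""
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
               (user_id, salt, _hash(password, salt)))
    _audit(db, user_id, "password_set")
    db.commit()

def check_login(db, user_id, password):
    """Verify in constant time and record the attempt either way."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE user_id = ?",
                     (user_id,)).fetchone()
    ok = row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])
    _audit(db, user_id, "login_ok" if ok else "login_fail")
    db.commit()
    return ok

def change_password(db, user_id, old, new):
    """Self-service change: needs the old password, so the admin never learns it."""
    if not check_login(db, user_id, old):
        return False
    set_password(db, user_id, new)
    return True
```

Granting the login screen SELECT on `user_list` rather than on `users` is what removes the read access to everyone's credentials that Ed's point (1) objects to.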
********************************************************
This Week's Sponsor - ThinPrint
Simply the best print solution for
Microsoft Terminal Services
and Citrix Metaframe.
http://www.thinprint.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm