[windows2000] Re: Off Topic: HIPAA - my brain hurts

  • From: "Chris Berry" <compjma@xxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Tue, 22 Apr 2003 19:40:41 -0700

>From: windows2000-bounce@xxxxxxxxxxxxx
>Subject: [windows2000] Off Topic: HIPAA - my brain hurts
>Sorry for the off topic post but after spending a few hours going
>through the Federal Register I am a little fried.

It's on topic enough for me; a lot of us are dealing with this.

>I am trying to find something in the HIPAA rules that spells out what
>makes an application "HIPAA Compliant" or not.  Mainly, I am trying to
>settle a dispute with a programmer.

Haven't seen anything spelling that out.

>The programmer has a user table that has all the users and passwords
>in it for his application.  He stores the password in this table as
>clear text.  Because he lets the users click on their user id from a
>list, all users have read access to this table.  That means anybody
>that wanted to could use Access or something and read the table and
>learn everyone's password for this app.  This is not my AD security.
>Only application specific security.

Who cares about HIPAA, this is plain stupid all on its own.  Passwords MUST 
be encrypted everywhere, period, end of story, no discussion allowed.

>He also gives them no way to change their password.  They have to call
>me and tell me what to change it to.  I don't want to know their
>passwords and think this is a bad idea too.

This is lazy, and not particularly good practice, though not much of a 
security issue because you could probably get them anyways if you really 
wanted to.  I'd say convince him to set up a webpage to do it for them.

>I think keeping a password as clear text is poor programming
>technique, reckless/stupid, and does not meet the specifications for
>patient confidentiality required by HIPAA.
>I need to show my bosses something that says as much in the HIPAA
>regs.  They're backing me up (which is nice) but the programmer
>insists this is accepted practice and is ok to do.  I have done some
>digging in the HIPAA standards but the parts that aren't confusing as
>hell put me to sleep.

How about just explaining how DUMB this is and pointing to a number of 
different articles on recent password theft cases.  I don't think HIPAA is 
even an issue here.  However, if you're determined to drag HIPAA into it, 
just point out that violations of the Privacy Rule (effective as of the 14th 
of this month) carry serious monetary penalties and that you require a 
waiver in writing from all involved that you won't be responsible for the 
security if he's allowed to do it this way.

Chris Berry
compjma@xxxxxxxxxxx
Systems Administrator
JM Associates

"Without change, something sleeps inside us, and seldom awakens.  The 
sleeper must awaken." -- Duke Leto Atreides
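The two designs argued over in this thread, as an added example that is not part of the original post or the application being discussed. The first half models what the original poster describes: one table holding user ids and clear-text passwords, readable by every user because the pick-a-user-id list is built from it. The second half is the fix a practitioner would push for: the credential table stores only a salted PBKDF2 one-way hash (so not even the administrator can read a password back), the user-id list comes from a view that exposes nothing else, and users change their own password by proving they know the old one. Table and view names, the sample accounts and the iteration count are all assumptions made for the demo; SQLite stands in for the Access table.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example, not the application from the thread. It models the
# two designs discussed: a single table holding user ids and clear-text
# passwords that every user can read, versus a credential table that stores
# only a salted PBKDF2 hash and exposes user ids through a separate view.

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the hardware the app runs on


def vulnerable_setup(conn):
    """The design the original poster describes: passwords stored as typed."""
    conn.execute("CREATE TABLE app_users (user_id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?)",
        [("alice", "Summer2003"), ("bob", "letmein")],  # constructed sample rows
    )


def dump_vulnerable(conn):
    """Anyone who can read the table (here: every user) sees every password."""
    return conn.execute(
        "SELECT user_id, password FROM app_users ORDER BY user_id"
    ).fetchall()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Fresh salt per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def set_password(conn, user_id, new_password):
    """Store only salt and hash; the clear-text password is never written."""
    salt, digest = hash_password(new_password)
    conn.execute(
        "INSERT OR REPLACE INTO app_credentials VALUES (?, ?, ?)",
        (user_id, salt, digest),
    )


def hardened_setup(conn):
    conn.execute(
        "CREATE TABLE app_credentials (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    # The click-on-your-user-id list comes from a view that exposes only the
    # ids, so readers of the list never touch the credential columns.
    conn.execute("CREATE VIEW app_user_ids AS SELECT user_id FROM app_credentials")
    for user_id, password in [("alice", "Summer2003"), ("bob", "letmein")]:
        set_password(conn, user_id, password)


def verify_password(conn, user_id, candidate):
    row = conn.execute(
        "SELECT salt, pw_hash FROM app_credentials WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        hash_password(candidate)  # same cost for unknown users: no user enumeration by timing
        return False
    salt, stored = row
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def change_password(conn, user_id, old_password, new_password):
    """Self-service change: the administrator never learns either password."""
    if not verify_password(conn, user_id, old_password):
        return False
    set_password(conn, user_id, new_password)
    return True


def list_user_ids(conn):
    """What the login form's user list should read: ids only."""
    return [r[0] for r in conn.execute("SELECT user_id FROM app_user_ids ORDER BY user_id")]


def demo():
    vuln = sqlite3.connect(":memory:")
    vulnerable_setup(vuln)
    leaked = dump_vulnerable(vuln)  # every password, in the clear

    hard = sqlite3.connect(":memory:")
    hardened_setup(hard)
    ids = list_user_ids(hard)
    ok = verify_password(hard, "alice", "Summer2003")
    bad = verify_password(hard, "alice", "wrong")
    changed = change_password(hard, "bob", "letmein", "N3w-Passw0rd")
    after = verify_password(hard, "bob", "N3w-Passw0rd")
    return leaked, ids, ok, bad, changed, after


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the argument above only asserts: with a random salt per user, two accounts sharing a password get different stored hashes, so a reader of the credential table learns nothing even about who reuses passwords; and because the hash is one-way, "call me and tell me what to change it to" stops being necessary, since the change path only needs the old password from the user, not the administrator.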
