Secure Coding mailing list archives
Re: Question about HIPAA Compliance in application development
From: Rohit Sethi <rklists () gmail com>
Date: Tue, 26 Apr 2011 11:13:20 -0400
Thanks Kevin and those who answered me off-list. It sounds like people generally deal with this through techniques outside of the application logic itself, such as checksums and/or digital signatures on files / database values that contain protected health information. My initial thought was that databases would offer some kind of integrity check feature, and that seems to be the feeling from people on the list as well.

Has anyone actually implemented this kind of control *within* custom application logic? For example, verifying the integrity of stored protected health data by (for example) checking that a digital signature is valid before displaying it back to the user?

On Tue, Apr 26, 2011 at 8:57 AM, Wall, Kevin <Kevin.Wall () qwest com> wrote:
> Rohit, You wrote:
>
> > Has anyone had to deal with the following HIPAA compliance requirements within a custom application before:
> >
> > §164.312(c)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
> >
> > §164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
> >
> > How have you actually implemented these controls in applications? Have you used a third party tool to do this? Does §164.312(c)(2) simply boil down to sufficient access control?
>
> Having never had any practical experience with HIPAA, my take on these sections may be different (read "wrong") than others, but the way I read these requirements, they have to do more with ensuring data integrity than *merely* proper access control. If that is their intent, then I would look at access control as providing a necessary, but not sufficient, security measure to satisfy these requirements. Consequently, I would think that a mechanism such as HMACs or digital signatures may be appropriate security measures here.
>
> -kevin
> ---
> Kevin W. Wall
> CenturyLink / Risk Mgmt / Information Security
> Kevin.Wall () qwest com
> Phone: 614.215.4788
> Blog: http://off-the-wall-security.blogspot.com/
> "There are only 10 types of people in the world...those who can count in binary and those who can't."
>
> This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
--
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi
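The in-application integrity check Rohit asks about, and the HMAC mechanism Kevin suggests, can be sketched concretely. The following is an added example written for this archive page, not code from either poster or from SD Elements. It assumes the application holds a 32-byte HMAC key obtained from a key store outside the database (the `DEMO_KEY` constant here is a constructed placeholder), serializes each record canonically together with its primary key, and refuses to return a record whose stored tag no longer verifies. The record contents and identifiers are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed placeholder. In a real deployment the key comes from a KMS/HSM
# held by a different custodian than the database administrators; if a DBA can
# read the key they can simply re-tag whatever they alter.
DEMO_KEY = b"\x11" * 32


class IntegrityError(Exception):
    """Raised when a stored record's tag does not match its contents."""


def canonical_bytes(record_id: str, fields: dict) -> bytes:
    # Bind the tag to the record id so a valid tag cannot be copied onto another
    # row, and serialize deterministically (sorted keys, fixed separators) so the
    # same logical record always produces the same bytes.
    payload = {"id": record_id, "fields": fields}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(key: bytes, record_id: str, fields: dict) -> str:
    return hmac.new(key, canonical_bytes(record_id, fields), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record_id: str, fields: dict, stored_tag: str) -> bool:
    expected = sign_record(key, record_id, fields)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, stored_tag)


def store(db: dict, key: bytes, record_id: str, fields: dict) -> None:
    # `db` stands in for the PHI table: each row carries its fields and its tag.
    db[record_id] = {"fields": dict(fields), "tag": sign_record(key, record_id, fields)}


def load(db: dict, key: bytes, record_id: str) -> dict:
    # Verification happens before the data is handed to the presentation layer,
    # which is the "check before displaying" control from the thread.
    row = db[record_id]
    if not verify_record(key, record_id, row["fields"], row["tag"]):
        raise IntegrityError(f"integrity check failed for record {record_id}")
    return row["fields"]


def demo() -> tuple:
    """Returns (clean_read_ok, edit_detected, swap_detected)."""
    db = {}
    store(db, DEMO_KEY, "patient-001", {"name": "Jane Doe", "dx": "J45.20"})
    store(db, DEMO_KEY, "patient-002", {"name": "John Roe", "dx": "E11.9"})

    clean_read_ok = load(db, DEMO_KEY, "patient-001") == {"name": "Jane Doe", "dx": "J45.20"}

    # Out-of-band change that bypasses the application (e.g. a direct SQL update).
    db["patient-001"]["fields"]["dx"] = "Z00.00"
    try:
        load(db, DEMO_KEY, "patient-001")
        edit_detected = False
    except IntegrityError:
        edit_detected = True

    # Whole-row swap: patient-002 receives patient-001's original fields and tag.
    # The tag is bound to the id, so it does not verify under "patient-002".
    original_001 = {"name": "Jane Doe", "dx": "J45.20"}
    db["patient-002"] = {"fields": original_001, "tag": sign_record(DEMO_KEY, "patient-001", original_001)}
    try:
        load(db, DEMO_KEY, "patient-002")
        swap_detected = False
    except IntegrityError:
        swap_detected = True

    return clean_read_ok, edit_detected, swap_detected


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the MAC itself: the tag must cover the row identity (otherwise a valid tag can be moved between rows), and the key must not be reachable by whoever can write to the table, or the control collapses back into the access control Kevin describes as necessary but not sufficient. For a "destroyed" record, a MAC on the row cannot help on its own; detecting deletion needs something like a signed row count or a MAC over a manifest of expected ids.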
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- Question about HIPAA Compliance in application development Rohit Sethi (Apr 26)
- Re: Question about HIPAA Compliance in application development Wall, Kevin (Apr 26)
- Re: Question about HIPAA Compliance in application development Rohit Sethi (Apr 26)
- Re: Question about HIPAA Compliance in application development Wall, Kevin (Apr 26)
- Re: Question about HIPAA Compliance in application development Rohit Sethi (Apr 26)
- Re: Question about HIPAA Compliance in application development James Manico (Apr 26)
- Re: Question about HIPAA Compliance in application development Rohit Sethi (Apr 26)
- Re: Question about HIPAA Compliance in application development Chris Schmidt (Apr 26)
- Re: Question about HIPAA Compliance in application development Wall, Kevin (Apr 26)
- Re: Question about HIPAA Compliance in application development Wall, Kevin (Apr 26)