Re: Question about HIPAA Compliance in application development

[Rohit Sethi <rklists () gmail com>]

Thanks Kevin and those who answered me off-list.

It sounds like people generally deal with this through techniques outside of
the application logic itself such as checksums and/or digital signatures on
files / database values that contain protected health information.  My
initial thought was that databases would offer some kind of integrity check
feature and that seems to be the feeling from people on the list as well.

Has anyone actually implemented this kind of control *within* custom
application logic? For example, verifying the integrity of stored protected
health data by (for example) checking that a digital signature is valid
before displaying it back to the user?

On Tue, Apr 26, 2011 at 8:57 AM, Wall, Kevin <Kevin.Wall () qwest com> wrote:

> Rohit,
> You wrote:
> > Has anyone had to deal with the following HIPAA compliance requirements
> > within a custom application before:
> >
> > §164.312(c)(2)
> > Implement electronic mechanisms to corroborate that electronic
> > protected health information has not been altered or destroyed in
> > an unauthorized manner.
> >
> > §164.312(e)(2)(i)
> > Implement security measures to ensure that electronically transmitted
> > electronic protected health information is not improperly modified
> > without detection until disposed of.
> >
> > How have you actually implemented these controls in applications? Have
> > you used a third party tool to do this? Does §164.312(c)(2) simply
> > boil down to sufficient access control?
>
> Having never had any practical experience with HIPPA, my take on these
> sections
> may be different (read "wrong") than others, but the way I read these
> requirements,
> they have to do more with ensuring data integrity than *merely* proper
> access
> control.
>
> If that is their intent, then I would look at access control as providing a
> necessary, but not sufficient security measure to satisfy these
> requirements.
>
> Consequently, I would think that a mechanism such as HMACs or digital
> signatures
> may be appropriate security measures here.
>
> -kevin
> ---
> Kevin W. Wall           CenturyLink / Risk Mgmt / Information Security
> Kevin.Wall () qwest com    Phone: 614.215.4788
> Blog: http://off-the-wall-security.blogspot.com/
> "There are only 10 types of people in the world...those who can count
> in binary and those who can't."
>
> This communication is the property of Qwest and may contain confidential or
> privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful.  If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.



-- 
Rohit Sethi
SD Elements
http://www.sdelements.com
twitter: rksethi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________