WebApp Sec mailing list archives

Re: HIPAA security requirements


From: ONEILL David J <David.J.Oneill () state or us>
Date: 15 Jan 2004 15:54:16 -0800

Matt,
I work for the State of Oregon as a Web Application Developer and have been to
several HIPAA classes <yech>.  Because I am employed by the state, I am not a
good source for your contract questions.

One misnomer is that you cannot display patient information; your application
can show that information.  It is the transfer of information from one
environment to another that gets touchy.  The rule of thumb is that you strip
out any information that can pinpoint an individual (SSN, medical ID#, Full
Name, Street Address, ...) when transmitting through unsecured channels.  All
other information is fair game for transmission.  If the data channel is
encrypted (64-bit or better), no worries.

Fortunately for us developers, most of the data security work is the
responsibility of the data consumer.  They need to make sure no one is looking
over their shoulder, grabbing their printouts, sitting in a park under a
security camera, so on and so forth.  I'm sure you get the picture.

Looking into the future, I think that you can rest assured that if you do due
security diligence now you should be safe.  Clauses such as "warrantied
against vulnerabilities and exploits that are known as of <date>" would most
likely cover you for most issues.  This way the customer does not get the idea
that you are warrantying against what is unknown.

Hope this helps,



David J. O'Neill
Senior Systems Analyst
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX:     (503) 378-2103
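The rule of thumb above (strip direct identifiers before an unsecured transfer, send the full record only over an encrypted channel) as an added example; this is not code from the original post, and the field names, the SSN pattern and the sample record are assumptions constructed for illustration.

```python
import re
from typing import Any

# Direct identifiers the post says to strip before an unsecured transfer.
# Field names are assumptions for this example, not a HIPAA-defined schema.
DIRECT_IDENTIFIER_FIELDS = {"ssn", "medical_id", "full_name", "street_address"}

# An SSN can also hide inside free text (e.g. clinical notes); mask it there too.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def strip_direct_identifiers(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record without direct-identifier fields, with
    SSN-looking strings masked in any remaining text and nested records."""
    cleaned: dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the whole field
        if isinstance(value, dict):
            cleaned[key] = strip_direct_identifiers(value)  # recurse
        elif isinstance(value, str):
            cleaned[key] = SSN_PATTERN.sub("[REDACTED-SSN]", value)
        else:
            cleaned[key] = value
    return cleaned


def prepare_for_transmission(record: dict[str, Any], channel_encrypted: bool) -> dict[str, Any]:
    """Encrypted channel: the full record may go. Unsecured channel: only the
    stripped version leaves the environment."""
    if channel_encrypted:
        return dict(record)
    return strip_direct_identifiers(record)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "medical_id": "MRN-000123",
    "full_name": "Jane Doe",
    "street_address": "1 Example St",
    "ssn": "123-45-6789",
    "diagnosis_code": "J45.909",
    "visit": {"date": "2004-01-15", "notes": "Patient SSN 123-45-6789 on file."},
}

if __name__ == "__main__":
    print(prepare_for_transmission(SAMPLE_RECORD, channel_encrypted=False))
```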

president () sheergenius com 01/15/04 03:13PM >>>
Howdy,

I've been lurking on the list now for over a year and wanted to start my 
first post by thanking everyone out there who has been answering 
questions and has contributed to all of the wonderful projects I've 
heard about on the list.  My hat is off to all of you for being such 
talented professionals and still managing to give back to the community 
with your efforts.

Now, on to the feature:

I was wondering if anyone has come across any specific requirements that 
are implicit or even implied by the security-related portions of the 
HIPAA act, including amendments.  As a web application developer, I have 
to assure my healthcare clients that we will strive to meet HIPAA 
requirements, but have never come across any document or analysis that 
tries to bring into focus what precisely that means in the context of 
database-backed web applications.  Some things are obvious:  If your app 
does absolutely anything that could expose patient information to the 
wrong eyes, that would fall astray.  Others are not quite as obvious.  
Also, after a contract has been completed, if new exploits are 
discovered, what are the developer's ongoing responsibilities?  Is the 
developer forever obligated to point out new security weaknesses so that 
the client can opt to hire someone to fix them?  If not, where does the 
liability end?

Does anyone know of any such document, discussion, or guidance?  Care to 
start one?  I'll help.

I should note that my thinking on this was jump-started by the 
interesting column currently featured on owasp.org by Jeff Williams.  I 
should also note that I could only read what was on that first page, as 
the link for more of the story seems to be broken right now.

Thanks,

Matt Kenigson
president () sheergenius com 

