WebApp Sec mailing list archives
Re: HIPAA security requirements
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 16 Jan 2004 12:50:58 -0600
Matt, the biggest problem with the technical security-related portion of the HIPAA regs is that almost everything IS implied. It's still basically just nothing more than a broad list of standard "best practices". However, at least they TRY to provide some procedural guidelines by referencing NIST. These are the most current regulatory requirements, which includes NIST quidelines referenced in the regs. http://www.hipaadvisory.com/regs/finalsecurity/index.htm (It's a good HIPAA site as a whole with plenty of information and links to other sources.)
I was wondering if anyone has come across any specific requirements that are implicit or even implied by the security-related portions of the HIPAA act, including amendments. As a web application developer, I have to assure my healthcare clients that we will strive to meet HIPAA requirements, but have never come across any document or analysis that tries to bring into focus what precisely that means in the context of database-backed web applications. Some things are obvious: If your app does absolutely anything that could expose patient information to the wrong eyes, that would fall astray. Others are not quite as obvious. Also, after a contract has been completed, if new exploits are discovered, what are the developer's ongoing responsibilities? Is the developer forever obligated to point out new security weaknesses so that the client can opt to hire someone to fix them? If not, where does the liability end? Does anyone know of any such document, discussion, or guidance? Care to start one? I'll help. Thanks, Matt Kenigson president () sheergenius com
Current thread:
- HIPAA security requirements Matt Kenigson (Jan 15)
- Re: HIPAA security requirements lakewood1 () copper net (Jan 16)
- Re: HIPAA security requirements Clint Bodungen (Jan 16)
- <Possible follow-ups>
- Re: HIPAA security requirements ONEILL David J (Jan 15)
- Re: HIPAA security requirements Matt Kenigson (Jan 16)
- Re: HIPAA security requirements David Nester (Jan 16)
- Re: HIPAA security requirements Matt Kenigson (Jan 16)