Having read a great deal of the security reg, I am coming increasingly to the conclusion that the much if not all of the reg can be satisfied automatically. Report generation, audit, key management, etc. etc., these are all things that cry out for automation.
I agree with this. HIPAA does not appear (for now) to be the gut-wrenching monster that many have been assuming, but more a set of protocols of intention and best practices. The tools and methods don't even seem to be unique to HIPAA, either (I could certainly be wrong here) ... but fairly close to good security-oriented server administration.
Denny Adelman
