On 1/10/13 10:14 AM, Ken Dibble wrote:
> I'm researching health data security issues and came across a requirement for
> "immutable" electronic audit trails.
> 
> The people who write these standards can't be serious, can they? There is no
> such thing as immutable electronic data. Are they really dumb enough to assume
> that the data is "immutable" if you only provide read-only access to it through
> your software, or set the read-only bit on the files?
> 
> The only relevant electronic "solution" I've seen for this appears to be some
> sort of "lockbox" software that can be applied to a folder. It operates like a
> safe with a time-lock. You could, I suppose, periodically copy audit data to
> that folder where it can't be modified or deleted, allegedly by anyone including
> the person who set the time, until the time expires. So what happens if you
> reset the system clock?
> 
> Seriously... has anyone dealt with this requirement? What is actually
> necessary to comply with it?

I bet storing a SHA hash of each audit entry would suffice. Then validation
could regularly choose audit entries at random, re-hash, and compare, proving
that the values didn't mutate.

Paul
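Paul's suggestion, worked through as an added example (this is not code from the thread or from any product mentioned in it). It stores a SHA-256 hash per audit entry and spot-checks a random sample, and goes one step further than the post by chaining each hash to the previous one, so that deleting or reordering an entry is also detectable. The audit events, field names and the "anchor" idea (a copy of the latest hash kept somewhere the audit store's writer cannot reach, such as write-once media or a separate system) are constructed assumptions for the demonstration; the last scenario shows why that anchor matters: anyone with write access to the store can simply re-hash after editing.

```python
import hashlib
import json
import random
from typing import Any, Dict, List, Optional

# Constructed sample audit events (hypothetical EHR access log, not real data).
SAMPLE_EVENTS = [
    {"ts": "2013-01-10T10:14:00Z", "user": "alice", "action": "VIEW",   "record": "PAT-0001"},
    {"ts": "2013-01-10T10:15:30Z", "user": "bob",   "action": "UPDATE", "record": "PAT-0002"},
    {"ts": "2013-01-10T10:16:05Z", "user": "alice", "action": "EXPORT", "record": "PAT-0001"},
]

GENESIS = "0" * 64  # fixed "previous hash" for the very first entry


def canonical(entry: Dict[str, Any]) -> bytes:
    """Serialize deterministically so a later re-hash reproduces the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, entry: Dict[str, Any]) -> str:
    """SHA-256 over (previous entry's hash || canonical entry): the chain link."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(entry))
    return h.hexdigest()


def append_entry(log: List[Dict[str, Any]], entry: Dict[str, Any]) -> str:
    prev = log[-1]["hash"] if log else GENESIS
    digest = entry_hash(prev, entry)
    log.append({"entry": dict(entry), "hash": digest})
    return digest


def build_log(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for e in events:
        append_entry(log, e)
    return log


def spot_check(log: List[Dict[str, Any]], sample_size: int, seed: Optional[int] = None) -> List[int]:
    """The post's scheme: pick random entries, re-hash, compare with the stored hash.
    Returns the indices whose stored hash no longer matches."""
    rng = random.Random(seed)
    indices = rng.sample(range(len(log)), min(sample_size, len(log)))
    bad = []
    for i in indices:
        prev = log[i - 1]["hash"] if i > 0 else GENESIS
        if entry_hash(prev, log[i]["entry"]) != log[i]["hash"]:
            bad.append(i)
    return sorted(bad)


def verify_chain(log: List[Dict[str, Any]]) -> Optional[int]:
    """Full walk of the chain; returns the first failing index, or None if intact.
    Because each hash commits to its predecessor, a deleted or reordered entry
    breaks the link at the entry that follows it."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if entry_hash(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def chain_head(log: List[Dict[str, Any]]) -> str:
    """The latest hash; a copy kept outside the store is the external anchor."""
    return log[-1]["hash"] if log else GENESIS


def rehash_log(log: List[Dict[str, Any]]) -> None:
    """What write access to the audit store allows: recomputing every stored hash
    so the chain is internally consistent again after an edit."""
    prev = GENESIS
    for rec in log:
        rec["hash"] = entry_hash(prev, rec["entry"])
        prev = rec["hash"]


def demo() -> Dict[str, bool]:
    results = {}
    log = build_log(SAMPLE_EVENTS)
    anchor = chain_head(log)  # assumed to be copied to write-once media at this point
    results["clean_log_passes"] = verify_chain(log) is None and spot_check(log, 3, seed=1) == []
    log[1]["entry"]["action"] = "VIEW"  # silent edit of one stored entry
    results["edit_detected"] = verify_chain(log) == 1 and 1 in spot_check(log, 3, seed=1)
    rehash_log(log)  # the store's writer "repairs" the chain after editing
    results["rehash_hides_edit"] = verify_chain(log) is None
    results["anchor_catches_rehash"] = chain_head(log) != anchor
    log2 = build_log(SAMPLE_EVENTS)
    del log2[1]  # remove an interior entry
    results["deletion_detected"] = verify_chain(log2) == 1
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The per-entry hash alone proves an entry's bytes match what was hashed; the chain adds "and nothing in between went missing"; the externally held head hash adds "and nobody rewrote the whole table". Which of the three a given requirement needs is a question for the auditor, but the combination is what "tamper-evident" usually means in practice.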
