The nearest I've seen to immutable electronic data are the TPMs (Tamper
Proof Modules) used by banks to hold ATM software. They are hardened
steel boxes with several layers of very sophisticated self-destruct
anti-tampering hardware, are transported in securely guarded vehicles
and installed in ATMs which themselves have the same security level as a
good commercial safe.

AndyD 8-)#

On 10/01/2013 23:44, Ken Dibble wrote:

I'm researching health data security issues and came across a
requirement for "immutable" electronic audit trails.

The people who write these standards can't be serious, can they? There
is no such thing as immutable electronic data. Are they really dumb
enough to assume that the data is "immutable" if you only provide
read-only access to it through your software, or set the read-only bit
on the files?

The only relevant electronic "solution" I've seen for this appears to
be some sort of "lockbox" software that can be applied to a folder. It
operates like a safe with a time-lock. You could, I suppose,
periodically copy audit data to that folder where it can't be modified
or deleted, allegedly by anyone including the person who set the time,
until the time expires. So what happens if you reset the system clock?

Seriously... has anyone dealt with this requirement? What is actually
necessary to comply with it?

Thanks.

Ken Dibble
www.stic-cil.org