Thank you to everyone who replied to this thread. It was all very useful.
As to what constitutes an audit trail, I already have some of that in my software and it would not be difficult to add more.
As for forcing people to change passwords: pointless, IMO, since I would never allow people to password anything without giving me the password so I, as a system administrator, can get in and... ahem... audit what they've been doing.
Also IMO, the obsession with security with regard to health records is over the top. I've always been taught that the first principle of devising a security system for data is to evaluate the nature of the threat, and then base the security system on that. If you're dealing with credit card numbers or other financial data, then yes, that stuff faces serious threats that justify almost anything you can do to protect it.
There is very little incentive for people to misuse health data, and no financial incentive that would justify expensive efforts to do so. The only money to be made here might be by stealing Medicare or Medicaid numbers. But this kind of fraud is only--and can only effectively--be perpetrated by crooked medical practitioners. These people already have hundreds or thousands of numbers from their own patients that they can use for fraudulent billing--and those are what they use.
Yes, health information is supposed to be confidential to protect privacy and prevent discrimination. It is highly unlikely that anybody seeking to get information about specific individuals in order to harm them is going to have the capability to get past a reasonable, but not obsessive, security scheme. The individuals most likely to want to use such information to harm people would be the medical/social service people who would ordinarily have access to the information, not the IT people who take care of it. So audit logs are a sufficient mechanism to deal with that; they don't have to be immutable; they just can't have a human interface available to anyone other than the IT people.
In any case, the vast disconnect between the dictionary meaning of "immutable" and what the obsessive people who came up with the requirement think it means is what was throwing me. According to the document that Dan led me to, simply storing multiple copies of the log in different places, such that they likely could not all be altered, would suffice.
That's absurd, of course, if you're really concerned about IT people altering the logs, since they would alter the original and then copy the altered version to the removable media. But I guess the thinking of these people isn't really much different from that of the vendor of the "time-locked" computer folder software who didn't consider what happens if you just set the system clock forward.
Thanks again, everybody, for a great discussion.

Ken Dibble
www.stic-cil.org

Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
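The post's point that a copy made after the original has been altered proves nothing is worth seeing in code. The following is an added example, not code from Ken Dibble or the ProFox list, written from a defender's perspective: each audit entry is hash-chained to the one before it, and only the head hash (a single 64-character value) needs to be kept somewhere the log's administrator cannot reach. The event records, user names and actions below are constructed sample data; the scheme itself is the standard hash-chain idea, not a ProFox or VFP feature.

```python
import copy
import hashlib
import json

# Constructed sample audit events (not real records or users).
SAMPLE_EVENTS = [
    {"user": "nurse1", "action": "view", "record": "patient-0001"},
    {"user": "admin", "action": "export", "record": "patient-0042"},
    {"user": "nurse1", "action": "update", "record": "patient-0001"},
]

GENESIS = "0" * 64  # hash "before" the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(events: list) -> list:
    """Append events to a fresh chain; each entry records prev hash and own hash."""
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list, anchor: str) -> int:
    """Return -1 if the chain is internally consistent AND its head matches the
    externally stored anchor; otherwise the index of the first bad entry, or
    len(chain) when every entry links correctly but the head hash differs from
    the anchor (the chain was rebuilt after editing)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1 if prev == anchor else len(chain)


def demo() -> tuple:
    """Walk through the three cases the thread discusses."""
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]  # the one value written to the off-box location

    # 1. Untouched log verifies against the anchor.
    intact = verify_chain(chain, anchor)

    # 2. Naive edit of one entry: the stored hashes no longer match.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["action"] = "view"
    naive_edit = verify_chain(edited, anchor)

    # 3. An administrator edits the event and rebuilds the whole chain before
    #    copying it elsewhere: every link is consistent, so a copy of this log
    #    looks fine on its own, but the head no longer matches the anchor.
    rebuilt = build_chain([e["event"] for e in edited])
    rebuilt_vs_own_head = verify_chain(rebuilt, rebuilt[-1]["hash"])
    rebuilt_vs_anchor = verify_chain(rebuilt, anchor)

    return intact, naive_edit, rebuilt_vs_own_head, rebuilt_vs_anchor


if __name__ == "__main__":
    print(demo())
```

Case 3 is the scenario the post describes: multiple copies of a log that was altered before copying all agree with each other, so copies alone detect nothing. What makes the detection work is that the anchor is compared against a value the administrator could not update; a printout, a write-once medium, or a hash sent to a second party would all serve.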