Rohit,
You wrote:
> Has anyone had to deal with the following HIPAA compliance requirements
> within a custom application before:
>
> §164.312(c)(2)
> Implement electronic mechanisms to corroborate that electronic
> protected health information has not been altered or destroyed in
> an unauthorized manner.
>
> §164.312(e)(2)(i)
> Implement security measures to ensure that electronically transmitted
> electronic protected health information is not improperly modified
> without detection until disposed of.
>
> How have you actually implemented these controls in applications? Have
> you used a third party tool to do this? Does §164.312(c)(2) simply
> boil down to sufficient access control?

Having never had any practical experience with HIPAA, my take on these sections
may be different (read "wrong") from others', but the way I read these
requirements, they have to do more with ensuring data integrity than *merely*
proper access control.

If that is their intent, then I would look at access control as providing a
necessary, but not sufficient security measure to satisfy these requirements.

Consequently, I would think that a mechanism such as HMACs or digital signatures
may be appropriate security measures here.

-kevin
---
Kevin W. Wall           CenturyLink / Risk Mgmt / Information Security
kevin.w...@qwest.com    Phone: 614.215.4788
Blog: http://off-the-wall-security.blogspot.com/
"There are only 10 types of people in the world...those who can count
in binary and those who can't."

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
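One way to put Kevin's suggestion into code, as an added example that is not part of the original message and not an implementation anyone on the list posted: a record-level HMAC-SHA256 over a canonical serialization of each ePHI record, with the record id and version bound into the tagged bytes so that a tag cannot be moved to another record or an older version. The key handling, the `seal`/`verify` names and the sample patient record are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Any, Dict

# Assumption (not from the original post): the integrity key lives outside the
# application database, e.g. in a KMS or HSM, so that someone who can edit rows
# cannot also re-tag them. It is generated here only so the example runs offline.
INTEGRITY_KEY = os.urandom(32)


def canonical_bytes(record_id: str, version: int, record: Dict[str, Any]) -> bytes:
    """Deterministic serialization of a record plus its identity and version.

    Binding the id and version into the tagged bytes means a valid tag taken from
    another record, or from an older version of this one, will not verify here.
    sort_keys and fixed separators make the byte string independent of how the
    dict was built or pretty-printed.
    """
    envelope = {"id": record_id, "version": version, "body": record}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def seal(key: bytes, record_id: str, version: int, record: Dict[str, Any]) -> str:
    """Return the HMAC-SHA256 tag (hex) to store or transmit alongside the record."""
    return hmac.new(key, canonical_bytes(record_id, version, record),
                    hashlib.sha256).hexdigest()


def verify(key: bytes, record_id: str, version: int,
           record: Dict[str, Any], tag: str) -> bool:
    """True only if the record, id and version are exactly what was sealed.

    compare_digest runs in constant time, so the check does not leak how many
    leading hex digits of a forged tag happened to match.
    """
    expected = seal(key, record_id, version, record)
    return hmac.compare_digest(expected, tag)


def demo(key: bytes = INTEGRITY_KEY) -> Dict[str, bool]:
    """Seal a constructed ePHI record and report which changes the tag detects."""
    # Constructed sample data for the example; not a real patient.
    patient = {"mrn": "000123", "allergies": ["penicillin"], "dob": "1970-01-01"}
    tag = seal(key, "rec-1", 1, patient)

    # Same content, dict built in a different key order: still verifies.
    reordered = {"dob": "1970-01-01", "allergies": ["penicillin"], "mrn": "000123"}

    # Unauthorized edit of a clinically significant field: fails.
    tampered = dict(patient, allergies=[])

    return {
        "intact": verify(key, "rec-1", 1, patient, tag),
        "reordered_ok": verify(key, "rec-1", 1, reordered, tag),
        "tampered_detected": not verify(key, "rec-1", 1, tampered, tag),
        # Tag transplanted onto a different record id: fails.
        "transplant_detected": not verify(key, "rec-2", 1, patient, tag),
        # Older version's tag presented for a newer version number: fails.
        "version_replay_detected": not verify(key, "rec-1", 2, patient, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The caveat that decides whether this actually satisfies the "unauthorized manner" wording is who holds the key. If the same application account that can write the record can also read the HMAC key, an attacker with that account simply re-seals whatever it changed, and the control collapses back to access control. Either keep the key in a separate integrity service that tags on behalf of the application, or use digital signatures with a private key the application cannot read, so that verification needs only the public key. For data in transit, the same tag verifies the payload end to end even where TLS terminates at an intermediate proxy.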
