Thanks Kevin and those who answered me off-list. It sounds like people generally deal with this through techniques outside of the application logic itself such as checksums and/or digital signatures on files / database values that contain protected health information. My initial thought was that databases would offer some kind of integrity check feature and that seems to be the feeling from people on the list as well.
Has anyone actually implemented this kind of control *within* custom application logic? For example, verifying the integrity of stored protected health data by (for example) checking that a digital signature is valid before displaying it back to the user? On Tue, Apr 26, 2011 at 8:57 AM, Wall, Kevin <kevin.w...@qwest.com> wrote: > Rohit, > You wrote: > > Has anyone had to deal with the following HIPAA compliance requirements > > within a custom application before: > > > > §164.312(c)(2) > > Implement electronic mechanisms to corroborate that electronic > > protected health information has not been altered or destroyed in > > an unauthorized manner. > > > > §164.312(e)(2)(i) > > Implement security measures to ensure that electronically transmitted > > electronic protected health information is not improperly modified > > without detection until disposed of. > > > > How have you actually implemented these controls in applications? Have > > you used a third party tool to do this? Does §164.312(c)(2) simply > > boil down to sufficient access control? > > Having never had any practical experience with HIPPA, my take on these > sections > may be different (read "wrong") than others, but the way I read these > requirements, > they have to do more with ensuring data integrity than *merely* proper > access > control. > > If that is their intent, then I would look at access control as providing a > necessary, but not sufficient security measure to satisfy these > requirements. > > Consequently, I would think that a mechanism such as HMACs or digital > signatures > may be appropriate security measures here. > > -kevin > --- > Kevin W. Wall CenturyLink / Risk Mgmt / Information Security > kevin.w...@qwest.com Phone: 614.215.4788 > Blog: http://off-the-wall-security.blogspot.com/ > "There are only 10 types of people in the world...those who can count > in binary and those who can't." > > This communication is the property of Qwest and may contain confidential or > privileged information. Unauthorized use of this communication is strictly > prohibited and may be unlawful. If you have received this communication > in error, please immediately notify the sender by reply e-mail and destroy > all copies of the communication and any attachments. > -- Rohit Sethi SD Elements http://www.sdelements.com twitter: rksethi
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________