William I won't argue with you on this ... but, the original question starting this list had to do with the HHS Security Standard requiring 'technical security mechanisms' for 'integrity control'.
My view is that with the possible exception of nets using a signature mechanism at some level, one really can't isolate as small set of controls and expect them to "ensure[s] the validity of information being electronically transmitted or stored" 142.308(d)(1)(a) My question really had to do with 'compliance', I was curious about how others were dealing with this explicit expectation of the Standard. What I believe you are saying is that technical security mechanisms cannot be guarantors of information 'integrity'. I probably agree, although I don't have such strong feelings on the matter. The issue really is that as, more technical controls are imposed, (by definition I think) usability is reduced. Given the industry's strong bias toward a availability (broadly defined), the non technical security stuff is always going to be important. btw, I do believe (as do Clearswift, Tumbleweed, and a bunch of other vendors) that it is possible to implement technical controls in email systems to reduce / eliminate the 'unintended' cc of messages containing PHI. However, such systems will undoubtedly have a high rate of false positives and therefore will be intrusive to email users ... the usability factor. Bill
begin:vcard n:Pankey;Bill tel;fax:209.754.9135 tel;work:209.754.9130 x-mozilla-html:TRUE url:http://www.tunitas.com org:the Tunitas Group ;http://www.tunitas.com version:2.1 email;internet:[EMAIL PROTECTED] title:consultant adr;quoted-printable:;;PO Box 278=0D=0A6693 Sierra Vista Lookout Road=0D=0A;Mountain Ranch;CA;95246; fn:Pankey, Bill end:vcard To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address. <P>The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.