William

I won't argue with you on this ... but, the original question starting
this list had to do with the HHS Security Standard requiring 'technical
security mechanisms' for 'integrity control'.  

My view is that, with the possible exception of nets using a signature
mechanism at some level, one really can't isolate a small set of
controls and expect them to "ensure[s] the validity of information being
electronically transmitted or stored" 142.308(d)(1)(a). My question
really had to do with 'compliance'; I was curious about how others were
dealing with this explicit expectation of the Standard.

What I believe you are saying is that technical security mechanisms
cannot be guarantors of information 'integrity'.  I probably agree,
although I don't have such strong feelings on the matter.  The issue
really is that, as more technical controls are imposed, (by definition, I
think) usability is reduced.  Given the industry's strong bias toward
availability (broadly defined), the non-technical security stuff is
always going to be important.

btw, I do believe (as do Clearswift, Tumbleweed, and a bunch of other
vendors) that it is possible to implement technical controls in email
systems to reduce / eliminate the 'unintended' cc of messages 
containing PHI.  However, such systems will undoubtedly have a high rate
of false positives and therefore will be intrusive to email users ...
the usability factor. 

Bill



The WEDI SNIP listserv to which you are subscribed is not moderated.  The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.
