HP3000-L Archives

August 2007, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Arthur H Bahrs <[log in to unmask]>
Reply To:
Arthur H Bahrs <[log in to unmask]>
Date:
Fri, 17 Aug 2007 10:40:02 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (95 lines)
Hi Tracy :)
    Sorry, gotta be a quick answer... the auditors will ask the question:
"How do you report who can and did view/read/modify/copy/transmit/or
otherwise "access" the data contained in the database during the specified
timeframe?"

    Yes it is harmless enough in some views to release the database but the
rules have changed and HIPAA and SOX both change the access authorization
and reporting of access granting significantly.

    HIPAA requires that you review and re-approve the authorization every
"time period (usually a yearly thing)" who has been granted access to
information systems and remove the access that is no longer appropriate.

    HIPAA also allows the consumer/owner of PI/PHI to request a report of
who modified their PI/PHI and some interpret the law to allow the
consumer/owner of PI/PHI to request a roster of who has the ability to see
their PI/PHI and who did view it....

Thanks,
Art
=======================================================
Art Bahrs, CISSP          Corporate Reporting         The Regence Group
(503) 225-4992               Cell 971-244-2459               FAX (503) 220-3806


From: "Tracy Pierce" <TPierce@GOLDENGATE.ORG>
Sent by: "HP-3000 Systems Discussion" <HP3000-L@RAVEN.UTC.EDU>
To: [log in to unmask]
cc:
Subject: Re: [HP3000-L] MPE Security Violation error
Date: 08/15/2007 12:24 PM
Please respond to: "Tracy Pierce" <TPierce@GOLDENGATE.ORG>

someone wrote
> >In this forum we have the bandwidth to pretty much bypass any type of
> >security built into a HP3000 environment. And to see a request posted from
> >a YAHOO account asking how to get around security just raises the hackles
and someone wrote
> >Information and help within the community is a good thing.
> >Just have to be sure who we are helping the right people.

both of which seem to be paranoia.  While said expertise ("bandwidth")
may well be in the heads of some list members, the question isn't even
the least bit about how to break the locks (TopSecret!), it's about how
to use the keys (RTFM!).

The (less ambiguous please <big snip but great read, Roy!>) question's
quite fair; the answer is a pretty straightforward combination of basic
MPE & Image rules.

Back to the perceived paranoia though: Will someone explain to me please
why releasing a database is so evil, even in the face of SOX-armed
auditors?  Can they or anyone break into my database (without passwords
or lots of time?)?  Or can I tell them to RTFM, which might keep them
busy until next audit cycle?

Tracy Pierce

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *