Hi Tracy :)
Sorry, gotta be a quick answer... the auditors will ask the question:
"How do you report who can and did view/read/modify/copy/transmit/or
otherwise "access" the data contained in the database during the specified
timeframe?"
Yes, it is harmless enough in some views to release the database, but the
rules have changed, and HIPAA and SOX both change the access authorization
and the reporting of access granting significantly.
HIPAA requires that you review and re-approve, every "time period (usually
a yearly thing)", the authorization of who has been granted access to
information systems, and remove the access that is no longer appropriate.
HIPAA also allows the consumer/owner of PI/PHI to request a report of
who modified their PI/PHI, and some interpret the law to allow the
consumer/owner of PI/PHI to request a roster of who has the ability to see
their PI/PHI and who did view it....
Thanks,
Art
=======================================================
Art Bahrs, CISSP, Corporate Reporting, The Regence Group
(503) 225-4992   Cell 971-244-2459   FAX (503) 220-3806
"Tracy Pierce" <TPierce@GOLDENGATE.ORG>
Sent by: "HP-3000 Systems Discussion" <HP3000-L@RAVEN.UTC.EDU>
08/15/2007 12:24 PM
Please respond to "Tracy Pierce" <TPierce@GOLDENGATE.ORG>

To: [log in to unmask]
cc:
Subject: Re: [HP3000-L] MPE Security Violation error
someone wrote
> >In this forum we have the bandwidth to pretty much bypass any type of
> >security built into a HP3000 environment. And to see a request posted from
> >a YAHOO account asking how to get around security just raises the hackles
and someone wrote
> >Information and help within the community is a good thing.
> >Just have to be sure who we are helping the right people.
both of which seem to be paranoia. While said expertise ("bandwidth")
may well be in the heads of some list members, the question isn't even
the least bit about how to break the locks (TopSecret!), it's about how
to use the keys (RTFM!).
The (less ambiguous please <big snip but great read, Roy!>) question's
quite fair; the answer is a pretty straightforward combination of basic
MPE & Image rules.
Back to the perceived paranoia though: Will someone explain to me please
why releasing a database is so evil, even in the face of SOX-armed
auditors? Can they or anyone break into my database (without passwords
or lots of time)? Or can I tell them to RTFM, which might keep them
busy until the next audit cycle?
Tracy Pierce
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *