April 13, 2005

Security Practices

Ever think that application security is just a shortcut you can take care of later? Or that it might add more to the scope?

A nice and frightening statistic: according to Gartner, 75% of security breaches occur within patient management and clinical information systems. And you thought that custom Access database was nice and tightly secured, especially since you linked it to a Paradox Palm app.

Since the April 20th HIPAA Security deadline is around the corner, health leaders published a full checklist of security items. It's actually a good list to look at when developing applications and maintaining security.

1. Does the application create, receive, maintain or transmit electronic Protected Health Information (ePHI)? (For all applications that process ePHI in some way, the entity must pursue responses to the next 15 questions.)
2. Is there a procedure for authorizing, establishing and modifying user access?
3. Does the application possess unique user identification capabilities?
4. Have unique user identification capabilities been activated?
5. Are there generic IDs in use?
6. Does an Emergency Access Procedure exist?
7. Does the application facilitate automatic logoff capability?
8. Is automatic logoff capability enabled?
9. Is there an encryption feature for data "at rest" in databases?
10. Is the application capable of performing audit logging?
11. Is the audit logging function enabled?
12. Are audit logs reviewed on a routine basis?
13. Does the application possess person or entity authentication capabilities?
14. Are person or entity authentication capabilities activated?
15. Is there a method to ensure transmission integrity?
16. Is there a capability to encrypt the transmission?
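Several of the questions above (unique user IDs and no generic accounts, automatic logoff, audit logging, transmission integrity) map directly onto code. The sketch below is an added example written for this post, not code from the original article or from the checklist's authors; the 15-minute idle timeout, the set of "generic" account names, the sample patient record and the HMAC key are all constructed assumptions. The clock is injectable so the auto-logoff path can be exercised without waiting.

```python
"""Toy ePHI service illustrating checklist items 3-5, 7-8, 10-12 and 15.

Assumptions (not from the post): a 15-minute idle timeout, a constructed
list of shared account names, an in-memory record store, and HMAC-SHA256
as the transmission-integrity mechanism.
"""
import hashlib
import hmac
import json
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60  # assumption: 15 minutes of inactivity
# constructed sample of shared/generic IDs that defeat per-person accountability
GENERIC_IDS = {"admin", "nurse", "doctor", "guest", "test"}


class AccessDenied(Exception):
    pass


class SessionExpired(Exception):
    pass


class EphiService:
    def __init__(self, integrity_key, clock=time.time):
        self._key = integrity_key
        self._clock = clock        # injectable clock so auto-logoff is testable
        self._sessions = {}        # token -> {"user": str, "last": float}
        self.audit_log = []        # items 10-11: every access attempt is recorded
        # constructed sample ePHI; a real store would encrypt at rest (item 9)
        self._records = {"P001": {"name": "Sample Patient", "dx": "constructed"}}

    def _audit(self, event, user, **detail):
        self.audit_log.append({"ts": self._clock(), "event": event, "user": user, **detail})

    def login(self, user_id):
        # items 3-5: only individually attributable user IDs may authenticate
        if user_id.lower() in GENERIC_IDS:
            self._audit("login_denied_generic_id", user_id)
            raise AccessDenied(f"shared ID not allowed: {user_id}")
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user_id, "last": self._clock()}
        self._audit("login", user_id)
        return token

    def _touch(self, token):
        # items 7-8: automatic logoff once the session has been idle too long
        sess = self._sessions.get(token)
        if sess is None:
            raise AccessDenied("unknown session")
        now = self._clock()
        if now - sess["last"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]
            self._audit("auto_logoff", sess["user"])
            raise SessionExpired("idle timeout reached")
        sess["last"] = now
        return sess["user"]

    def read_record(self, token, patient_id):
        user = self._touch(token)
        record = self._records.get(patient_id)
        self._audit("read", user, patient=patient_id, found=record is not None)
        if record is None:
            raise KeyError(patient_id)
        return dict(record)

    def seal(self, record):
        # item 15: integrity tag so the receiver can detect modification in transit
        payload = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload, tag

    def verify(self, payload, tag):
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def review_audit_log(log):
    """Item 12: a routine review pass that pulls out the events worth a look."""
    flagged = {"login_denied_generic_id", "auto_logoff"}
    return [entry for entry in log if entry["event"] in flagged]


if __name__ == "__main__":
    svc = EphiService(b"constructed-demo-key")
    token = svc.login("jsmith")
    print(svc.read_record(token, "P001"))
    payload, tag = svc.seal({"patient": "P001", "note": "constructed"})
    print("integrity ok:", svc.verify(payload, tag))
    print("flagged:", review_audit_log(svc.audit_log))
```

The audit log is the piece that answers items 10 through 12: it records the denied generic-ID login and the forced logoff as well as ordinary reads, and `review_audit_log` is the kind of routine check a reviewer would run over it. Note that `seal`/`verify` only gives integrity (item 15); item 16, confidentiality in transit, still requires encryption such as TLS on the channel.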

Here is the final security rule.

Posted by Elyse at April 13, 2005 9:01 PM | TrackBack