GraniteBalls Aging fast 12262 Posts
In terms of laws and regulations, is there a specific bar that has to be met in certain environments like a Law office, or Dentist office? I'm looking for something that says lawyers offices in the state of NC have to implement cryptography or hash checks on all data, have to ssh into remote sessions, yada yada yada. I'm sure there is, I'm just looking for the checklist. Anyone help?
Google is oh so powerful. 4/23/2008 10:32:35 AM
GraniteBalls Aging fast 12262 Posts
I'm not looking for a best practices list, I'm looking for a list that will shield a dentist office from prosecution, should information be leaked or exposed.
Kind of like an OSHA standard of sorts. 4/23/2008 10:33:46 AM
synapse play so hard 60939 Posts
I bet you won't find the information you're looking for. When I did some research into what the HIPAA requirements were for a database which stored patient data, all I found were generalities and not specific requirements like you're asking for.
If this physician's office stores client data (medical info, SSN, DOB etc.) then I'd bet you'll want to look at making sure their data systems are HIPAA compliant. Just a guess, but at least it gives you something else to google. 4/23/2008 10:42:22 AM
GraniteBalls Aging fast 12262 Posts
http://netsecurity.about.com/od/hipaa/News_and_Information_About_HIPAA.htm
holy broken links, batman.
this shit is completely unorganized. I'm having a hard time picking out any useful information. 4/23/2008 10:50:32 AM
GraniteBalls Aging fast 12262 Posts
http://www.hipaadvisory.com/ezcart/myProducts.cfm?productID=177&display=detail&categoryID=3
wtf this shit costs money?
Okay, here's a decent site, but I'm still having a problem swimming through best practices shit.
http://www.hipaadvisory.com/tech/
It looks like a big fucking list of things you can, or should do.
I need the list of things that MUST be done.
[Edited on April 23, 2008 at 10:56 AM. Reason: grr.] 4/23/2008 10:53:10 AM
mellocj All American 1872 Posts
I have had to do some research on HIPAA. To sum it up, HIPAA includes a lot of legislation and is very confusing. There are no specific technical requirements such as a level of encryption or that video cameras must be monitoring your data hosting etc. I think the main idea of HIPAA is that your organization is supposed to have documented procedures for how you handle security, and create your own security plan.
That being said, I would pay someone who is a HIPAA specialist for a recommendation. 4/23/2008 10:54:54 AM
GraniteBalls Aging fast 12262 Posts
^ that helps
It seems pretty asinine that they don't do any kind of standardization of security across the board. 4/23/2008 10:57:22 AM
synapse play so hard 60939 Posts
Quote: "I need the list of things that MUST be done."
Like I said before, I doubt you're going to find this info. I searched for it before too, and was unable to find anything outside of generalities. Lemme know if you do find something though, I'd like to see it. 4/23/2008 11:05:48 AM
GraniteBalls Aging fast 12262 Posts
grrr. 4/23/2008 11:27:30 AM
smoothcrim Universal Magnetic! 18966 Posts
There are some specific HIPAA standards that must be enforced. I was working in IT when HIPAA came out so I'm aware of a lot of the standards and how to implement them. Shoot me a PM if you'd like a real consult. 4/23/2008 11:27:58 AM
drhavoc All American 3759 Posts
http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage
Insofar as crypto or hash checking for attorneys, et al., to the best of my knowledge there is no legislation on this (thankfully) but it is left up to individual firms to practice due care in handling data.
If you're looking for information about how to help a healthcare practitioner on best practices w.r.t. security, send me a PM with your questions. Not to give a flippant answer, but "it depends" will kind of have to suffice for general questions. 4/23/2008 12:15:52 PM
ComputerGuy (IN)Sensitive 5052 Posts
I had to do a job in which the Dr.'s office wanted to do backups to a webserver that wasn't .htaccess protected... yeah... I was like... ummm yeah... that 9.95 a year isn't a good investment.
After I did research... if they .htaccess it there isn't anything to say that was illegal... unless it was compromised... which made me say WTF quite a bit. 4/23/2008 12:22:54 PM
evan All American 27701 Posts
lol @ .htaccess and HIPAA
HIPAA is very generalized on purpose - that way it's basically up to the prosecutors and the justice system to interpret what is and is not a violation. 4/23/2008 1:13:30 PM
GraniteBalls Aging fast 12262 Posts
Quote: "If you're looking for information about how to help a healthcare practitioner on best practices w.r.t. security, send me a PM with your questions. Not to give a flippant answer, but "it depends" will kind of have to suffice for general questions."
I'm already familiar with best practices and forming a logical scope for security in a given scenario. I was just trying to make sure there weren't any specific regulations for anything.
I know how to do the job guys, I swear. 4/23/2008 1:41:50 PM
smoothcrim Universal Magnetic! 18966 Posts
For the most part, just protect the stuff like it was your personal data. Use best practices and make things as secure as possible. There are a few rules in specific scenarios, group policy is a big one, but for the most part it's kind of open. Encryption everywhere, access control, network segregation, and several backups are the general rules of thumb. 4/25/2008 9:59:39 AM