From: David W. Fenton on 20 Mar 2010 17:16

Banana <Banana(a)Republic> wrote in news:4BA51A3B.8040301(a)Republic:

> Douglas J. Steele wrote:
>> I think you'll find the general consensus is that Access is not
>> appropriate for HIPAA.
>>
>> And no, Access security cannot be integrated with Active
>> Directory.
>>
>> On the topic of Access security, be aware that the new .accdb
>> file format in Access 2007 (and Access 2010, which is currently
>> in beta) does not support Access security (although it's still
>> supported in those versions of Access if the file is left in the
>> older .mdb file format)
>
> FWIW, I did use to work for a company that was bound by HIPAA and
> I know of a couple of others who did likewise.
>
> The way I understood it, it was OK as long as you used Windows
> filesystem permissions to keep out the non-users and thus only
> those employees who were authorized to work with confidential
> documentation. No different from emails containing the same
> content, really. This works OK on a user level. When there's a
> question of needing a different access security for data, a
> different backend may be a better solution, but that doesn't
> preclude Access as a front-end client.

This was my understanding, too. Nonetheless, I still wouldn't recommend a Jet/ACE back end for an app that had to comply with HIPAA.

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/

From: David W. Fenton on 20 Mar 2010 17:18

Banana <Banana(a)Republic> wrote in news:4BA51B0D.5090208(a)Republic:

> Have a look at www.accesssecurityblog.com

So Tom, when are we going to get more on the blog?

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/

From: Arvin Meyer [MVP] on 20 Mar 2010 23:01

While Access cannot be integrated with Active Directory, it can be integrated with Windows login. I do have an Access app which uses a Terminal Server to allow connection to Jet data. It is HIPAA compliant, and has been certified as such by a 3rd party auditor. It is virtually impossible (notice I said "virtually") to get to any data that you are not allowed to see. At least no one, including the MCSE that helped me set it up and the auditors, has been able to get in.

When logging in, the app opens to your data. If you close Access, there's a single shortcut to reopen it. Nothing else, and no way to get anywhere else. Ten minutes of inactivity shuts down the app and boots you out of the system. It has been used successfully for about 2 years now.

This app happens to be an MDE, but would probably work just as well as an ACCDE. That hasn't been tested though. It does not use Access security at all, but does make heavy use of Active Directory security and Group Policies.

--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.accessmvp.com
http://www.mvps.org/access

"Douglas J. Steele" <NOSPAM_djsteele(a)NOSPAM_gmail.com> wrote in message news:e6hMJVFyKHA.2552(a)TK2MSFTNGP04.phx.gbl...
> I think you'll find the general consensus is that Access is not appropriate
> for HIPAA.
>
> And no, Access security cannot be integrated with Active Directory.
>
> On the topic of Access security, be aware that the new .accdb file format
> in Access 2007 (and Access 2010, which is currently in beta) does not
> support Access security (although it's still supported in those versions
> of Access if the file is left in the older .mdb file format)
>
> --
> Doug Steele, Microsoft Access MVP
> http://I.Am/DougSteele
> (no e-mails, please!)
>
> "frank" <frankjlinden(a)yahoo.com> wrote in message
> news:b1bf4277-a22a-4618-959c-5e1a6f3d6b56(a)q21g2000yqm.googlegroups.com...
>> I have just begun work for a health care entity which uses MS Access
>> for all their client data.
>> The User interfaces are all standard Access Forms and Pages deployed
>> over the LAN using Share Permissions.
>> I will soon begin the task of consolidating and securing these various
>> databases and the solution must be compliant with HIPAA regulations
>> for securing Private Health Information. Can anyone please offer any
>> basic suggestions that I can pursue to properly secure my Access
>> databases in this environment?
>> Also, can Access security be integrated with Active Directory like
>> MSSQL?
>>
>> Thank You.

From: kc-mass on 20 Mar 2010 23:43

Thought I sent this earlier but don't see it so:

Two years ago I worked a contract with a company that processed tons of HIPAA data. They wanted everything in Access. Two weeks after I got there some outside auditors showed up. Very quickly we moved all back ends to SQL Server Express. Access security is fine for the usual curious user but is not for fending off criminals.

There is a lot of info on the web on what HIPAA dictates vis a vis info security. You will want to look at that before you start down an access or any other path with the data. If it is Medicare or Medicaid data it's even more stringent. Some suggest that you need to log every view of any med record by user.

Be Careful

Regards
Kevin

"frank" <frankjlinden(a)yahoo.com> wrote in message news:b1bf4277-a22a-4618-959c-5e1a6f3d6b56(a)q21g2000yqm.googlegroups.com...
> I have just begun work for a health care entity which uses MS Access
> for all their client data.
> The User interfaces are all standard Access Forms and Pages deployed
> over the LAN using Share Permissions.
> I will soon begin the task of consolidating and securing these various
> databases and the solution must be compliant with HIPAA regulations
> for securing Private Health Information. Can anyone please offer any
> basic suggestions that I can pursue to properly secure my Access
> databases in this environment?
> Also, can Access security be integrated with Active Directory like
> MSSQL?
>
> Thank You.

From: david on 21 Mar 2010 22:44

Users should not have access to Windows Explorer, or the Command Line, or any general-purpose software, on the system which allows them access to the data.

You can do that by using Terminal Services, or Virtual PC, or dedicated workstations.

Those are general rules for HIPAA anyway, but this stuff is gradually being tightened up: 10 years ago you would have gotten away with just having policies about proper workstation use; now it's back to expecting enforceable 'green screen' security, not just supervision.

I wouldn't expect everyone to have 'green screen' style workstation security at this point, but the world is heading that way, so if you are thinking about security now, now is the time to put in place the correct systems.

(david)

"frank" <frankjlinden(a)yahoo.com> wrote in message news:b1bf4277-a22a-4618-959c-5e1a6f3d6b56(a)q21g2000yqm.googlegroups.com...
> I have just begun work for a health care entity which uses MS Access
> for all their client data.
> The User interfaces are all standard Access Forms and Pages deployed
> over the LAN using Share Permissions.
> I will soon begin the task of consolidating and securing these various
> databases and the solution must be compliant with HIPAA regulations
> for securing Private Health Information. Can anyone please offer any
> basic suggestions that I can pursue to properly secure my Access
> databases in this environment?
> Also, can Access security be integrated with Active Directory like
> MSSQL?
>
> Thank You.