by patio11 3588 days ago
We're in the healthcare space so we have to own our hardware and co-locate.

Vendors will say all manner of things regarding how HIPAA compliance requires you to buy their most expensive services, but the HIPAA legislation and related rules are almost silent with regards to implementation requirements that map to actual technologies you could actually use. "Quote me the subsection of the Security Rule you are referring to; it will look like 164.308(a)(5)(ii)(D)." is dispositive of this sort of thing.

That's a real thing, by the way. The requirement, in its entirety: "Do you have procedures for creating, changing, and safeguarding passwords?" Did you see the point where it requires hashing the passwords? No, you didn't, because HIPAA doesn't require hashing passwords. It requires you to have some method of "safeguarding" passwords written down somewhere.

[Edit: Parent has clarified that they're dealing with standard paperwork at clients rather than the legislation itself, which makes sense (and, also, oww).]


Pertaining to your edit, apologies for over-simplifying originally. You are absolutely correct that the Security Rule is very very vague. Many HIPAA audits barely reference the Security Rule and instead use stronger rule sets. Unfortunately, HIPAA is generally documentation of policies as opposed to true technical guidance and requirements. We're also an 8-year-old SaaS company, so many of our agreements pre-date the "cloud" catching up from a compliance perspective. At the speed of healthcare, I imagine it'll take another decade for the industry to realize that an AWS cloud is probably more secure than something a 10-person organization can cobble together.

A running joke for me is the healthcare providers who are worried whether our firm will use "a database" which "could be hacked" instead of, to make up something which clearly has never been said by anyone regulated in the United States, saving all patient information as drafts in the office manager's hotmail account.

It's just a draft though. If you don't hit send, clearly it's not in a "database".

If you saved an email draft into Outlook, it is a database.

If your computer is hacked, then an attacker would be able to extract information from that Outlook database.

Sorry, my sarcasm did not come off properly :)