[tptacek]

I hate to be the one to break this to you†, but normal people make up almost the entire chain of custody for regulated data. Normal people write your health records. Normal people check them out of databases and read them. Normal people load them into spreadsheets. Normal people generate reports. Businesses do not exist to support super-savvy BOFH's. It is rather the other way around.

† Ok, no I don't

[abofh]

I didn't say they do, but they should hire people competent to make educated decisions in the regulatory environment they're in. That's why they pay bofhs -- not because they like our views, but because we _read_ the specs.

EDIT: To phrase less hostilely -- HIPAA and various finance laws consist of thousands of pages of what to do and what not to do. Dropbox is a shiney webpage that isn't PCI certified or HIPAA certified. If you chose to operate in a business that requires HIPAA/PCI, and used dropbox for that data, _you_ are at fault, not dropbox, not the bofhs, and not the coder. In the case of HIPAA - you would be the criminal.

[ZoFreX]

Friend of mine worked for a drug company, medical data on patients (they were handling the side-effect reports) was just emailed around, and I know they had work documents on their home computer.

[abofh]

I would never be foolish enough to say it _doesn't_ happen, simply that the rules say it _mustn't_ happen. Anyone who ends up complaining that they're forced to disclose because they didn't follow best practices, just learned why they're best practices.

I admit readliy it's mostly the problem of bad luck (being targeted) or careless (losing emailed reports w/ identifying data <g>) - but if and when that drug company gets sued for something like that, guess which side the law will be on?

[kevin_morrill]

HIPAA does not have thousands of pages on what and what not to do. It's actually quite vague, and mostly comes down to fines after the fact. There's also no such thing as a government sanctioned HIPAA certification. There's just random people willing to 'certify' you.

[tptacek]

The HIPAA data security requirements are tiny and largely boil down to "data should be encrypted in transit and at rest and require access control".

http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.6.html

[abofh]

Quite right -- a better example is PCI compliance (hundreds of pages IIRC, and several volumes depending on exactly what you're doing; not a law, but similar ramifications if you don't comply);

Still, complying with HIPAA does make one point _very_ clear -- audit controls - Dropbox has none exposed to you, and thus it simply does not comply unless you have your own layer of controls (encryption) on top.

It also seems to fall down under 'Standard: Person or entity authentication' as well, but that's just me being snarky.

Health-care and finance are places with legal (or contractual) obligations -- and that was my main point: if you have a set of rules (or even best practices), and you fall afowl of them, don't go screaming that someone else is to blame.