by PH95VuimJjqBqy 925 days ago
> I work as a subcontractor for a federal contractor in healthcare, and I can see all of them if I wanted to. We just don't.

I also work in healthcare, I'd like to see you make that request.

edit: To draw an analogy: you may work for a credit bureau, but if you start requesting records for celebrities you're not going to be working there for very long.

I've _built_ the systems put in place to limit and monitor for these sorts of activities in healthcare specifically as a result of the liability it puts the company under due to federal regulation.


Then you would know that HIPAA allows for one subset of the above, health information to be shared for treatment purposes even without patient authorization, as long as reasonably safeguarded.

I'm not saying that encapsulates everything that person says. But "reasonable safeguards" absolutely include a lot of the things you say are unacceptable.

I worked for a company that built claims benefits management systems, including one for SAG-AFTRA. Notably, that one, because they were about the only customer who was absolutely militant about lockdown of access to data (because it would show celebrity healthcare claims).

Actually, the biggest challenge we had was from our customers wanting to do data mining that was federally illegal (like looking at familial healthcare data to determine predisposition for a covered person for a certain condition).

What the person said was "we could access any data we want, we just don't".

There's no way they fall under one of those exemptions, especially if they don't need it to do their job. If anything, the statement "we just don't" is indicative that they wouldn't fall under those exemptions.

But really the point was that this stuff is heavily regulated. If a company isn't following those regulations that's going to bite them in the ass eventually.

Typically speaking, you can convince auditors of a lot of things, but it only takes getting the wrong auditor for it all to go downhill.

>I'd like to see you make that request.

Cute of you to think that there's a 'request' part. My point was that we do need to check them to see if x site/app/tab is working or not after patching. It's part of our job.

Edit: I think the confusion here might be you're thinking US Federal. I am not.

HIPAA has requirements for logs and that includes logging access to data. What company is this that isn't following those regulations such that you can crack open raw logs at any time?

But what if this person has direct access to the database? I'm a developer for my local government and have direct read/write access to many systems' production data. I could not only read but also update important info about people without going through an application, all while logged in as the application's SQL ID. In fact I have to do this to handle tickets that are caused by limitations in the system.

The reality is that someone, somewhere, is going to have access like this. Depending on the industry and the type of data there's typically a separation of concerns.

For example, if you can get code into production you cannot have access to production data and vice-versa.

You'll also see data in different databases where no one has access to both. You'll also see things like this with the use of encryption keys, such as KEK vs DEK where no system has access to both.

https://security.stackexchange.com/questions/93886/dek-kek-a....

Typically speaking, these compliance frameworks will have exemptions for "business need" and companies will try to drive a semi-truck through that hole. Whether they get away with it depends on multiple factors such as the size of the company and the auditor's mood.

It's almost like being "too big to fail". I have seen some absolutely heinous setups surrounding compliance related data that was allowed via "business need" because pulling that rug would cause the entire company to stop functioning. Generally when companies do things like this and they get to that size they'll spend years rectifying the problem because auditors will start giving them the stink-eye or they'll actually hire people who aren't comfortable with what they're doing.

It's all very messy, but don't assume that just because you have that kind of access that you should (and don't assume the reverse either). Without knowing more about what you do I couldn't say.

But for sure the other poster went quiet when I asked who the company was because they're fully aware they're on shaky ground. Which was my point in making that statement.
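The KEK/DEK split mentioned above (no single system holds both keys, and every key-unwrap is logged, which is also what the HIPAA access-logging point earlier in the thread comes down to) is easier to see in code. The following is an added example, not code from anyone in this thread. It uses a toy authenticated cipher built from HMAC-SHA256 (CTR keystream plus encrypt-then-MAC) as a stand-in for AES-GCM so it runs on the Python standard library alone; the class names `KeyService` and `RecordStore`, the caller names and the patient record are all constructed for illustration.

```python
"""Envelope encryption: a key service holds the KEK, a record store holds
ciphertext plus DEKs wrapped under that KEK, and neither side alone can read
patient data. Every unwrap request is written to an audit log.

Toy AEAD (HMAC-SHA256 CTR keystream + HMAC tag) stands in for AES-GCM.
"""
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(nonce || counter) for as many blocks as needed.
    blocks = [
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyService:
    """Holds the KEK (hypothetical KMS). It never sees patient data: it only
    wraps and unwraps DEKs, and records who asked to unwrap which record."""

    def __init__(self, authorized_callers):
        self._kek = os.urandom(32)          # never leaves this object
        self._authorized = set(authorized_callers)
        self.audit_log = []

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes, caller: str, record_id: str) -> bytes:
        allowed = caller in self._authorized
        # Log denied attempts too; those are the ones a reviewer wants to see.
        self.audit_log.append({"caller": caller, "record": record_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{caller} may not unwrap keys")
        return unseal(self._kek, wrapped_dek)


class RecordStore:
    """Holds ciphertext plus wrapped DEKs (hypothetical database). Without the
    KEK, a full copy of this table is unreadable."""

    def __init__(self):
        self.rows = {}  # record_id -> (wrapped_dek, ciphertext)


def store_record(kms: KeyService, store: RecordStore, record_id: str, plaintext: bytes) -> None:
    dek = os.urandom(32)                     # one DEK per record
    store.rows[record_id] = (kms.wrap(dek), seal(dek, plaintext))


def read_record(kms: KeyService, store: RecordStore, caller: str, record_id: str) -> bytes:
    wrapped_dek, ct = store.rows[record_id]
    dek = kms.unwrap(wrapped_dek, caller, record_id)
    return unseal(dek, ct)


def demo():
    kms = KeyService(authorized_callers={"claims-app"})
    store = RecordStore()
    record = b"constructed sample: diagnosis code Z00.00"   # constructed, not real PHI
    store_record(kms, store, "pt-1001", record)

    ok = read_record(kms, store, "claims-app", "pt-1001")   # the application path works
    try:
        read_record(kms, store, "dba-readonly", "pt-1001")  # an unlisted caller is refused
        denied = False
    except PermissionError:
        denied = True

    # Someone with the whole table but no KEK: the wrapped DEK is not the DEK.
    wrapped_dek, ct = store.rows["pt-1001"]
    try:
        unseal(wrapped_dek, ct)
        unreadable = False
    except ValueError:
        unreadable = True

    return ok, denied, unreadable, [e for e in kms.audit_log if not e["allowed"]]


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `demo()`: the database side can be copied wholesale and still yields nothing, the key service never handles plaintext, and the refused unwrap leaves an audit entry naming the caller and record, which is the trail an auditor asks for.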

>But for sure the other poster went quiet when I asked who the company was because they're fully aware they're on shaky ground.

No. It had nothing to do with 'shaky grounds.' I do what my job requires me to do.

I didn't respond because I didn't want you to potentially doxx me. Why would I reveal the company name where I work?

That being said, post your passport details here. If you don't, you're obviously a criminal on shaky grounds with the law. If you weren't, you obviously would have no problems doing so.

See how that works?

That's an excuse. If you as a contractor have direct access to raw logs with that sort of data in it, the company is at risk.

That is the truth regardless of your claims about why you won't reveal the company name.