MS ACCESS security and HIPAA compliance

frank

I have just begun work for a health care entity which uses MS Access
for all their client data.
The user interfaces are all standard Access Forms and Pages deployed
over the LAN using Share Permissions.
I will soon begin the task of consolidating and securing these various
databases and the solution must be compliant with HIPAA regulations
for securing Private Health Information. Can anyone please offer any
basic suggestions that I can pursue to properly secure my Access
databases in this environment?
Also, can Access security be integrated with Active Directory like
MSSQL?

Thank You.
 
Douglas J. Steele

I think you'll find the general consensus is that Access is not appropriate
for HIPAA.

And no, Access security cannot be integrated with Active Directory.

On the topic of Access security, be aware that the new .accdb file format in
Access 2007 (and Access 2010, which is currently in beta) does not support
Access security (although it's still supported in those versions of Access
if the file is left in the older .mdb file format).
 
Banana

Douglas said:
I think you'll find the general consensus is that Access is not
appropriate for HIPAA.

And no, Access security cannot be integrated with Active Directory.

On the topic of Access security, be aware that the new .accdb file
format in Access 2007 (and Access 2010, which is currently in beta) does
not support Access security (although it's still supported in those
versions of Access if the file is left in the older .mdb file format).

FWIW, I used to work for a company that was bound by HIPAA and I know
of a couple of others who did likewise.

The way I understood it, it was OK as long as you used Windows filesystem
permissions to keep out the non-users and thus let in only those employees
who were authorized to work with confidential documentation. No different
from emails containing the same content, really. This works OK on a
user level. When there's a question of needing different access
security for data, a different backend may be a better solution, but
that doesn't preclude Access as a front-end client.
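The "Windows filesystem permissions" approach Banana describes, shown as an added example rather than anything posted in the thread: a PowerShell script that restricts the share and NTFS ACLs on the folder holding the Access back end to one AD group and turns on file-access auditing so every open of the database file is recorded. The share name ClinicData, folder D:\ClinicData and group CORP\PHI-Users are assumed placeholder names; the SmbShare cmdlets need Windows Server 2012 / Windows 8 or later and an elevated session.

```powershell
# Added example (not from the thread). Placeholder names: adjust to your environment.
$Folder = 'D:\ClinicData'          # folder that holds the .mdb/.accdb back end
$Share  = 'ClinicData'             # existing LAN share over that folder
$Group  = 'CORP\PHI-Users'         # AD group of staff authorized to see PHI

# 1. Share permissions are coarse, so grant the group Change only and drop Everyone;
#    the effective rights are then decided by the NTFS ACL below.
Grant-SmbShareAccess  -Name $Share -AccountName $Group      -AccessRight Change -Force
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone'  -Force

# 2. NTFS: break inheritance so "Users"/"Authenticated Users" from the parent
#    drive no longer reach the folder, then keep only explicit entries.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)        # protect, do not copy inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Jet/ACE users need Modify (to create and delete the .ldb/.laccdb lock file), not Full Control.
$userRule  = [System.Security.AccessControl.FileSystemAccessRule]::new($Group, 'Modify', $inherit, $prop, 'Allow')
$adminRule = [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')
$acl.AddAccessRule($userRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path $Folder -AclObject $acl

# 3. SACL: log successful and failed reads, writes and deletes of the database files
#    to the Security event log (event 4663) once "Audit Object Access" is enabled by GPO.
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', 'ReadData, WriteData, Delete', $inherit, $prop, 'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify: only the two explicit entries should remain.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Note that this keeps non-users away from the file; anyone in the group can still copy the whole .mdb, which is the limit Banana's next post points out.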
 
Banana

frank said:
I have just begun work for a health care entity which uses MS Access
for all their client data.
The user interfaces are all standard Access Forms and Pages deployed
over the LAN using Share Permissions.
I will soon begin the task of consolidating and securing these various
databases and the solution must be compliant with HIPAA regulations
for securing Private Health Information. Can anyone please offer any
basic suggestions that I can pursue to properly secure my Access
databases in this environment?
Also, can Access security be integrated with Active Directory like
MSSQL?

Thank You.


Have a look at www.accesssecurityblog.com

Please be aware this is an effective solution for controlling access to
objects within an Access database in conjunction with compiling the file
into an MDE/ACCDE, but this is not appropriate for securing the data itself
if it is stored in an Access file. Unless you are content with using
Windows filesystem permissions to keep out non-users, consider using SQL
Server Express, MySQL, PostgreSQL, whatever, to secure your data.

HTH.
 
David W. Fenton

Banana said:
FWIW, I used to work for a company that was bound by HIPAA and
I know of a couple of others who did likewise.

The way I understood it, it was OK as long as you used Windows
filesystem permissions to keep out the non-users and thus let in only
those employees who were authorized to work with confidential
documentation. No different from emails containing the same
content, really. This works OK on a user level. When there's a
question of needing different access security for data, a
different backend may be a better solution, but that doesn't
preclude Access as a front-end client.

This was my understanding, too.

Nonetheless, I still wouldn't recommend a Jet/ACE back end for an
app that had to comply with HIPAA.
 
Arvin Meyer [MVP]

While Access cannot be integrated with Active Directory, it can be
integrated with Windows login.

I do have an Access app which uses a Terminal Server to allow connection to
Jet data. It is HIPAA compliant, and has been certified as such by a 3rd
party auditor. It is virtually impossible (notice I said "virtually") to get
to any data that you are not allowed to see. At least no one, including the
MCSE who helped me set it up and the auditors, has been able to get in.

When logging in, the app opens to your data. If you close Access, there's a
single shortcut to reopen it. Nothing else, and no way to get anywhere else.
Ten minutes of inactivity shuts down the app and boots you out of the
system. It has been used successfully for about 2 years now.

This app happens to be an MDE, but would probably work just as well as an
ACCDE. That hasn't been tested though. It does not use Access security at
all, but does make heavy use of Active Directory security and Group
Policies.
 
kc-mass

Thought I sent this earlier but don't see it so:

Two years ago I worked a contract with a company that processed tons of
HIPAA data. They wanted everything in Access. Two weeks after I got there
some outside auditors showed up. Very quickly we moved all back ends to SQL
Server Express. Access security is fine for the usual curious user but is
not for fending off criminals.

There is a lot of info on the web on what HIPAA dictates vis-a-vis info
security. You will want to look at that before you start down an Access or
any other path with the data. If it is Medicare or Medicaid data it's even
more stringent. Some suggest that you need to log every view of any med
record by user.

Be Careful

Regards

Kevin
 
david

Users should not have access to Windows Explorer, or the
Command Line, or any general-purpose software, on the
system which allows them access to the data. You can do
that by using Terminal Services, or Virtual PC, or dedicated
workstations.

Those are general rules for HIPAA anyway, but this stuff is gradually
being tightened up: 10 years ago you would have gotten away with just
having policies about proper workstation use, now it's back to
expecting enforceable 'green screen' security, not just supervision.

I wouldn't expect everyone to have 'green screen' style workstation
security at this point, but the world is heading that way, so if you
are thinking about security now, now is the time to put in place
the correct systems.

(david)
 
hepei

david said:
Users should not have access to Windows Explorer, or the
Command Line, or any general-purpose software, on the
system which allows them access to the data. You can do
that by using Terminal Services, or Virtual PC, or dedicated
workstations.

Those are general rules for HIPAA anyway, but this stuff is gradually
being tightened up: 10 years ago you would have gotten away with just
having policies about proper workstation use, now it's back to
expecting enforceable 'green screen' security, not just supervision.

I wouldn't expect everyone to have 'green screen' style workstation
security at this point, but the world is heading that way, so if you
are thinking about security now, now is the time to put in place
the correct systems.

(david)
 
Arvin Meyer - thank you for your post above. Would you mind elaborating on what security measures you took for the Access front end that runs with Terminal Server? Also, is the back end in Access or another database?
Thank you
Bob
 
@arvin Meyer
Would you please post more specifics on the steps you took to secure your application that passed a HIPAA audit?
Thanks
Bob
 