Multiple Users - One Server - No BE/FE Required - Help

  • Thread starter: bhipwell via AccessMonster.com
David W. Fenton said:
But that's not relevant to HIPAA compliance. They shouldn't be able
to *see* other clients' data -- as soon as they can, you're out of
HIPAA compliance.

But you can block access to the table or query view and, by using
their network login, restrict access to only "their" records so that
should be ok.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
 
But you can block access to the table or query view and, by using
their network login, restrict access to only "their" records so
that should be ok.

You're assuming that the user can't download the cracking tools to
get to the data in the back end directly, by breaking Jet user-level
security. Neither of your points apply if ULS is cracked.
 
Hello all,

Looks like I opened up a Pandora's box! Anyway, I am running the database
through a terminal server. Each client will have a particular user name and
login that, when opened, automatically opens their specific FE and filters
for only that particular client's data on the BE.

We are not storing any medical information, however, we are working with
health insurance which must abide by HIPAA regulations. The two keys to
HIPAA as it relates to our database are the containment of social security
numbers and birthdays. We have recently decided, these two items will be
left out of our database as for our purpose, they will be one time use data
pieces. Hence, storage of this information is not required. As the program
evolves, this may become an issue again.

Clients will identify their employees by name and/or by provided IDs created
by Access. Our terminal server is more than robust having two dual core 4GBs
processors (a little overkill, but nice to have).

As for SOX, take a look at the law firm Fowler, White, Boggs and Banker.
They specialize in this area as well as intellectual property, internet
copywriting, etc. You can find them on the web.

B
 
We are not storing any medical information, however, we are
working with health insurance which must abide by HIPAA
regulations. The two keys to HIPAA as it relates to our database
are the containment of social security numbers and birthdays. We
have recently decided, these two items will be left out of our
database as for our purpose, they will be one time use data
pieces. Hence, storage of this information is not required. As
the program evolves, this may become an issue again.

If it's only two fields, storing it encrypted would be a good idea,
and having a private key used in the MDEs (or in an external
library) would make it safe from prying eyes who weren't using the
front end. But you would *have* to use an MDE and it would have to
be an encrypted MDE -- otherwise, the key would be visible when
browsing the file at the binary level.
 
David W. Fenton said:
You're assuming that the user can't download the cracking tools to
get to the data in the back end directly, by breaking Jet user-level
security. Neither of your points apply if ULS is cracked.

I would never trust any security system within Access as anyone can
download the MDB and retain it until a security breach could be found.

My comment was made in the context of assuming that bhipwell's
environment is Terminal Server. In which case it would be safe enough
as the user would never have direct access to the backend.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
 
Of course, if you were using SQL Server you could merely use the WITH
ENCRYPTION T-SQL so that they couldn't see the key for decryption


MDB is only used by cripples and retards that don't have the capacity
to learn SQL Server
 
I would never trust any security system within Access as anyone
can download the MDB and retain it until a security breach could
be found.

My comment was made in the context of assuming that bhipwell's
environment is Terminal Server. In which case it would be safe
enough as the user would never have direct access to the backend.

Huh? How could the users ever edit the back end if they didn't have
access to it? You might not tell them where it is, or you might put
it in a hidden share, but that's only security by obscurity, not
real security, and not sufficient for HIPAA purposes.
 
