Question

To safeguard the privacy of medical information, the Federal Health Insurance Portability and Accountability Act (HIPAA) requires certain measures to be take to ensure the privacy of patient information. Suppose an insurance company holds such information on its insureds: all the records are encrypted and held in a database running on a dedicated server. When someone (a company employee, or an insured via a web interface) asks to see a record, that information is retrieved from the database server, decrypted, and sent to the requester. Describe parts of this information flow that would be susceptible to leaking protected information.

Answer 1

Below are various points that are susceptible to leaking protected information:

1. If an Employee is not correctly validated, someone else's information may be sent to that employee. Steps should be taken to validate the emplooyee.

2. The password if not stored as encrypted may be received in decrypted format along with other records. Steps should be taken to share only minimum required information to the employee/other entity.

3. OE2 Auth protocol to enable security of webservices should be incorporated. There are several document available on the web to incorporate this protocol.

4. Onlly minimum required information and limited amount of records should be limited to shared to insurance entities which is enough for his requirement.

5. Insurance and employees should be validated deeply to ensure that intent of the entities are only to receive information and not comporomise the information.