[SUMMARY] HIPAA compliance for a DU platform

From: Susan Rodriguez <SUSROD_at_HBSI.COM>
Date: Wed, 29 Apr 1998 14:09:46 -0700

DU Managers,

Thanks to K.M. Peterson and Sudhir Rao for their responses.

Since there are no know viruses for the Digital Unix platform, no one
has invented a way to prevent them.

It also seems very unlikely that an "oracle" virus could ever be loaded
into our databases, since our data submissions are sliced, diced, and
scrutinized as raw data before being imported. And in the event that
"malicious" data made it past our internal processes, it would still
come up against the oracle loader.

How we will deal with a certification requirement that does not really
apply to us is yet to be seen.

If I come across anything more, I will post-summarize.

Thanks again,

susrod_at_hbsi.com


Responses below:

************************************************************************
*********

Hi,

Susan Rodriguez wrote:

> I expect to hear people say that virus scanning is not even a reality
> for the DU platform. If this is the case, how do I deal with the
> requirement from HIPAA? Anyone gone through an industry-standard
> certification like this who can give some sage advice? Anyone dealt
> with HIPAA before?
>

I believe your expectations will be fulfilled.

This is, as far as I know, nonsensical for your installation. As long
as
there is a "firewall" between executable programming on your system and
your
data (which is a good bet, given your description of the process), the
general idea of "virus scanning" is invalid.

However: the closest thing that I can think of, and what might be a good
idea, is to run tripwire. I found a version at:

ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/ .

There are "enterprise" virus scanning tools becoming available; if
you're
hosting CIFS or some other PC filesystem on your alphas (even though
completely unrelated to your databases), they would probably "see" those
spaces as well.

Good Luck!

_KMP

--
K. M. Peterson                                  voice: +1 617 258 0927
<mailto:KMP_at_WI.MIT.EDU>            <http://www-genome.wi.mit.edu/~kmp>
Whitehead Institute/MIT Center for Genome Research
320 Charles Street - Cambridge, MA  02141-2023    fax: +1 617 258 0903
**************************************************************
Hi!
Due to the nature of  UNIX or DUNIX virus's do not exist. Thus there are
no anti viruses on Unix. Virus is more a very "Broad" term used for
programs or users that perform distructive prodecures. 
If a virus exists in Ur data that data will not be loaded into Oracle, 
as the Oracle Loader will reject the row. Oracle  Loader is very specfic
about the type of data it can load. The Control file  defines the data
type. Data that doesn't match that definition will be rejected. 
In order to comply with the HIPPA requirement U will have to scan for
Virus 
data source and not at data destination. Assuming that virus do not exit
on UNIX, U can argue that if checked at source virus will not exits on
the
Destination machine ie UNIX
Hope this helps
SUdhir
On Tue, 28 Apr 1998, Susan Rodriguez wrote:
> DU Managers,
> 
> In order for my systems to become HIPAA compliant (Healthcare
Insurance
> Portability & Accountability Act) I am supposed to do "virus scanning"
> for my data.  My data comes in raw (ascii dumps, etc), churns through
an
> internal procedure, and eventually becomes part of an oracle database.
> I have DU3.2G & 4.0D systems as well as Oracle 7.3.4 and 7.3.2.3.
> 
> I would like to hear from anyone who has dealt with this sort of
thing.
> Is there anything out there that qualifies as "virus scanning"
software
> for my platform.  Better yet, ARE there viruses that affect DU3/4?  I
am
> logging a call with DEC about this, but would also appreciate pointers
> anyone out there has.
> 
> I expect to hear people say that virus scanning is not even a reality
> for the DU platform.  If this is the case, how do I deal with the
> requirement from HIPAA?  Anyone gone through an industry-standard
> certification like this who can give some sage advice?  Anyone dealt
> with HIPAA before?
> 
> TIA
> 
> susrod_at_hbsi.com
> 

Received on Wed Apr 29 1998 - 23:07:37 NZST