Databases Reference
In-Depth Information
rity, secure transfer through cryptography, key management, and secure
storage. All of these requirements map intuitively to elements within the
database and topics that you have seen in previous chapters.
11.2.1
Use “reverse mappings”
Because of the complexities of these regulations, because they often deal
with a wide array of topics that address broader issues than just the techni-
cal ones, and because the language used within these regulations leaves a
lot to interpretation, it is often easier and more efficient to do a “reverse
mapping.” In a reverse mapping exercise you start out with a list of secu-
rity and auditing provisions that you have implemented, are implement-
ing, or plan to implement, and that hopefully include the various topics
discussed in Chapters 1 through 10. You then check off items in the regu-
lations that these security best practices cover. Couple that with auditing
implementations based on Chapters 12 and 13, and you get a reverse map-
ping that normally addresses most of the requirements in terms of the
database infrastructure.
The nice thing with a reverse mapping approach is the ease with which
it satisfies a lot of these regulations. Some HIPAA examples include the
following:
You implement user-based and role-based privileges in your database
and you might also have some context-related mechanisms, that help
you identify the end user (in addition to the database user) such as
those seen in Chapter 6.
Such definitions map well to the security
rule in section 142.308, which defines access controls as methods of
controlling and restricting access to prevent unauthorized access to
information. The rule states that CEs must provide one of three
access controls: user-based, role-based, or context-based.
The minimum requirement for privacy is that role-based access
requires policies and procedures that identify the person or class of
person within the CE that needs access to the protected health infor-
mation. This maps well to your authentication scheme and identifica-
tion mechanisms discussed in Chapters 4 and 6.
Audit trails are required and defined as “the data collected and poten-
tially used in a security audit,” and audit controls are defined as
“mechanisms employed to examine and record system activity.”
Search WWH ::
Custom Search