Using social security numbers for authorizing access |
 |
EXPERT RESPONSE FROM: Kevin Beaver
|
|
|
|
| > |
QUESTION POSED ON: 05 March 2003
I am a senior security analyst in a large health care software company. I have a user that was using FTP to connect to a client, server to server. The client requested the user's social security number in order to allow access. This was because (the client said) of HIPAA (and RACF Mainframe Security)restriction. Any thoughts on this scenario?
|
|
| > |
If I understand your question correctly, I'm not aware of any HIPAA
mandate that states a social security number must be used for client
access. If anything, HIPAA mandates protecting SSNs and requires the
minimum amount of protected health information necessary to get the job
done. This can be used, but if it is determined during a risk assessment
that threats or vulnerabilities exist in transmitting a SSN (or any
confidential info) across a FTP, or any data communications, session,
then certain systems must be in place to protect that information (i.e.
encryption, authentication, etc.).
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Health Care/Health Services Security
Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA
Ask the Expert: HIPAA compliance for company building health care application
|
|
|
|
|
|
|
|
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
|
|
|
|
|
|
|
|
|
|
|
