简体繁体 English

会员提供商和HIPAA合规性

[英]Membership Providers and HIPAA Compliance

原文 2009-07-30 17:19:22 9 3 c#/ asp.net/ membership-provider/ hipaa

Does anyone know if the provided SQL and Active Directory Membership Providers in ASP.NET 2.0+ are HIPAA compliant? 有谁知道ASP.NET 2.0+中提供的SQL和Active Directory成员资格提供程序是否符合HIPAA标准？

Clarification: 澄清：

I understand that HIPAA mandates patient information be secured and that certain policies be put in place to secure access to that information. 据我所知，HIPAA要求保护患者信息，并制定某些政策以确保对该信息的访问。 Can Microsoft's SQL and AD Membership Providers be used for handling the authentication of users accessing this information? Microsoft的SQL和AD成员资格提供程序是否可用于处理访问此信息的用户的身份验证？ I expect there to be some policies that need to be established like password length and complexity but is there anything inherit about the way they store information that would invalidate them for the purposes of authorization? 我希望有一些政策需要建立，比如密码长度和复杂性，但是有没有任何关于它们存储信息的方式的继承，这些信息会使授权无效？ Any gotchas or things to look out for? 任何陷阱或事物需要注意？

3 个解决方案

It depends on what you want to do with them, but in short, yes. 这取决于你想用它们做什么，但简而言之，是的。 HIPAA is all about standards for securing your data; HIPAA是关于保护数据的标准; the standards aren't particularly harsh, so long as you have a way in place to provide for security. 只要你有办法提供安全保障，标准就不会特别苛刻。 In that way, it's a lot like ISO 9001; 就这样，它很像ISO 9001; so long as you define a security policy and stick with it, you're okay. 只要你定义一个安全策略并坚持下去，你就可以了。 The mentioned providers are effectively tools. 提到的提供者是有效的工具。

That said, you may need to do some additional things with your data to assure that it's only clearly accessible from your application; 也就是说，您可能需要对数据进行一些额外的操作，以确保只能从您的应用程序中清楚地访问它; some level of pre-encryption would probably be appropriate. 某种程度的预加密可能是合适的。 Just understand that it probably doesn't need to be HEAVY encryption; 只是明白它可能不需要重的加密; very light would do, so long as you're consistent with the application of it. 只要你与它的应用一致，它就会很轻松。

I sure hope it is;) We currently use the 2.0 Membership Provider with an ADAM LDAP at the health insurance company that I work for. 我当然希望它是;）我们目前在我工作的健康保险公司使用2.0会员提供商和ADAM LDAP。 HIPAA and PHI are the name of the game here and this set up went through our legal department. HIPAA和PHI是这里游戏的名称，这个设置通过我们的法律部门。

I'd say that out of the box, it is not HIPAA compliant. 我说开箱即用，它不符合HIPAA标准。

The way to find out would be to create a new Web Application, with just a default.aspx and maybe a login page. 找出的方法是创建一个新的Web应用程序，只需一个default.aspx，也许还有一个登录页面。 Then click the "ASP.NET Configuration" tool in the Solution Explorer toolbar to launch the configuration application (you can also do this from IIS if your site is hosted there). 然后单击解决方案资源管理器工具栏中的“ASP.NET配置”工具以启动配置应用程序（如果您的站点在那里托管，也可以从IIS执行此操作）。 Set up the defaults, choosing to use the AspNetSqlProvider for all features. 设置默认值，选择将AspNetSqlProvider用于所有功能。

This will create an ASPNETDB.MDF in your App_Data folder. 这将在App_Data文件夹中创建ASPNETDB.MDF。 Right-click it and choose "Open". 右键单击它并选择“打开”。 This will open it in Server Explorer, where you can look at all the tables that were created. 这将在Server Explorer中打开它，您可以在其中查看所有已创建的表。

You'll find that the password is stored hashed in the aspnet_Membership table, instead of as plain text. 您会发现密码存储在aspnet_Membership表中，而不是纯文本。 That's a good thing. 这是好事。 However, the email address is also stored in the clear. 但是，电子邮件地址也以明文形式存储。 If I remember my HIPAA training from four years ago, that's PII, and should at least pretend to be special. 如果我记得四年前的HIPAA培训，那就是PII，至少应该假装特别。 As it is, anyone with access to the database could find the email address of any member. 实际上，任何有权访问数据库的人都可以找到任何成员的电子邮件地址。

Edit based on update: 根据更新进行编辑：

If you're only talking about using them for authentication and authorization, I'd say you're ok. 如果您只是在谈论使用它们进行身份验证和授权，我会说您没问题。 You will need to ignore the email address. 您需要忽略该电子邮件地址。