When Authorization Is Not A Technical Problem

Wednesday, September 1, 2004
Designing an authentication and authorization scheme for a non-trivial web application is, in most cases, non-trivial. You need to minimize risks and always err on the safe side, while giving customers usable software. .NET provides useful mechanisms to implement a security design, including impersonation, delegation, role-based authorization, and a choice of authentication options. The technical part is sometimes the easy part.

Designing an authentication and authorization scheme for software in the healthcare market means sitting down with people and understanding their interpretations of the sticky pit of legal and regulatory goo they live in. Everyone has a different opinion about the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). One of the objectives of HIPAA was to guarantee the security and privacy of health information. The effectiveness of HIPAA on the privacy of a health record is debatable, but it has certainly been a boon to consultants and companies offering to bring a healthcare organization into compliance. Some places want software to audit every user move; others just want to disable USB ports so nobody walks out of the place with patient records on a jump drive.

I’m all for privacy, but I do find it frustrating from a professional angle when trying to sort out what people want and what the ‘right thing’ is. It’s also sadly amusing to watch what happens when legislation and regulatory agencies collide.

For example, the Occupational Safety and Health Administration (OSHA) requires employers to keep a list of injury and illness reports with employee names, and to make the list available to employers, former employers, and employee representatives (like the AFL-CIO, a labor organization covering many industries). HIPAA leans towards hiding names; OSHA wants names on the logs. So what do you do? One solution is to ask for a clarification from the Director of the Directorate of Evaluation and Analysis at OSHA (via hippablog). Titles like these make me wonder who the libertarian candidate is this year…


Comments
Jeremy Brayton Wednesday, September 1, 2004
I feel your pain. I deal with the insurance industry. I consider us basically a reseller of insurance, though I think the technical term is an insurance agency. We use a CRM app called SalesLogix which I can tweak in the form of customizations. The customizations I've made for insurance have lax standards because there are no standards in the insurance industry. What one company calls one thing, another calls something different. The only thing the same between companies is personal information, so I have a fun time trying to make systems to make my co-workers' jobs easier.

What's funny is these insurance carriers use hand-written forms for enrollment. Every person that is enrolled is most likely entered into an electronic database, so wouldn't it make more sense to have an electronic form of some kind? Not to these people. I guess they're still living in 1960 where the PC is the size of a house and you absolutely must write everything out. No wonder they charge outrageous prices for their crap, because they're spending so much wasted money on useless technology. It's rather pathetic.

I think both industries could use an industrial revolution, but one that takes them in the right direction. Medical records are trying to find that "middle ground" where you don't keep too much information, but just the right information gets to the right person. I think it'll fluctuate until it finds that happy medium. The insurance industry will probably never come close or even attempt standardizations.
Comments are now closed.
by K. Scott Allen