[Baypiggies] HIPAA, Django and security?

Aahz aahz at pythoncraft.com
Fri Mar 13 15:37:03 CET 2009

On Thu, Mar 12, 2009, Glen Jarvis wrote:
> The customer wants to take this software in a more public arena. He has
> to get HIPAA approval. The data is stored in a MySQL database and the
> standard Django User Authentication model is used (out of the box with no
> changes). Since security is a concern for the customer, I wanted to find
> all information from HIPAA regarding the Django User
> Authentication/Sessions security model. I expected to see documents that
> they have approved this model in the past. But, I'm getting caught in all
> types of minutia and can't seem to find information directly relating to
> HIPAA's criteria for web security and Django User Authentication.

Based on my minimal past experience about looking into getting a web
application authorized for HIPAA use, I doubt you'll find anything
specific about Django (unless you ask on the Django mailing list about
people's experience with HIPAA).  HIPAA is more about specifying
end-point goals, which you then need to translate yourself (or hire a
HIPAA expert to do for you in the context of your application).

You may find it easier to look at PCI/DSS (the credit card security
standard) as a starting point; there are paid services that will certify
you for PCI/DSS based on a combination of network probing and survey
questions.  HIPAA is stricter, but this should get you moving in the
right direction; if you can't pass PCI/DSS, you certainly can't pass a
HIPAA audit.

Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

"All problems in computer science can be solved by another level of
indirection."  --Butler Lampson
