Electronic signatures

mark r

When using ACCESS databases, tables and forms, is there a way to sort of "lock"
a table's particular record from being changed, that is, prevent someone from
changing a field in that record, once the "electronicSignatureFIELD" is
populated?

Secondly, is there a way to populate that "electronicSignatureFIELD" with a
HIPAA legally acceptable form of an electronic signature (educate me on the
options here: scanned actual signature? sound? morsecodeSymbol?).

Thirdly, my understanding is that each time the electronic signature is
applied, the user's identity has to be verified. Would you recommend some
code that opens a message box that prompts for the user's password before
the electronic signature can populate the "electronicsignatureFIELD"?

LASTLY, is there reading material I can educate myself regarding all these
issues surrounding electronic signatures for records including coding issues,
signature options (symbols, sounds, images, pads).


Thanks
 
Tom van Stiphout

On Wed, 29 Apr 2009 17:54:01 -0700, mark r

In my opinion HIPAA sensitive information does not belong in an Access
database. The security requirements typically are such that a
server-based database engine like SQL Server is a much better choice.

-Tom.
Microsoft Access MVP
 
mark r

Tom van Stiphout said:
On Wed, 29 Apr 2009 17:54:01 -0700, mark r

In my opinion HIPAA sensitive information does not belong in an Access
database. The security requirements typically are such that a
server-based database engine like SQL Server is a much better choice.

-Tom.
Microsoft Access MVP

Tom,

If this is a single user laptop system that is going to generate an EMR, why
is a server based engine required?
 
Tom van Stiphout

On Wed, 29 Apr 2009 21:01:01 -0700, mark r

I don't know what an EMR is. What I do know is that HIPAA is all about
securing patients' information. Access (better: Jet) is not a secure
(enough) database.

-Tom.
Microsoft Access MVP
 
AccessVandal via AccessMonster.com

Tom's right.

What if you lose your laptop, or what if your laptop gets hacked?

If the access database is just a sample for testing and not using real data,
it's fine.

You would want real data in SQL Server.

mark said:
In my opinion HIPAA sensitive information does not belong in an Access
database. The security requirements typically are such that a
[quoted text clipped - 22 lines]
Tom,

If this is a single user laptop system that is going to generate an EMR, why
is a server based engine required?
 
Arvin Meyer MVP

Tom van Stiphout said:
On Wed, 29 Apr 2009 21:01:01 -0700, mark r

I don't know what an EMR is. What I do know is that HIPAA is all about
securing patients' information. Access (better: Jet) is not a secure
(enough) database.

Nor is a laptop a secure enough device. If, however, the entire folder where
Access was located on the laptop was strongly encrypted with a program like
TrueCrypt, it would answer both problems, since you can build a really
strong passphrase authentication that will only allow a specific user to
even know which file is there.

While Access itself is not secure enough, TrueCrypt more than evens the
playing field with any server database.
 
mark r

Arvin Meyer MVP said:
Nor is a laptop a secure enough device. If, however, the entire folder where
Access was located on the laptop was strongly encrypted with a program like
TrueCrypt, it would answer both problems, since you can build a really
strong passphrase authentication that will only allow a specific user to
even know which file is there.

While Access itself is not secure enough, TrueCrypt more than evens the
playing field with any server database.
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com


Arvin, you are obviously the type of out of the box "can do" thinker I am looking to have answer my questions. Can you take a look at my questions so that I can actually get an answer to them? Then perhaps others with ingenuity and a "can do" attitude can help educate me.
 
mark r

mark r said:
Tom,

If this is a single user laptop system that is going to generate an EMR, why
is a server based engine required?

With all due respect, please cease cluttering up my threadline with your
opinions.
I cannot learn from opinions. You are not answering my questions either.
You are merely setting up roadblocks to learning. Telling me that I should
be using an SQL server doesn't explain to me why an SQL server is
automatically unhackable (even corporate and government mainframes which
"weigh a ton", have been hacked and ripped off, so let's get past "secure",
you don't know my application) and it also precludes coming up with
solutions such as Arvin's solution. Please remain uninvited from my thread,
so that others more interested in teaching and solving can reply.
 
mark r

AccessVandal via AccessMonster.com said:
Tom's right.

What if you lose your laptop, or what if your laptop gets hacked?

If the access database is just a sample for testing and not using real data,
it's fine.

You would want real data in SQL Server.

mark said:
In my opinion HIPAA sensitive information does not belong in an Access
database. The security requirements typically are such that a
[quoted text clipped - 22 lines]

Tom,

If this is a single user laptop system that is going to generate an EMR, why
is a server based engine required?

--
Please Rate the posting if helps you.




Are you saying that an SQL server dataset is automatically unhackable? Why wouldn't Arvin's solution to "security" using TrueCrypt settle that issue?
 
Mike Painter

I don't know what HIPPO (sic) lawyers have done lately to the beast but I
was involved in it at the start. What the GOVERNMENT said was clear,
concise, and simple. Reasonable efforts was the main focus.
It was the public sector that blew it all out of proportion.
 
Arvin Meyer MVP

Thanks for your confidence, but I don't see any other questions off-hand. As
far as this one is concerned, the posters who suggested that Access is not
as secure as SQL-Server are absolutely correct, but the real problem with
security that you will have is not the program as much as it is having the
sensitive data on a laptop. TrueCrypt is an outstanding encryption program,
but it is only as good as the conscientiousness of the users. They need to
be always aware that the data needs to stay protected. TrueCrypt is also a
free solution:

http://www.truecrypt.org/

You should also secure the login so that if the drive is, say stolen and
removed from the laptop, the database will use the Windows Login to check
users and delete the key data stored if the user is not the laptop owner.
The Windows logon username can be achieved using:

http://www.mvps.org/access/api/api0008.htm
 
mark r

Arvin Meyer MVP said:
Thanks for your confidence, but I don't see any other questions off-hand. As
far as this one is concerned, the posters who suggested that Access is not
as secure as SQL-Server are absolutely correct, but the real problem with
security that you will have is not the program as much as it is having the
sensitive data on a laptop. TrueCrypt is an outstanding encryption program,
but it is only as good as the conscientiousness of the users. They need to
be always aware that the data needs to stay protected. TrueCrypt is also a
free solution:

http://www.truecrypt.org/

You should also secure the login so that if the drive is, say stolen and
removed from the laptop, the database will use the Windows Login to check
users and delete the key data stored if the user is not the laptop owner.
The Windows logon username can be achieved using:

http://www.mvps.org/access/api/api0008.htm
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com


I am getting it now. First, let me retype the questions:

When using ACCESS databases, tables and forms, is there a way to sort of "lock"
a table's particular record from being changed, that is, prevent someone from
changing a field in that record, once the "electronicSignatureFIELD" is
populated?

Secondly, is there a way to populate that "electronicSignatureFIELD" with a
HIPAA legally acceptable form of an electronic signature (educate me on the
options here: scanned actual signature? sound? morsecodeSymbol?).

Thirdly, my understanding is that each time the electronic signature is
applied, the user's identity has to be verified. Would you recommend some
code that opens a message box that prompts for the user's password before
the electronic signature can populate the "electronicsignatureFIELD"?

LASTLY, is there reading material I can educate myself regarding all these
issues surrounding electronic signatures for records including coding issues,
signature options (symbols, sounds, images, pads).


And as a follow-on to your last post, what is this issue about SQL server vs
Access....I am tasting an argument that perhaps if a hacker is trying to read
a database through an online link, that SQL is internally encrypted and more
difficult (but not impossible to do) than Access which is maybe not encrypted
internally? Or if someone steals the laptop, they can use a word editor to
read an ACCESS Table whereas you can't do that with an SQL server (I think
NOT !! )
I think you would agree that the kinds of people stealing laptops to read
social security numbers to rip off bank accounts are not sophisticated
computer hackers looking to open the laptop and find out what type of
database is stored on it and then hack into the laptop, try to figure out
which tables and which fields contain a social security number all for a few
hundred names, etc.
 
mark r

Arvin Meyer MVP said:
Thanks for your confidence, but I don't see any other questions off-hand. As
far as this one is concerned, the posters who suggested that Access is not
as secure as SQL-Server are absolutely correct, but the real problem with
security that you will have is not the program as much as it is having the
sensitive data on a laptop. TrueCrypt is an outstanding encryption program,
but it is only as good as the conscientiousness of the users. They need to
be always aware that the data needs to stay protected. TrueCrypt is also a
free solution:

http://www.truecrypt.org/

You should also secure the login so that if the drive is, say stolen and
removed from the laptop, the database will use the Windows Login to check
users and delete the key data stored if the user is not the laptop owner.
The Windows logon username can be achieved using:

http://www.mvps.org/access/api/api0008.htm
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com


I am starting to get it. Let me first retype the original questions:

When using ACCESS databases, tables and forms, is there a way to sort of "lock"
a table's particular record from being changed, that is, prevent someone from
changing a field in that record, once the "electronicSignatureFIELD" is
populated?

Secondly, is there a way to populate that "electronicSignatureFIELD" with a
HIPAA legally acceptable form of an electronic signature (educate me on the
options here: scanned actual signature? sound? morsecodeSymbol?).

Thirdly, my understanding is that each time the electronic signature is
applied, the user's identity has to be verified. Would you recommend some
code that opens a message box that prompts for the user's password before
the electronic signature can populate the "electronicsignatureFIELD"?

LASTLY, is there reading material I can educate myself regarding all these
issues surrounding electronic signatures for records including coding issues,
signature options (symbols, sounds, images, pads).

As a follow-on to your last post, I am getting a flavor that SQL perhaps
internally encrypts whereas ACCESS doesn’t. Perhaps that is an issue if a
database is online. I think you would agree that people doing identity theft
are not going around stealing laptops to search them and discover what type
of HIDDEN FILES software DB, if any, are on it storing a few hundred records,
what tables might be holding those numbers, and then hack into them to
harvest them. What comments regarding that would you have?

Regarding TrueCrypt, WIKI posted this caveat, what says you?:
The TrueCrypt Collective License does not meet the Open Source Definition,
and thus has not been approved by the Open Source Initiative. It is
considered "non-free" by all the major GNU/Linux distributions (Debian[12],
Ubuntu[13], Fedora[14], openSUSE[15], Gentoo[16]). The Fedora project
explains[17] that
The TrueCrypt software is under an extremely poor license, which is not only
non-free, but actively dangerous to end users who agree to it, opening them
to possible legal action even if they abide by all of the licensing terms.
Fedora made extensive efforts to try to work with the TrueCrypt upstream to
fix these mistakes in their license, but was unsuccessful. Fedora Suggests:
Avoid this software entirely.
 
mark r

Mike Painter said:
I don't know what HIPPO (sic) lawyers have done lately to the beast but I
was involved in it at the start. What the GOVERNMENT said was clear,
concise, and simple. Reasonable efforts was the main focus.
It was the public sector that blew it all out of proportion.


Amen and thank you for that comment. It does all seem so intrusive. Keeping George Orwell in mind, it seems large SYSTEMS FIRMS are attempting to push out the little guy like 5 and Dime shops vs KMART and WALMART, via an electronic infrastructure that in the end may cost thousands fold more to maintain, than storing a record that documents that I was prescribed cough medicine on March 2nd. And your comment is to my point, reasonable efforts.
So again, do you have any comments on my original questions which I am
trying to learn about:

When using ACCESS databases, tables and forms, is there a way to sort of "lock"
a table's particular record from being changed, that is, prevent someone from
changing a field in that record, once the "electronicSignatureFIELD" is
populated?

Secondly, is there a way to populate that "electronicSignatureFIELD" with a
HIPAA legally acceptable form of an electronic signature (educate me on the
options here: scanned actual signature? sound? morsecodeSymbol?).

Thirdly, my understanding is that each time the electronic signature is
applied, the user's identity has to be verified. Would you recommend some
code that opens a message box that prompts for the user's password before
the electronic signature can populate the "electronicsignatureFIELD"?

LASTLY, is there reading material I can educate myself regarding all these
issues surrounding electronic signatures for records including coding issues,
signature options (symbols, sounds, images, pads).
 
Arvin Meyer MVP

Answers in line

When using ACCESS databases, tables and forms, is there a way to sort of "lock"
a table's particular record from being changed, that is, prevent someone from
changing a field in that record, once the "electronicSignatureFIELD" is
populated?

There is a User Level Security in Access which can be set to lock the tables
entirely and give no permissions. In a front-end (forms, etc.) you can then
access or lock the record using something called (WITHOWNERACCESSOPTION). A
form would run code to keep the user from editing an existing record. This
is only available with MDBs, not with the new Access 2007 format.

Secondly, is there a way to populate that "electronicSignatureFIELD" with a
HIPAA legally acceptable form of an electronic signature (educate me on the
options here: scanned actual signature? sound? morsecodeSymbol?).

I'm not sure what would be HIPAA acceptable, but you can use an actual
signature scan stored in an OLE field.

Thirdly, my understanding is that each time the electronic signature is
applied, the user's identity has to be verified. Would you recommend some
code that opens a message box that prompts for the user's password before
the electronic signature can populate the "electronicsignatureFIELD"?

There's nothing in Access that would do this. You can write something though
which uses Windows authentication to verify if the user who logged in is
indeed entitled to open the form. And you can also use User Level Security
to access the form.

LASTLY, is there reading material I can educate myself regarding all these
issues surrounding electronic signatures for records including coding issues,
signature options (symbols, sounds, images, pads).

Here's some links on Access security:

Security FAQ
http://support.microsoft.com/download/support/mslfiles/SECFAQ.EXE

Lynn Trapp's summarization:
http://www.ltcomputerdesigns.com/The10Steps.htm

KB articles:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q165009
http://download.microsoft.com/download/access97/faq1/1/win98/en-us/secfaq.exe
http://support.microsoft.com/default.aspx?kbid=325261

Joan Wild's articles:
http://www.jmwild.com/security02.htm
http://www.jmwild.com/security97.htm
http://www.jmwild.com/SecureNoLogin.htm
http://www.jmwild.com/Unsecure.htm

And as a follow-on to your last post, what is this issue about SQL server vs
Access....I am tasting an argument that perhaps if a hacker is trying to read
a database through an online link, that SQL is internally encrypted and more
difficult (but not impossible to do) than Access which is maybe not encrypted
internally? Or if someone steals the laptop, they can use a word editor to
read an ACCESS Table whereas you can't do that with an SQL server (I think
NOT !! )
I think you would agree that the kinds of people stealing laptops to read
social security numbers to rip off bank accounts are not sophisticated
computer hackers looking to open the laptop and find out what type of
database is stored on it and then hack into the laptop, try to figure out
which tables and which fields contain a social security number all for a few
hundred names, etc.

Most laptops are stolen for sale as a laptop, not for data. Still to be safe
use an encrypted volume. TrueCrypt will be more secure than SQL-Server at
protecting anything on the hard drive. 256 bit AES with a strong password is
more than safe for 99.999% of the most sophisticated hackers there are.
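
An added example (not part of the post above and not code from any of the linked sites) of the kind of form code the answer describes: it makes a record read-only once its signature field is populated, and stamps the signature only after checking the Windows logon name. The control and field names (txtSignature, cmdSign, SignedOn, SignerLogin) are assumptions.

```vba
' Added example. Code-behind for a hypothetical form bound to a table with
' fields ElectronicSignature, SignedOn and SignerLogin (all assumed names);
' txtSignature is a text box bound to ElectronicSignature.
Option Compare Database
Option Explicit

' Win32 call returning the Windows logon name (32-bit declaration, MDB era).
Private Declare Function apiGetUserName Lib "advapi32.dll" _
    Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long

Private Function OSUserName() As String
    Dim buf As String, n As Long
    n = 255
    buf = String$(n, vbNullChar)
    ' On success n is the length including the terminating null.
    If apiGetUserName(buf, n) <> 0 Then OSUserName = Left$(buf, n - 1)
End Function

Private Function IsSigned() As Boolean
    IsSigned = Len(Nz(Me!txtSignature, "")) > 0
End Function

' Fires on every record move: a signed record opens read-only.
Private Sub Form_Current()
    Dim signedRecord As Boolean
    signedRecord = (Not Me.NewRecord) And IsSigned()
    Me.AllowEdits = Not signedRecord
    Me.AllowDeletions = Not signedRecord
End Sub

' Second guard: refuse any save where the stored signature was already set.
Private Sub Form_BeforeUpdate(Cancel As Integer)
    If Len(Nz(Me!txtSignature.OldValue, "")) > 0 Then
        Cancel = True
        Me.Undo
        MsgBox "This record is signed and cannot be changed.", vbExclamation
    End If
End Sub

Private Sub cmdSign_Click()
    Dim who As String
    If IsSigned() Then Exit Sub
    If Me.Dirty Then Me.Dirty = False        ' save pending edits first
    who = OSUserName()
    ' Only the Windows user named in SignerLogin may sign this record.
    If Len(who) = 0 Or StrComp(who, Nz(Me!SignerLogin, ""), vbTextCompare) <> 0 Then
        MsgBox "The current Windows user may not sign this record.", vbExclamation
        Exit Sub
    End If
    Me!txtSignature = who
    Me!SignedOn = Now()
    Me.Dirty = False                         ' commit the signature
    Form_Current                             ' re-apply the lock
End Sub
```

This guards edits made through the form only; the table stays writable to anyone who opens it directly, which is what the User Level Security step in the answer above addresses.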
 
Arvin Meyer MVP

Regarding TrueCrypt, WIKI posted this caveat, what says you?:
The TrueCrypt Collective License does not meet the Open Source Definition,
and thus has not been approved by the Open Source Initiative. It is
considered "non-free" by all the major GNU/Linux distributions (Debian[12],
Ubuntu[13], Fedora[14], openSUSE[15], Gentoo[16]). The Fedora project
explains[17] that
The TrueCrypt software is under an extremely poor license, which is not only
non-free, but actively dangerous to end users who agree to it, opening them
to possible legal action even if they abide by all of the licensing terms.
Fedora made extensive efforts to try to work with the TrueCrypt upstream to
fix these mistakes in their license, but was unsuccessful. Fedora Suggests:
Avoid this software entirely.

First of all, all those distributions are Linux. You are working in Windows.
The TrueCrypt website calls itself free open-source software. Now I'd
believe an author's site before I would some wiki waki. Your mileage may
vary.

TrueCrypt is one of the better free encryption apps, but there are others.
Pick one you feel comfortable with.
 
