Rich Freeman on 26 Oct 2014 11:49:20 -0700


Re: [PLUG] Spark Core (corrected)

On Sun, Oct 26, 2014 at 2:27 PM, Keith C. Perry
<> wrote:
> Good point there Rich.  I would add that the health IT / medical IT space is
> more conscious as well.  One of things I had to do as result of HIPAA
> regulations was to write security statements.
> ...
> I can't say I've ever been asked to verify.

That's the rub.  Speaking as somebody who works in the health IT
industry, I've seen lots of statements on RFPs asking companies to
certify that their software encrypts data/etc, but rarely any real
follow-up/verification.  If they say it is encrypted, then it must be.
Maybe somebody will look in the database and note that a field isn't
human-readable, but they won't ask questions like "if I can't read it,
how can the software, and what are the implications of how it does it"
(hint, if you didn't have to install an HSM, that encrypted data is
only as secure as the drive the key is sitting on).  Companies love to
have documents that say things like "your digital signature is not
repudiable" without realizing what that actually means (hint, saying
it or agreeing to it doesn't make it so).

> I call that "the buck stop there" syndrome  :)

Getting back to your earlier email, I think this is a BIG driver for

You can say with a straight face that you don't hire illegal aliens or
commit fraud, while getting many of the cost benefits of doing those
sorts of things because you hand off your work without looking too
closely at those you hand it off to.  Of course, you do insist that
they sign a contract saying that they're completely above-board.

Outsourcing overseas often is more of the same, except that even the
laws are often more lax, letting you get away with still more...

Philadelphia Linux Users Group