
Re: Oracle NULL vs '' revisited

From: DA Morgan <damorgan_at_psoug.org>
Date: Wed, 22 Aug 2007 09:06:17 -0700
Message-ID: <1187798775.906918@bubbleator.drizzle.com>


euan.garden_at_gmail.com wrote:

>> And I posted the link to Microsoft's own docs where they say that this
>> isn't true. So who's correct? You or Microsoft?

>
> Hmmm, you posted 2 links, one was a write up by an MVP (from 6 years
> ago) which documented that C2 in SQL Server 2000 would tell you who
> made a change (update) but not what the change was. The second link you
> sent was to the C2 summary, in that doc it lists the following;
>
> "...End User Activity (for example, all SQL commands, logins, and
> logouts).."
>
> Which I think is the bucket that selects are going to come under, I
> agree we could have made this clearer but the doc was not written with
> HIPAA's more exacting/different requirements in mind. Given that C2 has
> been superseded as a std and SQL Server is currently undergoing common
> criteria certification I don't think there is much chance of getting
> the page updated.
>
> Now trace was not that well documented in SQL 6.5/7/2000 so I am going
> to reference SQL2005 docs, most of what I reference also applies on
> older versions. Here is the list of events that can be audited by
> trace in 2005;
>
> http://msdn2.microsoft.com/en-us/library/ms175481.aspx
>
> To save time, here is the category of events that include all sql
> statements, hence would include select statements;
>
> http://msdn2.microsoft.com/en-us/library/ms177488.aspx
>
>> Perhaps the problem here is that you don't understand what HIPAA means
>> with respect to auditing SELECT statements. It isn't who issued it. That
>> is not the issue. It is which records, with which specific values, were
>> returned to which users?

>
> Ah ok now that makes sense, as I said I am no HIPAA expert so I was
> not aware of that requirement.
>
>> If you believe otherwise then please provide a link to the doc that
>> demonstrates that this capability exists in any database product other
>> than Oracle.

>
> I'm not aware of it existing in SQL Server at this time, I'm not going
> to comment on other DBs as I don't know them.
>
> However I have another question about HIPAA at this point, I thought
> that HIPAA was an end to end requirement, which means while Oracle
> makes this possible on the back end through built in features (I
> presume this is done through versioning somehow? How long is the audit
> trail kept btw) if the app tier does something that's not auditable
> then from a compliance perspective it's a bust?
>
> -Euan

That is the statement ... but not what was returned. The statement, itself, in the context of HIPAA is meaningless because the data changes. A month later, during an audit, it is impossible to tell if 0, 1, or 1000 records were returned and which ones.

It may make a marketer happy to claim it as auditing but it does not comply with the law being discussed.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Wed Aug 22 2007 - 11:06:17 CDT
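
The reply's point about statement-only auditing, shown as an added example that is not part of the original thread and is not how Oracle or SQL Server implement auditing. SQLite stands in for the database, and the tables `patients`, `audit_stmt`, `audit_rows` and the user `nurse1` are constructed for illustration.

```python
import json
import sqlite3

QUERY = "SELECT id, name, diagnosis FROM patients WHERE diagnosis = ?"

def build_db():
    # Constructed sample data; all table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    db.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                   [(1, "Ann", "flu"), (2, "Bob", "asthma"), (3, "Cy", "flu")])
    db.execute("CREATE TABLE audit_stmt (who TEXT, sql TEXT, params TEXT)")
    db.execute("CREATE TABLE audit_rows (who TEXT, row_id INTEGER, row_values TEXT)")
    return db

def audited_select(db, who, sql, params):
    # Run the query, then write both audit styles side by side.
    rows = db.execute(sql, params).fetchall()
    # Statement-level audit: who ran what, nothing about the result set.
    db.execute("INSERT INTO audit_stmt VALUES (?, ?, ?)", (who, sql, json.dumps(params)))
    # Row-level audit: the exact rows and values handed to this user.
    db.executemany("INSERT INTO audit_rows VALUES (?, ?, ?)",
                   [(who, r[0], json.dumps(r)) for r in rows])
    return rows

def replay_statement_audit(db, who):
    # All an auditor can do with the statement log: re-run it on today's data.
    logged = db.execute("SELECT sql, params FROM audit_stmt WHERE who = ?", (who,)).fetchall()
    return [row for sql, params in logged for row in db.execute(sql, json.loads(params))]

def rows_disclosed(db, who):
    # What the row-level trail says was actually returned at query time.
    cur = db.execute("SELECT row_values FROM audit_rows WHERE who = ? ORDER BY row_id", (who,))
    return [tuple(json.loads(v)) for (v,) in cur]

def demo():
    db = build_db()
    seen = audited_select(db, "nurse1", QUERY, ("flu",))
    # The data changes between the query and the audit.
    db.execute("DELETE FROM patients WHERE id = 1")
    db.execute("UPDATE patients SET diagnosis = 'flu' WHERE id = 2")
    return seen, replay_statement_audit(db, "nurse1"), rows_disclosed(db, "nurse1")

if __name__ == "__main__":
    seen, replayed, recorded = demo()
    print("returned at query time:", seen)
    print("statement log replayed:", replayed)
    print("row-level audit trail: ", recorded)
```

The row-level trail holds copies of the protected values, so it needs the same access controls as the source table.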
