tags:

views:

38

answers:

1
+2  Q: 

Maintaining HIPAA Compliance Using Views in MySQL

The Problem

We have a large web application that stores and displays sensitive HIPAA-related data. We're currently researching ways to improve HIPAA compliance and reduce the risk of having a violation.

Currently, there are several features and reports that do not correctly restrict client information based on the permissions of the person who's logged in (e.g. the client search capability and certain legacy reports).

Possible Solutions

Take care of the problem from a programatic perspective

We could always just rewrite the sections of the code that are causing the non-compliance. The trouble is, this approach is highly error prone given the scale of the application - stuff could get missed.

Altering the Database to Restrict the data that gets returned

We could alter the MySQL database structure to reflect the necessary permission restrictions needed in the application. That way, no one can see data they shouldn't because the database won't return data they shouldn't see.

My Question

The application itself has nearly 300 tables, most of which store some sort of sensitive data. Is it possible (and feasible) to use MySQL views to restrict data access?

If so, what's the best approach?

+1  A: 

You can utilize a view to restrict or present any data you wish simply by tweaking the query utilized in the view.

You will need to rename the original table, to something like "original table", then name your view the name of the original table.

Your program will not know or care that it is now accessing a view rather than a table. It will continue to pull data as before. YYou can also include blank or default values for fields you do not wish to return actual values for. As an example (if you have a field "DOB" and you no longer wish to return the birth date you can simply write '01-01-2001' as DOB).

You can use the examples from MYSQL's website on how to create a view.

CREATE TABLE t (qty INT, price INT);
mysql> INSERT INTO t VALUES(3, 50);
mysql> CREATE VIEW v AS SELECT qty, price, qty*price AS value FROM t;
mysql> SELECT * FROM v;

http://dev.mysql.com/doc/refman/5.0/en/create-view.html

Michael Eakins  2010-09-29 16:27:04

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL