Developers and HIPAA

Developers have full access to production PHI at all times.

We are a small company but have our software in over 100 large hospitals. Our developers have full read-write access to all data in the production environment from the day they start (all environments, actually). We also have unencrypted / unscrambled data in our stage and our certification environments.

Each developer has 2 domain accounts; both have full read-write access to all data, and the administrative account allows developers to perform production updates.


Least privilege is non-existent. Everyone has everything at all times.


This, to me, seems bad... Thoughts and options? Is there an organization I could get clarity from?


Thanks,

Question No. 122