Developers and HIPAA

Developers have full access to production PHI at all times.

We are a small company but have our software in over 100 large hospitals. Our developers have full read-write access to all data in the production environment from the day they start (all environments, actually). We also have unencrypted / unscrambled data in our stage and our certification environments.


Each developer has 2 domain accounts; both have full read-write access to all data, and an administrative account allows developers to perform production updates.


Least privilege is non-existent. Everyone has everything at all times.


This seems bad to me... Thoughts and options? Is there an organization I could get clarity from?




