Problem
We have a large web application that stores and displays sensitive data related to HIPAA. We are currently exploring ways to improve HIPAA compliance and reduce the risk of disruption.
Currently, there are several functions and reports that do not correctly limit information about the client based on the permissions of the person who registered (for example, the ability to search for clients and some outdated reports).
Possible solutions
Take care of the problem programmatically
We can always simply rewrite sections of code that cause non-compliance. The problem is that this approach is highly error prone, given the scale of the application — material may be skipped.
Modifying the database to limit returned data
We could change the structure of the MySQL database to display the necessary permissions needed in the application. Thus, no one can see data that they should not, because the database will not return data that they should not see.
My question
There are about 300 tables in the application itself, most of which store some kind of confidential data. Is it possible (and possible) to use MySQL views to restrict access to data?
If so, what is the best approach?
source
share