And on that note, you see a lot less (though not zero) breaches of healthcare data and most HIPAA violations are due to analog errors rather than digital exposure.

The government does a good job in this area forgiving innocuous violations, as long as all parties disclose it immediately and follow procedure.

I just spent som time going through this.

The relevant rfc and drafts perhaps? https://tools.ietf.org/wg/oauth/

Also checkout OWASP https://www.owasp.org/

If your implementing openid connect, use a certified lib https://openid.net/developers/certified/

Look into authorization as well as authentication.

Dex by coreos, Open Policy Agent, Kubernetes docs & code are all good examples, lots of frameworks have docs / code.

Hi. I've worked in medical software repeatedly. I totally want to deal with HIPAA. It's a good idea for clients (the people who actually matter) and it's not nearly as difficult a prospect to work with as people say. The set of demands it makes upon you are small and reasonably constrained and are nearly all process-based rather than technical. Where it is technical, plenty of folks will sign a BAA for you to take big chunks of the technical stack off your hands, too.

"But HIPAA" has never, in my experience, been employed except by people who find the idea of doing the right thing inconvenient or inconveniently expensive. (It is virtually never that hard and its benefits are clear.)

There are reasons for not modernizing tech stacks in the medical space. HIPAA is, in every case I've ever observed, not a meaningful one.

> It seems pretty clear to me that anyone suggesting that software bugs in applications that have no risk of causing physical harm should have criminal liability has no idea what they are talking about and what damage such a law would cause.

So you're fine with financial losses, loss of privacy, and the material harm that goes along with both? Disregarding the impact that data breaches imply is just naive.

> Case in point look at the quality of medical software today. Hospitals still use windows xp and other completely insecure and outdated software. Because absolutely nobody wants to deal with the nightmare that is HIPAA.

I wrote medical device software for more than a decade. HIPAA has nothing to do with it. Many systems run on outdated platforms because the cost of replacing them is deemed to outweigh the benefits. That determination is debatable on a case by case basis, but in practice we see a hell of a lot more damage being caused by breaches of companies running on modern technology than we do e.g. hospital systems or LIMS.

HIPAA only carries criminal penalties when someone knowingly discloses covered information - not a software bug. Until the bug is identified at least. For the most part HIPAA is enforced with civil penalties.

And your "nightmare" scenario of (civil) liability flowing from programming bugs already exists in the investment world and it hasn't come apart at the seams. Google Axa Rosenberg. A coding error in their trading algorithm went undiscovered for two years. Negligent for sure, but not why the SEC went after them. The problem was they didn't promptly disclose the error to investors and they didn't promptly correct it. Algorithmic trading firms should have mechanisms to catch errors, correct errors, and disclose those errors to investors. And after seeing Axa Rosenberg's $250 million fine and Rosenberg's lifetime ban from the industry guess what they all implemented?