Security concerns...

  • transpar3nt

    Security concerns...

    Hello all, first time poster, long time reader. I have been studying
    PHP and web development for a while now but have never taken on a paid
    project with it until now. I have been asked by a dermatology clinic
    to redesign their website with a portion that allows the patient to
    create an account with the site and enter their personal information
    so it is ready for the doctors to access when the patient arrives for
    a check up.

    My concern is that this requires some pretty sensitive information
    being submitted and stored in our database. We plan to use SSL for
    that whole segment of the site and MD5'd passwords and salted
    encryption for the data, but I was wondering if you guys had any
    suggestions on how I may take security to the next level with the
    resources at hand (PHP/MySQL back-end, Network Solutions is the host).
    Speaking of NS, the doctors asked that I cut cost as best I can and NS
    has a free shared SSL cert. available that would just use a different
    URL (under their fixed IP domain).. would that be a viable low-cost
    solution or is there a security concern with a shared certificate?

    My last question is about PDF. When the customer enters their patient
    history, etc. into the site the doctors would like it to generate a
    PDF file with all their info so all the patient has to do is print it
    out and bring it in all nice and pretty. I know full well how to pull
    that off with ColdFusion, but I was hoping there would be an easy
    solution with PHP to do the same thing. All I can find so far is very
    in-depth and complex work-arounds.

    Thanks for any help that you may provide!!!

    - Keith
    casperghosty at gmail , com
  • Captain Paralytic

    #2
    Re: Security concerns...

    On 22 Sep, 08:23, transpar3nt <caspergho...@gmail.com> wrote:
    > Hello all, first time poster, long time reader. I have been studying
    > PHP and web development for a while now but have never taken on a paid
    > project with it until now. I have been asked by a dermatology clinic
    > to redesign their website with a portion that allows the patient to
    > create an account with the site and enter their personal information
    > so it is ready for the doctors to access when the patient arrives for
    > a check up.
    >
    > My concern is that this requires some pretty sensitive information
    > being submitted and stored in our database. We plan to use SSL for
    > that whole segment of the site and MD5'd passwords and salted
    > encryption for the data, but I was wondering if you guys had any
    > suggestions on how I may take security to the next level with the
    > resources at hand (PHP/MySQL back-end, Network Solutions is the host).

    It depends what you consider to be the next level. I tend to build
    this sort of stuff within a secure CMS.

    > Speaking of NS, the doctors asked that I cut cost as best I can and NS
    > has a free shared SSL cert. available that would just use a different
    > URL (under their fixed IP domain).. would that be a viable low-cost
    > solution or is there a security concern with a shared certificate?
    >
    > My last question is about PDF. When the customer enters their patient
    > history, etc. into the site the doctors would like it to generate a
    > PDF file with all their info so all the patient has to do is print it
    > out and bring it in all nice and pretty. I know full well how to pull
    > that off with ColdFusion, but I was hoping there would be an easy
    > solution with PHP to do the same thing. All I can find so far is very
    > in-depth and complex work-arounds.

    FPDF makes this easy. Couple this with HTML2PDF and it gets even
    easier.


    • Sjoerd

      #3
      Re: Security concerns...

      transpar3nt wrote:
      > My last question is about PDF. When the customer enters their patient
      > history, etc. into the site the doctors would like it to generate a PDF
      > file with all their info so all the patient has to do is print it out
      > and bring it in all nice and pretty.

      This can be done with fpdf, which can produce PDFs. You typically program
      this like: select this font, put this text there, etc.
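Both replies above (#2 and #3) point at FPDF. The following is an added example, not code from the thread or from the FPDF project: it lays out the patient's submitted fields with FPDF 1.8 (font, cell, multi-cell), keeps the document in memory, and streams it to the logged-in patient with headers that keep the file out of proxy and browser caches. The library path, the `$record` array and its field names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread or from the FPDF project. Renders a
// patient's submitted intake fields as a PDF with FPDF 1.8+ (http://www.fpdf.org)
// and streams it to the patient who is logged in. Assumes fpdf.php is installed
// outside the web root at the path below, and that the caller has already
// authenticated the patient and loaded only that patient's own record; the
// $record array and its field names are constructed for illustration.
require_once '/srv/app/lib/fpdf/fpdf.php';

// FPDF's core fonts are single-byte (Windows-1252). Drop control characters and
// transliterate, so odd input cannot break the layout. FPDF itself escapes the
// PDF string delimiters ( ) and \, so that part needs no handling here.
function toLatin1(string $s): string {
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s);
    $out = iconv('UTF-8', 'windows-1252//TRANSLIT', $s);
    return $out === false ? '' : $out;
}

// Build the document in memory and return its bytes: nothing is written to disk,
// so there is no file under the web root whose name someone else could guess.
function buildIntakePdf(array $record): string {
    $pdf = new FPDF('P', 'mm', 'A4');
    $pdf->SetTitle('Patient intake summary');
    $pdf->AddPage();
    $pdf->SetFont('Helvetica', 'B', 16);
    $pdf->Cell(0, 10, 'Patient intake summary', 0, 1);   // full-width cell, then new line
    $pdf->Ln(4);
    foreach ($record as $label => $value) {
        $pdf->SetFont('Helvetica', 'B', 11);
        $pdf->Cell(45, 7, toLatin1($label) . ':', 0, 0);  // label column, stay on the line
        $pdf->SetFont('Helvetica', '', 11);
        $pdf->MultiCell(0, 7, toLatin1((string) $value)); // wraps, then moves to next line
    }
    return $pdf->Output('S');                             // 'S' = return as string (FPDF 1.8+)
}

// Constructed sample input; on the live site this comes from the authenticated
// patient's own database row, never from a request parameter naming another patient.
$record = [
    'Name'            => 'Jane Example',
    'Date of birth'   => '1970-01-01',
    'Allergies'       => 'Penicillin',
    'Current history' => "Rash on both forearms for two weeks.\nNo fever.",
];

$bytes = buildIntakePdf($record);
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="intake-summary.pdf"');
header('Cache-Control: no-store');        // keep the PHI out of browser and proxy caches
header('Content-Length: ' . strlen($bytes));
echo $bytes;
```

Two points matter more than the layout calls: the PDF is never saved under the web root (a saved file is fetchable by anyone who learns its name, with no login in the way), and the record is selected by the session's own patient id rather than by an id the browser supplies, so one patient cannot print another's history by editing a URL.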


      • Jerry Stuckle

        #4
        Re: Security concerns...

        transpar3nt wrote:
        > [Keith's original post, quoted in full; snipped]

        Keith,

        If you're in the U.S., you are correct to be worried about security.
        Before starting on anything dealing with the medical profession, you
        need to research HIPAA regulations and ensure you follow them.

        And BTW - I would never collect any of this information on anything but
        an in-house host. You need physical security of the host, also.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • r0g

          #5
          Re: Security concerns...

          transpar3nt wrote:
          > [Keith's original post, quoted in full; snipped]

          Hi Keith,

          I'd recommend you separate the user side and the admin side as much as
          possible. Create separate DB users for your client facing pages and your
          admin pages and lock down the permissions, maybe make the sensitive data
          table write only to the client facing user.

          Also you can have the admin pages accessed from a different domain name
          with HTTP Auth and your own authorization scheme, maybe tied to IP if
          you want to get really serious. If it's not too inconvenient for your
          client you could also put all your admin pages outside the webroot and
          have them access them via SSH.

          Naturally make sure to protect your scripts from XSS and SQL injection.

          If you want to demonstrate due diligence it might be a good idea to
          write a test script that tries to access critical files / folders /
          scripts, maybe including a few of the more common tricks and run it
          every time you make mods to the site just to make sure you haven't
          broken any security / opened any holes.

          Lastly if it's very critical stuff consider not keeping it on the server
          at all. You could come up with a scheme where you have their details on
          file and they just use a username/patient number on the website.
          Alternatively you can encrypt sensitive data with GPG and e-mail it to
          the surgery. With the right Thunderbird plugin the encryption would be
          transparent to them.

          Hope some of this helps :-)

          Roger.
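The database split Roger describes (a client-facing account that can write the sensitive table but not read it, a separate account for the clinic pages, everything behind prepared statements, and a check you can re-run after every change) is shown below as an added example. It is not code from the thread; it needs PHP 8 with PDO_MySQL, and the database, table, column and account names (`clinic`, `accounts`, `intake`, `intake_web`, `intake_clinic`) are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. It implements the split Roger
// describes: the patient-facing pages connect as a MySQL account that can
// INSERT intake records but never read them back, the clinic-facing pages
// connect as a read-only account, and every user-supplied value reaches the
// database through a placeholder. Requires PHP 8 and PDO_MySQL; the database,
// table, column and account names are assumptions chosen for illustration.

const DSN = 'mysql:host=127.0.0.1;dbname=clinic;charset=utf8mb4';

function connect(string $user, string $password): PDO {
    return new PDO(DSN, $user, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never fall through
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares: data stays data
    ]);
}

// Run once by the database owner, from a shell on the server, not from a web page.
function provisionAccounts(PDO $admin, string $webPw, string $clinicPw): void {
    $w = $admin->quote($webPw);   // DDL takes no placeholders; quote() is the right tool here
    $c = $admin->quote($clinicPw);
    $ddl = [
        "CREATE TABLE IF NOT EXISTS accounts (
            id INT AUTO_INCREMENT PRIMARY KEY,
            username VARCHAR(64) NOT NULL UNIQUE,
            pw_hash VARCHAR(255) NOT NULL)",
        "CREATE TABLE IF NOT EXISTS intake (
            id INT AUTO_INCREMENT PRIMARY KEY,
            account_id INT NOT NULL,
            history TEXT NOT NULL,
            submitted_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP)",
        "CREATE USER IF NOT EXISTS 'intake_web'@'localhost' IDENTIFIED BY $w",
        "CREATE USER IF NOT EXISTS 'intake_clinic'@'localhost' IDENTIFIED BY $c",
        // Patient side: register, look up its own login row, append history. No SELECT on intake.
        "GRANT INSERT, SELECT ON clinic.accounts TO 'intake_web'@'localhost'",
        "GRANT INSERT ON clinic.intake TO 'intake_web'@'localhost'",
        // Clinic side: read histories and usernames only; it never sees password hashes.
        "GRANT SELECT ON clinic.intake TO 'intake_clinic'@'localhost'",
        "GRANT SELECT (id, username) ON clinic.accounts TO 'intake_clinic'@'localhost'",
    ];
    foreach ($ddl as $sql) {
        $admin->exec($sql);
    }
}

// Patient-facing pages (connection made as intake_web).
function registerPatient(PDO $web, string $username, string $password): int {
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt, per-user salt, tunable cost
    $st = $web->prepare('INSERT INTO accounts (username, pw_hash) VALUES (:u, :h)');
    $st->execute([':u' => $username, ':h' => $hash]);
    return (int) $web->lastInsertId();
}

function loginPatient(PDO $web, string $username, string $password): ?int {
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $st = $web->prepare('SELECT id, pw_hash FROM accounts WHERE username = :u');
    $st->execute([':u' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Always run one bcrypt check so an unknown username takes as long as a wrong password.
    $ok = password_verify($password, $row ? $row['pw_hash'] : $dummy);
    return ($ok && $row) ? (int) $row['id'] : null;
}

function submitIntake(PDO $web, int $accountId, string $history): void {
    $st = $web->prepare('INSERT INTO intake (account_id, history) VALUES (:a, :h)');
    $st->execute([':a' => $accountId, ':h' => $history]);
}

// Clinic-facing page (connection made as intake_clinic).
function fetchIntake(PDO $clinic, string $username): array {
    $st = $clinic->prepare(
        'SELECT a.username, i.history, i.submitted_at
           FROM intake i JOIN accounts a ON a.id = i.account_id
          WHERE a.username = :u
          ORDER BY i.submitted_at DESC');
    $st->execute([':u' => $username]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output, not on input: this is what stops stored XSS when a history is displayed.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Check of the boundary itself, worth running after every deployment: the web
// account must be refused even a well-formed read of the intake table.
function webAccountCannotReadIntake(PDO $web): bool {
    try {
        $web->query('SELECT history FROM intake LIMIT 1');
        return false;                                            // grant is wider than intended
    } catch (PDOException $e) {
        return str_contains($e->getMessage(), 'command denied'); // MySQL error 1142
    }
}
```

The value of the write-only grant is what it does for the worst case: if a patient-facing page ever has a SQL injection, or the web tier's credentials leak, the attacker can add rows but cannot pull other patients' histories back out, because the server refuses the SELECT regardless of how the query was built. `webAccountCannotReadIntake()` is the kind of regression check Roger suggests: it asserts the refusal rather than assuming it, so a later "helpful" widening of the grant shows up in the next run instead of in a breach.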


          • transpar3nt

            #6
            Re: Security concerns...

            On Sep 22, 8:53 am, r0g <aioe....@technicalbloke.com> wrote:

            Thank you for your replies, I'll admit that I am a bit over my head
            (not that I can't perform most of these things but the resources are
            limited, i.e. the server is not in-house and the budget would not
            allow for that.) There's a company called MedFusion that deals with a
            lot of doctors office web sites that will provide all of the security
            necessary with all regulations considered, but the office I'm dealing
            with doesn't have the service in their budget.

            I'll see what I can do from here, especially with FPDF. Any other
            advice is always welcome!

            - Keith


            • r0g

              #7
              Re: Security concerns...

              transpar3nt wrote:
              > [Keith's reply #6, quoted in full; snipped]

              Fair enough, I'd recommend they spring for at least a VPS hosting
              package though, the flexibility is very useful and oldschool shared
              servers just aren't secure enough for potentially sensitive data
              (although I'd admit neither are badly configured VPS!)

              Good luck with it all,

              Roger.


              • Jerry Stuckle

                #8
                Re: Security concerns...

                r0g wrote:
                > [earlier posts snipped]
                > Fair enough, I'd recommend they spring for at least a VPS hosting
                > package though, the flexibility is very useful and oldschool shared
                > servers just aren't secure enough for potentially sensitive data
                > (although I'd admit neither are badly configured VPS!)

                Neither is a correctly configured VPS. The hosting company still has
                full access to all the scripts and data on the server.

                Physical security is one of the HIPAA requirements.



                • r0g

                  #9
                  Re: Security concerns...

                  Jerry Stuckle wrote:
                  > [earlier posts snipped]
                  > Neither is a correctly configured VPS. The hosting company still has
                  > full access to all the scripts and data on the server.
                  >
                  > Physical security is one of the HIPAA requirements.

                  Interesting, I haven't read the HIPAA requirements but I don't see how a
                  VPS with encrypted filesystem is any different to a dedicated server in
                  this regard, they're both (hopefully) in a secure datacenter. Still it
                  wouldn't have been the first time a government has mandated kneejerk IT
                  policy without regard to the subtleties.

                  Here in the UK we've got a right mess with different bits of the NHS
                  scrambling around and coming up with their own implementation of the
                  directive to encrypt all data that leaves the premises. Of course the
                  government will happily issue directives like this and then not tell
                  anyone what to use so hospital trusts are pissing away money on IronKeys
                  and (mutually exclusive) commercial encryption programs when they should
                  all really be using TrueCrypt, or at least the same thing as each other!

                  Roger.


                  • Jerry Stuckle

                    #10
                    Re: Security concerns...

                    r0g wrote:
                    > [earlier posts snipped]
                    > Interesting, I haven't read the HIPAA requirements but I don't see how a
                    > VPS with encrypted filesystem is any different to a dedicated server in
                    > this regard, they're both (hopefully) in a secure datacenter. Still it
                    > wouldn't have been the first time a government has mandated kneejerk IT
                    > policy without regard to the subtleties.
                    > [...]

                    Neither has physical security and generally do not meet HIPAA requirements.

                    The only possibility for a hosted server would be a public/private key
                    where the encrypted data is downloaded before decryption. Otherwise, it
                    means keeping the server in-house, where you can control the physical
                    security and access to it.
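Jerry's hosted-server option (#10), where the server only ever encrypts to a public key and decryption happens after the data has been downloaded, has the same shape as the GPG-and-e-mail idea Roger raised in #5. The following is an added example of that arrangement and is not code from the thread: the web host is deployed with nothing but the clinic's public key, seals each intake record as it arrives, and the secret key stays on a machine inside the clinic, which opens the records after fetching them. It uses the libsodium functions bundled with PHP 7.2 and later; the record layout, the key handling and the sample data are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. It implements the layout Jerry
// describes in #10 (and the GPG-and-e-mail variant Roger mentions in #5 has
// the same shape): the hosted server holds only a public key and seals each
// intake record with it as it arrives; the matching secret key stays on a
// machine inside the clinic, which downloads the sealed records and opens
// them there. Uses the libsodium functions bundled with PHP 7.2+. The record
// layout and the sample data are assumptions constructed for illustration.

// Clinic machine, once: create the pair. Only the public half is copied to the host.
function generateClinicKeys(): array {
    $keypair = sodium_crypto_box_keypair();
    return [
        'keypair' => $keypair,                               // stays in the clinic
        'public'  => sodium_crypto_box_publickey($keypair),  // deployed to the web host
    ];
}

// Hosted server: seal a submitted record. Each call uses a fresh ephemeral key,
// so identical records yield different ciphertexts, and the host cannot open
// what it has just sealed because it never holds the secret key.
function sealRecord(array $record, string $clinicPublicKey): string {
    $plain  = json_encode($record, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plain, $clinicPublicKey);
    sodium_memzero($plain);                                   // drop the plaintext copy early
    return sodium_bin2base64($sealed, SODIUM_BASE64_VARIANT_ORIGINAL); // storable in a TEXT column
}

// Clinic machine: open a downloaded record. The sealed box is authenticated, so a
// record altered on the host fails to open instead of decrypting to garbage.
function openRecord(string $storedBase64, string $keypair): ?array {
    $sealed = sodium_base642bin($storedBase64, SODIUM_BASE64_VARIANT_ORIGINAL);
    $plain  = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plain === false) {
        return null;                                          // wrong key or tampered ciphertext
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// End-to-end walk-through with constructed data, as the two machines would run it.
function demo(): array {
    $keys = generateClinicKeys();

    // ... on the host: this string is what the database row would hold
    $record = ['patient' => 'Jane Example', 'history' => 'Rash on forearms, two weeks'];
    $stored = sealRecord($record, $keys['public']);

    // ... in the clinic: fetch the row and open it
    $opened = openRecord($stored, $keys['keypair']);

    // ... and what happens if someone with host access edits the stored row:
    // flip one bit of the ciphertext (the first SEALBYTES hold the ephemeral key and MAC)
    $raw = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
    $i   = SODIUM_CRYPTO_BOX_SEALBYTES;
    $raw[$i] = chr(ord($raw[$i]) ^ 0x01);
    $tampered = openRecord(sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_ORIGINAL), $keys['keypair']);

    return [
        'round_trip_ok'   => $opened === $record,
        'tamper_rejected' => $tampered === null,
    ];
}

print_r(demo());
```

`demo()` returns whether the sealed record opened back to the original and whether the edited copy was rejected. What this buys, and what it does not: a database dump, a stolen backup, or a hosting-company employee reading MySQL files gets only sealed boxes, and the secret key that opens them is never on the host. It does not change Jerry's point about who is inside the trust boundary. The web process still sees the plaintext in the POST body for the moment it takes to seal it, and whoever controls the host can log that request or swap the deployed public key for their own, so sealing narrows what the host's storage yields, not what the host's operators could do.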

