- From: John Carrell <carrell.john@gmail.com>
- Date: Wed, 19 May 2010 20:35:26 +0000
- To: site-comments@w3.org
Hello. I'm new to web development though I've been experimenting with computer programming since I was young. I have some questions regarding security standards for a site I'm creating now. The site is for an eye doctor's practice. Most of it is just the usual information and pictures but we decided to add the functionality of an online medical history form.. Patients can go to the website and fill out their medical history for the office staff to retrieve. The patients don't have to "log in," they simply fill out the form and it's gone. They cannot access it to modify to it. The office staff can then retrieve the information, delete it and print it. The site is SSL secured and has a redirect to the HTTPS protocol. I'm wondering, as I'm sure there are legal ramifications for both the doctor and I to make sure that this data is secure (it does include the patient's SS #). In addition to the Secure Socket Layer what other security am I expected to enforce to keep this site up to the current standards? Are there guidelines for the administrative password to keep someone from being able to access that portion of the site. Is it necessary to encrypt the sensitive information when it's stored in the database? I've also heard about hackers being able to submit forms and trick the SQL query to return other information and do undesired things. How can I prevent this? I feel certain that someone has set a standard that we can stand by if a legal matter came up regarding the security of our site, not to mention having this would encourage our users to feel safe entering their data. Please direct me to the right place or answer these questions directly if you can as I'm a bit lost on where else to look. Thank you in advance for your help! -- John Carrell 1002 B W. Pine St. Missoula, MT, 59802 630 650 5157
Received on Wednesday, 19 May 2010 20:39:52 UTC