- From: Joseph Becher <jwbecher@gmail.com>
- Date: Thu, 20 May 2010 01:00:27 -0400
- To: John Carrell <carrell.john@gmail.com>
- Cc: site-comments <site-comments@w3.org>
- Message-ID: <AANLkTilGVBeWfMJbWmKvfX-EvfImkHsIYCWTXVRCNWp2@mail.gmail.com>
I don't think this is the best place to ask. When talking about patient information there are many laws. I recommend a lawyer experienced in this, but http://www.hhs.gov/ocr/privacy/ is a good place to start if you are operating in the USA.

- Joseph Becher

On Wed, May 19, 2010 at 4:35 PM, John Carrell <carrell.john@gmail.com> wrote:
> Hello. I'm new to web development though I've been experimenting with
> computer programming since I was young. I have some questions regarding
> security standards for a site I'm creating now. The site is for an eye
> doctor's practice. Most of it is just the usual information and pictures but
> we decided to add the functionality of an online medical history form.
> Patients can go to the website and fill out their medical history for the
> office staff to retrieve. The patients don't have to "log in," they simply
> fill out the form and it's gone. They cannot access it to modify it. The
> office staff can then retrieve the information, delete it and print it. The
> site is SSL secured and has a redirect to the HTTPS protocol. I'm wondering,
> as I'm sure there are legal ramifications for both the doctor and I to make
> sure that this data is secure (it does include the patient's SS #). In
> addition to the Secure Socket Layer what other security am I expected to
> enforce to keep this site up to the current standards? Are there guidelines
> for the administrative password to keep someone from being able to access
> that portion of the site? Is it necessary to encrypt the sensitive
> information when it's stored in the database? I've also heard about hackers
> being able to submit forms and trick the SQL query to return other
> information and do undesired things. How can I prevent this? I feel certain
> that someone has set a standard that we can stand by if a legal matter came
> up regarding the security of our site, not to mention having this would
> encourage our users to feel safe entering their data.
>
> Please direct me to the right place or answer these questions directly if
> you can as I'm a bit lost on where else to look. Thank you in advance for
> your help!
>
> --
> John Carrell
> 1002 B W. Pine St.
> Missoula, MT, 59802
> 630 650 5157
>
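The quoted question describes, in plain words, SQL injection: form input that changes the meaning of the query built around it. The following is an added illustration, not code from either poster or from the practice's site, using Python's standard-library sqlite3 module and a constructed in-memory table of submitted forms (the table layout, the sample rows and the function names are assumptions for the example). It puts the concatenated query next to the parameterized one and runs the same injection payload through both.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
# Values are placeholders, not real identifiers.
SAMPLE_FORMS = [
    ("Alice Example", "1980-01-01", "000-00-0001"),
    ("Bob Example", "1975-06-15", "000-00-0002"),
]

# Payload of the kind the question alludes to: closes the quoted string
# and appends a condition that is always true.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create an in-memory database holding the sample forms (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forms (id INTEGER PRIMARY KEY, patient TEXT, dob TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO forms (patient, dob, ssn) VALUES (?, ?, ?)", SAMPLE_FORMS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, patient_name):
    """Builds the SQL text by concatenation: the submitted value becomes part
    of the query itself, so quotes in the input rewrite the WHERE clause."""
    sql = "SELECT patient, ssn FROM forms WHERE patient = '" + patient_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, patient_name):
    """Parameterized query: the SQL text is fixed and the value travels as a
    bound parameter, so it is only ever compared, never parsed as SQL."""
    return conn.execute(
        "SELECT patient, ssn FROM forms WHERE patient = ?", (patient_name,)
    ).fetchall()


def demo():
    """Run the same payload through both lookups and return the results."""
    conn = make_db()
    return {
        # every row comes back: the injected OR '1'='1' matches everything
        "vulnerable": lookup_vulnerable(conn, INJECTION),
        # no row has the literal name "x' OR '1'='1", so nothing is returned
        "safe": lookup_safe(conn, INJECTION),
        # the parameterized version still works for an ordinary name
        "legit": lookup_safe(conn, "Alice Example"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The contrast is the whole point: the only difference between the two functions is whether the user's text is spliced into the SQL string or passed as a parameter, and only the first one hands every stored record, SSNs included, to whoever types a quote character into the form.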
Received on Thursday, 20 May 2010 05:01:00 UTC