-
Web portal security?
Hello all, I am in the development stages of designing a webserver with an employee portal for my domain. I would like for the employees to access this portal internally and externally. After logging in they would have access to email and other things. What kind of security design is recommended? It needs to be something very strong, since this site deals with patient information. All input will be appreciated.
-
At least put the employee part behind SSL and use strong authentication. Like tokens and such.
Try to separate the public part and the employee part. Preferably on different servers. Both have different security concerns and it's "easier" to protect both if you separate them. Also if somebody "cracks" your public site they won't be able to get to the employee site.
Even though you use SSL and strong authentication you still need to make sure the application is secure too. This means input validation, preventing SQL injection and XSS to name a few.
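The three application-level points in the post above (input validation, SQL injection, XSS) in working form, as an added example that is not from the thread or any of its posters. It assumes a small intranet newsletter archive (a constructed SQLite table with month, title and body columns) and shows an allow-list validator for user-supplied keys, a string-spliced query kept only for contrast against its parameterized replacement, and HTML escaping of stored text before it is rendered.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the intranet newsletter archive
# (assumption: a table with a month key, a title and a body; not from the thread).
SAMPLE_NEWSLETTERS = [
    ("2004-01", "January newsletter", "Welcome to the employee portal."),
    ("2004-02", "February newsletter", "Benefits enrollment opens <b>soon</b>."),
    ("2004-03", "Q1 review", "Thanks for a great quarter & see you in April."),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (month TEXT, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO newsletter VALUES (?, ?, ?)", SAMPLE_NEWSLETTERS)
    conn.commit()
    return conn


# Input validation: accept only what a legitimate value can look like (allow-list),
# rather than trying to enumerate bad characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
MONTH_RE = re.compile(r"\d{4}-(0[1-9]|1[0-2])")


def validate_username(name):
    """Allow-list check for a login name: letters, digits, dot, underscore, dash."""
    return USERNAME_RE.fullmatch(name) is not None


def validate_month(month):
    """Allow-list check for a YYYY-MM archive key."""
    return MONTH_RE.fullmatch(month) is not None


def find_by_month_unsafe(conn, month):
    """String-spliced query, kept only for contrast: the value becomes part of the
    SQL text, so a quote character in it changes the statement instead of being
    compared as data."""
    sql = "SELECT month, title, body FROM newsletter WHERE month = '" + month + "'"
    return conn.execute(sql).fetchall()


def find_by_month(conn, month):
    """Hardened form: reject malformed keys first, then bind the value as a
    parameter so the database always treats it as data, never as SQL."""
    if not validate_month(month):
        return []
    sql = "SELECT month, title, body FROM newsletter WHERE month = ?"
    return conn.execute(sql, (month,)).fetchall()


def render_newsletter(row):
    """Escape every database value before it goes into HTML, so stored text cannot
    turn into markup or script in the reader's browser (XSS prevention)."""
    month, title, body = row
    return (
        "<article><h2>" + html.escape(title) + "</h2>"
        "<p class=\"month\">" + html.escape(month) + "</p>"
        "<p>" + html.escape(body) + "</p></article>"
    )


def newsletter_page(conn, month):
    """Look up one month's newsletter and return its rendered HTML, or an escaped
    'not found' notice when the key is malformed or absent."""
    rows = find_by_month(conn, month)
    if not rows:
        return "<p>No newsletter found for " + html.escape(month) + ".</p>"
    return "".join(render_newsletter(r) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(newsletter_page(db, "2004-02"))   # stored <b> tags arrive escaped
    print(newsletter_page(db, "2004-02'"))  # stray quote fails validation, nothing leaks
```

The validator rejects anything that is not a well-formed month key before the database is touched, the parameterized query handles a quote in the value as ordinary text even if validation were skipped, and escaping at render time covers text that was stored by someone else (the February body contains a `<b>` tag on purpose). Authentication and TLS are assumed to sit in front of this code, as the post describes.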
-
Greetings:
SirDice left out one major thing. It set off alarm bells in my head the second I read the word "patient information" in your description.
If you're in the healthcare industry, and if you're in the US, you need to be compliant with HIPAA. If you're not a security expert, and if you're not familiar with HIPAA, I STRONGLY STRONGLY STRONGLY suggest you hire someone to create this portal for you. (I think you'll find this portal can't be everything you're probably hoping for.)
With some areas it's fine to be a do-it-yourself learn-as-you-go type of administrator. Dealing with patient information, and making sure you're HIPAA compliant, is not one of those areas.
You can read more about HIPAA from the US Health and Human Services website at http://www.hhs.gov/ocr/hipaa/
-
JP speaks the truth, there are certain times when you just gotta call in an expert that knows the specific regulations.
You don't build a house without first consulting the local building codes, and you certainly don't go putting patient records online without following HIPAA.
The implications of not are incredible. I read a very scary article one day about how open a lot of doctors' offices are in regards to keeping electronic documentation, I wish I had it bookmarked, but it made you wonder about your medical provider and whether you should expect your identity to get "borrowed".
Quite scary!!!
Peace,
Dhej
-
I'm not a US citizen so I didn't know about HIPAA :D Good call!
Here in Holland we have rules and regulations regarding anyone's records, not just the medical ones.
-
Actually, they will not access any patient info. But they will access email and our intranet which is a monthly newsletter. I thought this would be something simple to create?
-
Everything I've told you still holds up. Except maybe the strong authentication. Normal authentication could be enough but YMMV.
-
Anybody know of a certain website that will help me on creating secure websites?
-
You already found one ;)
Seriously, have a look through the archives and/or use the search function.
You can probably pick up a whole list of sites for your reading pleasure :)
-
This site is great! But is there a site that dedicates itself to web security?
-
http://www.cert.org/security-improve...s/m11.html#who
This site is a good place to start.
I don't think you are going to find a place that is going to lay it all out for you. The best thing to do is lay out a plan and do research on how it can be done. AntiOnline has a lot of the information you'll need, but you'll have to figure out what applies to what you are doing. And remember if you can't find information on a specific thing post it here. The more specific the better.