Security concerns...

Hello all, first time poster, long time reader. *I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. *I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
>
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. *We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).

Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
>
My last question is about PDF. *When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. *I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. *All I can find so far is very
in-depth and complex work-arounds.

My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a PDF
file with all their info so all the patient has to do is print it out
and bring it in all nice and pretty.

Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
>
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
>
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.
>
Thanks for any help that you may provide!!!
>
- Keith
casperghosty at gmail , com
>

Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
>
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
>
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.
>
Thanks for any help that you may provide!!!
>
- Keith
casperghosty at gmail , com

On Sep 22, 8:53 am, r0g <aioe....@technicalbloke.comwrote:
>
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
>
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
>
- Keith

transpar3nt wrote:>
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)
>
Good luck with it all,
>
Roger.
>

r0g wrote:>
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.
>
Physical security is one of the HIPAA requirements.
>

Jerry Stuckle wrote:>
Interesting, I haven't read the HIPAA requirements but I don't see how a
VPS with encrypted filesystem is any different to a dedicated server in
this regard, they're both (hopefully) in a secure datacenter. Still it
wouldn't been the first time a government has mandated kneejerk IT
policy without regard to the subtleties.
>
Here in the UK we've got a right mess with different bits of the NHS
scrambling around and coming up with their own implementation of the
directive to encrypt all data that leaves the premises. Of course the
government will happily issue directives like this and then not tell
anyone what to use so hospital trusts are pissing away money on ironkeys
and (mutually exclusive) commercial encryption programs when they should
all really be using truecrypt, or at least the same thing as each other!
>
Roger.
>