Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.
Thanks for any help that you may provide!!!
- Keith
casperghosty at gmail , com
9  1688 
On 22 Sep, 08:23, transpar3nt <caspergho...@g mail.comwrote:
Hello all, first time poster, long time reader. *I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. *I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. *We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
It depends what you consider to be the next level. I tend to build
this sort of stuff within a secure CMS.
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
My last question is about PDF. *When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. *I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. *All I can find so far is very
in-depth and complex work-arounds.
FPDF makes this easy. Couple this with HTML2PDF and it gets even
easier.
transpar3nt wrote:
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a PDF
file with all their info so all the patient has to do is print it out
and bring it in all nice and pretty.
This can be done with fpdf, which can produce PDFs. You typically program
this like: select this font, but this text there, etc.
transpar3nt wrote:
Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.
Thanks for any help that you may provide!!!
- Keith
casperghosty at gmail , com
Keith,
If you're in the U.S., you are correct to be worried about security.
Before starting on anything dealing with the medical profession, you
need to research HIPAA regulations and insure you follow them.
And BTW - I would never collect any of this information on anything but
an in-house host. You need physical security of the host, also.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
transpar3nt wrote:
Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.
My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.
Thanks for any help that you may provide!!!
- Keith
casperghosty at gmail , com
Hi Keith,
I'd recommend you separate the user side and the admin side as much as
possible. Create separate DB users for your client facing pages and your
admin pages and lock down the permissions, maybe make the sensitive data
table write only to the client facing user.
Also you can have the admin pages accessed from a different domain name
with HHTP Auth and your own authorization scheme, maybe tied to IP if
you want to get really serious. If it's not too inconvenient for your
client you could also put all you admin pages outside the webroot and
have them access them via SSH.
Naturally make sure to protect your scripts from XSS and SQL injection.
If you want to demonstrate due diligence it might be a good idea to
write a test script that tries to access critical files / folders /
scripts, maybe including a few of the more common tricks and run it
every time you make mods to the site just to make sure you haven't
broken any security / opened any holes.
Lastly if it's very critical stuff consider not keeping it on the server
at all. You could come upwith a schem where you have their details on
file and they just use a username/patient number on the website.
Alternatively you can encrypt sensitive data with GPG and e-mail it to
the surgery. With the right thunderbird plugin the encryption would be
transparent to them.
Hope some of this helps :-)
Roger.
On Sep 22, 8:53*am, r0g <aioe....@techn icalbloke.comwr ote:
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
- Keith
transpar3nt wrote:
On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)
Good luck with it all,
Roger.
r0g wrote:
transpar3nt wrote:
>On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)
Good luck with it all,
Roger.
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.
Physical security is one of the HIPAA requirements.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Jerry Stuckle wrote:
r0g wrote:
>transpar3nt wrote:
>>On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)
Good luck with it all,
Roger.
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.
Physical security is one of the HIPAA requirements.
Interesting, I haven't read the HIPAA requirements but I don't see how a
VPS with encrypted filesystem is any different to a dedicated server in
this regard, they're both (hopefully) in a secure datacenter. Still it
wouldn't been the first time a government has mandated kneejerk IT
policy without regard to the subtleties.
Here in the UK we've got a right mess with different bits of the NHS
scrambling around and coming up with their own implementation of the
directive to encrypt all data that leaves the premises. Of course the
government will happily issue directives like this and then not tell
anyone what to use so hospital trusts are pissing away money on ironkeys
and (mutually exclusive) commercial encryption programs when they should
all really be using truecrypt, or at least the same thing as each other!
Roger.
r0g wrote:
Jerry Stuckle wrote:
>r0g wrote:
>>transpar3nt wrote:
On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:
Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.
I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!
- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)
Good luck with it all,
Roger.
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.
Physical security is one of the HIPAA requirements.
Interesting, I haven't read the HIPAA requirements but I don't see how a
VPS with encrypted filesystem is any different to a dedicated server in
this regard, they're both (hopefully) in a secure datacenter. Still it
wouldn't been the first time a government has mandated kneejerk IT
policy without regard to the subtleties.
Here in the UK we've got a right mess with different bits of the NHS
scrambling around and coming up with their own implementation of the
directive to encrypt all data that leaves the premises. Of course the
government will happily issue directives like this and then not tell
anyone what to use so hospital trusts are pissing away money on ironkeys
and (mutually exclusive) commercial encryption programs when they should
all really be using truecrypt, or at least the same thing as each other!
Roger.
Neither has physical security and generally do not meet HIPAA requirements.
The only possibility for a hosted server would be a public/private key
where the encrypted data is downloaded before decryption. Otherwise, it
means keeping the server in-house, where you can control the physical
security and access to it.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== === This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Brian Oster |
last post by:
After applying security patch MS03-031 (Sql server ver 8.00.818) a
query that used to execute in under 2 seconds, now takes over 8
Minutes to complete. Any ideas on what the heck might be going on?
I have tested this extensively and can say for certain that installing
this hot fix is what has caused the performance problem. I just don't
know why or how to fix it.
Brian Oster
|
by: Nicolae Fieraru |
last post by:
Hi All,
I am working on a web site in asp which will be hosted on a Windows 2003
server.
I use the following code to connect to the database:
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS1 = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
|
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data and some who couldn't but that it wasn't important right now.
And I said, 'sure, we can do that later'.
So now I've developed an app without any thought to security and am trying
to apply it afterwards. Doh!, doh! and triple doh!
|
by: WebMatrix |
last post by:
Hello,
I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review, one developer suggested that it's a security flaw;
therefore connection strings should be kept somewhere else or encrypted.
My argument is that web.config file is protected by IIS and Windows security
which is the case. And another argument is that...
|
by: allyn44 |
last post by:
HI--a simple question about access security--am having brain lock--if
I make queries read only to a chosen user group (as defined by access
security) will they stil be able to open forms based on sql statements
in the Record source property of the form?
I have most of my forms based on SQL statements in the record source
property of the form (drawing from more than one table)--as I
understand these they are not stored queries?
So I...
| | |
by: Oenone |
last post by:
I've been working on migration of my company's VB6 ASP system to VB2005 over
the last year or so, and am currently presenting my findings and recommended
course of action to our management team. One of the concerns that has been
raised is with regard to the .dll files that form our service being placed
into a directory within the publically available web site (i.e., the bin
directory).
We have long held the view that private files...
|
by: himilecyclist |
last post by:
My State government organization has written a PHP/MySQL application
which has been in production for about 6 months and has been highly
successful.
We are now embarking on a similar database application, but one with
much higher security concerns (birth data). Prior to beginning the
project, we met with an oversight committee who strongly advised
against PHP and suggested Java. Their concern was that PHP could not
be trusted to...
|
by: Earl Anderson |
last post by:
First, I feel somewhat embarrassed and apologetic that this post is lengthy,
but in an effort to furnish sufficient information (as opposed to too little
information) to you, I wanted to supply all of the relevant facts. Second,
despite the fact that I think the obvious 'quick' answer to my question
would be 'Yes', I am seeking your wisdom and recommendation to the question
as to this particular set of circumstances.
I have 20 Security...
|
by: =?Utf-8?B?TWFuanJlZSBHYXJn?= |
last post by:
Hi,
I created a web service and hosted it in Windows Services. It is working
fine. Now I am trying to implement the X509 certificates for message layer
security. But it is throwing the following exception:
An unhandled exception of type
'System.ServiceModel.Security.SecurityNegotiationException' occurred in
mscorlib.dll
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
