473,699 Members | 2,380 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Security concerns...

Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.

My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?

My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.

Thanks for any help that you may provide!!!

- Keith
casperghosty at gmail , com
Sep 22 '08 #1
9 1665
On 22 Sep, 08:23, transpar3nt <caspergho...@g mail.comwrote:
Hello all, first time poster, long time reader. *I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. *I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.

My concern is that this requires some pretty sensitive information
being submitted and stored in our database. *We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
It depends what you consider to be the next level. I tend to build
this sort of stuff within a secure CMS.
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?

My last question is about PDF. *When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. *I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. *All I can find so far is very
in-depth and complex work-arounds.
FPDF makes this easy. Couple this with HTML2PDF and it gets even
easier.
Sep 22 '08 #2
transpar3nt wrote:
My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a PDF
file with all their info so all the patient has to do is print it out
and bring it in all nice and pretty.
This can be done with fpdf, which can produce PDFs. You typically program
this like: select this font, but this text there, etc.
Sep 22 '08 #3
transpar3nt wrote:
Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.

My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?

My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.

Thanks for any help that you may provide!!!

- Keith
casperghosty at gmail , com
Keith,

If you're in the U.S., you are correct to be worried about security.
Before starting on anything dealing with the medical profession, you
need to research HIPAA regulations and insure you follow them.

And BTW - I would never collect any of this information on anything but
an in-house host. You need physical security of the host, also.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Sep 22 '08 #4
r0g
transpar3nt wrote:
Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.

My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain).. would that be a viable low-cost
solution or is there a security concern with a shared certificate?

My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.

Thanks for any help that you may provide!!!

- Keith
casperghosty at gmail , com

Hi Keith,

I'd recommend you separate the user side and the admin side as much as
possible. Create separate DB users for your client facing pages and your
admin pages and lock down the permissions, maybe make the sensitive data
table write only to the client facing user.

Also you can have the admin pages accessed from a different domain name
with HHTP Auth and your own authorization scheme, maybe tied to IP if
you want to get really serious. If it's not too inconvenient for your
client you could also put all you admin pages outside the webroot and
have them access them via SSH.

Naturally make sure to protect your scripts from XSS and SQL injection.

If you want to demonstrate due diligence it might be a good idea to
write a test script that tries to access critical files / folders /
scripts, maybe including a few of the more common tricks and run it
every time you make mods to the site just to make sure you haven't
broken any security / opened any holes.

Lastly if it's very critical stuff consider not keeping it on the server
at all. You could come upwith a schem where you have their details on
file and they just use a username/patient number on the website.
Alternatively you can encrypt sensitive data with GPG and e-mail it to
the surgery. With the right thunderbird plugin the encryption would be
transparent to them.

Hope some of this helps :-)

Roger.
Sep 22 '08 #5
On Sep 22, 8:53*am, r0g <aioe....@techn icalbloke.comwr ote:

Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.

I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!

- Keith
Sep 22 '08 #6
r0g
transpar3nt wrote:
On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:

Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.

I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!

- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)

Good luck with it all,

Roger.
Sep 22 '08 #7
r0g wrote:
transpar3nt wrote:
>On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:

Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.

I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!

- Keith

Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)

Good luck with it all,

Roger.
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.

Physical security is one of the HIPAA requirements.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Sep 22 '08 #8
r0g
Jerry Stuckle wrote:
r0g wrote:
>transpar3nt wrote:
>>On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:

Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.

I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!

- Keith

Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)

Good luck with it all,

Roger.

Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.

Physical security is one of the HIPAA requirements.
Interesting, I haven't read the HIPAA requirements but I don't see how a
VPS with encrypted filesystem is any different to a dedicated server in
this regard, they're both (hopefully) in a secure datacenter. Still it
wouldn't been the first time a government has mandated kneejerk IT
policy without regard to the subtleties.

Here in the UK we've got a right mess with different bits of the NHS
scrambling around and coming up with their own implementation of the
directive to encrypt all data that leaves the premises. Of course the
government will happily issue directives like this and then not tell
anyone what to use so hospital trusts are pissing away money on ironkeys
and (mutually exclusive) commercial encryption programs when they should
all really be using truecrypt, or at least the same thing as each other!

Roger.
Sep 22 '08 #9
r0g wrote:
Jerry Stuckle wrote:
>r0g wrote:
>>transpar3nt wrote:
On Sep 22, 8:53 am, r0g <aioe....@techn icalbloke.comwr ote:

Thank you for you replies, I'll admit that I am a bit over my head
(not that I can't perform most of these things but the resources are
limited, i.e. the server is not in-house and the budget would not
allow for that.) There's a company called MedFusion that deals with a
lot of doctors office web sites that will provide all of the security
necessary with all regulations considered, but the office I'm dealing
with doesn't have the service in their budget.

I'll see what I can do from here, especially with FPDF. Any other
advice is always welcome!

- Keith
Fair enough, it'd recommend they spring for at least a VPS hosting
package though, the flexibility is very useful and oldschool shared
servers just aren't secure enough for potentially sensitive data
(although I'd admit neither are badly configured VPS!)

Good luck with it all,

Roger.
Neither is a correctly configured VPS. The hosting company still has
full access to all the scripts and data on the server.

Physical security is one of the HIPAA requirements.

Interesting, I haven't read the HIPAA requirements but I don't see how a
VPS with encrypted filesystem is any different to a dedicated server in
this regard, they're both (hopefully) in a secure datacenter. Still it
wouldn't been the first time a government has mandated kneejerk IT
policy without regard to the subtleties.

Here in the UK we've got a right mess with different bits of the NHS
scrambling around and coming up with their own implementation of the
directive to encrypt all data that leaves the premises. Of course the
government will happily issue directives like this and then not tell
anyone what to use so hospital trusts are pissing away money on ironkeys
and (mutually exclusive) commercial encryption programs when they should
all really be using truecrypt, or at least the same thing as each other!

Roger.
Neither has physical security and generally do not meet HIPAA requirements.

The only possibility for a hosted server would be a public/private key
where the encrypted data is downloaded before decryption. Otherwise, it
means keeping the server in-house, where you can control the physical
security and access to it.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Sep 22 '08 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
3046
by: Brian Oster | last post by:
After applying security patch MS03-031 (Sql server ver 8.00.818) a query that used to execute in under 2 seconds, now takes over 8 Minutes to complete. Any ideas on what the heck might be going on? I have tested this extensively and can say for certain that installing this hot fix is what has caused the performance problem. I just don't know why or how to fix it. Brian Oster
4
2657
by: Nicolae Fieraru | last post by:
Hi All, I am working on a web site in asp which will be hosted on a Windows 2003 server. I use the following code to connect to the database: Set objConn = Server.CreateObject("ADODB.Connection") Set objRS1 = Server.CreateObject("ADODB.Recordset") objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
116
7514
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data and some who couldn't but that it wasn't important right now. And I said, 'sure, we can do that later'. So now I've developed an app without any thought to security and am trying to apply it afterwards. Doh!, doh! and triple doh!
14
3498
by: WebMatrix | last post by:
Hello, I have developed a web application that connects to 2 different database servers. The connection strings with db username + password are stored in web.config file. After a code review, one developer suggested that it's a security flaw; therefore connection strings should be kept somewhere else or encrypted. My argument is that web.config file is protected by IIS and Windows security which is the case. And another argument is that...
2
1436
by: allyn44 | last post by:
HI--a simple question about access security--am having brain lock--if I make queries read only to a chosen user group (as defined by access security) will they stil be able to open forms based on sql statements in the Record source property of the form? I have most of my forms based on SQL statements in the record source property of the form (drawing from more than one table)--as I understand these they are not stored queries? So I...
1
1467
by: Oenone | last post by:
I've been working on migration of my company's VB6 ASP system to VB2005 over the last year or so, and am currently presenting my findings and recommended course of action to our management team. One of the concerns that has been raised is with regard to the .dll files that form our service being placed into a directory within the publically available web site (i.e., the bin directory). We have long held the view that private files...
15
10499
by: himilecyclist | last post by:
My State government organization has written a PHP/MySQL application which has been in production for about 6 months and has been highly successful. We are now embarking on a similar database application, but one with much higher security concerns (birth data). Prior to beginning the project, we met with an oversight committee who strongly advised against PHP and suggested Java. Their concern was that PHP could not be trusted to...
18
2020
by: Earl Anderson | last post by:
First, I feel somewhat embarrassed and apologetic that this post is lengthy, but in an effort to furnish sufficient information (as opposed to too little information) to you, I wanted to supply all of the relevant facts. Second, despite the fact that I think the obvious 'quick' answer to my question would be 'Yes', I am seeking your wisdom and recommendation to the question as to this particular set of circumstances. I have 20 Security...
8
13334
by: =?Utf-8?B?TWFuanJlZSBHYXJn?= | last post by:
Hi, I created a web service and hosted it in Windows Services. It is working fine. Now I am trying to implement the X509 certificates for message layer security. But it is throwing the following exception: An unhandled exception of type 'System.ServiceModel.Security.SecurityNegotiationException' occurred in mscorlib.dll
0
8618
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9178
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9035
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
8885
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
5875
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4376
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
3058
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2348
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
2010
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.