On Fri, 4 Mar 2005 09:02:36 -0500, Claremont, Timothy <[EMAIL PROTECTED]> wrote:
> This MAY be more a hosting question, but I am looking into how I can
> best share sensitive PATIENT information over the internet to our
> nursing staff out in the field.
>
> We have a CrystalTech shared hosting account, and have the typical SSL
> directory available to us. I can even go so far as to ONLY store
> information like Client Number instead of identifying information like
> name, etc. I would simply provide the nursing staff with a physical
> listing of patient and ID numbers.
>
> My question becomes, since we are on a shared server, what real security
> do I have, even with an SSL directory available to me? And, when it
> comes to CF, what are my options to maximize security under my
> less-than-ideal environment? Am I asking too much?

My first reaction is you want to talk to both your lawyer and to the legal staff responsible for the patient information about HIPAA requirements (assuming this is hosted in and for a US medical group). Having built several applications that contain relatively *trivial* patient information (name, email, contact phone number) for a major university hospital I'll simply warn you this area is *very* touchy and you definitely don't want to get caught in the crossfire!

If you're using a host that has shared CFMX hosting, you're at their mercy as far as how well they set up sandboxes for each account (it's not that hard to script the servicefactory to get access to admin information for example). All SSL is going to do is encrypt the *transfer* of the information -- it's still potentially vulnerable to CFFILE (or java io methods), the database is still potentially accessible, and you're relying on the security safeguards of the host.

There are companies that provide outsourced HIPAA-compliant hosting environments which would be a good starting point, but they are pricey. Without knowing all the details, but based on seeing some EMR (electronic medical records) implementations up close, I'd suggest considering hosting it internally (assuming you're already HIPAA-compliant) and using VPN externally into the application.

<anecdote>
As an aside, my favorite HIPAA moment with the legal team was when I built a VoiceXML reminder application (called patients weekly to remind them to fill out a research survey). The entire patient data required for the application was their name and their phone number. We hosted the app in the HIPAA environment at the hospital but used a 3rd party VoiceXML provider (Voxeo), so the ColdFusion app sent an HTTPS request to Voxeo's server containing the patient's name and phone number to actually make the phone call.... took weeks to clear with legal since the name and phone number (HIPAA privileged patient info) was being sent across an HTTPS connection to a Tier 1 hosting provider. They did allow that I could pass a non-identifying patient ID code. Of course you can't make a phone call without a phone number, so that wasn't all that useful. We eventually got permission to pass the phone number once we had written consent as part of joining the study.
</anecdote>

--
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

