Firewall Wizards mailing list archives
Secure site for medics
From: Alex Melichar <emfu01 () holyrood ed ac uk>
Date: Fri, 4 Dec 1998 14:01:23 +0000 (GMT)
Hi,

I've been asked to come up with a recommendation for a secure medics site. I'm posting in the hope someone can point out major holes in my thoughts. Thanks in advance.

The aim of the proposal is to have a database that contains sensitive patient data. This database is to be accessed by about 30-50 users (maybe more later) - all non-literate users (please think of users who ask what icons are. I'm meaning to deride them just that the solution has to be transparent and secure). There are several different locations they will be accessing the database from but will have Windows (95 or NT) machines. The last part is the hardest: The administrator will have who printed what.

So how does one provide a secure server? My thoughts are: Use Caldera Linux (comes with Sybase SQL server). Get Apache, get the SSLeay modules and use the server as a web server. As the UK has no restrictions on key size we can use 128 bit (thereby making it secure for some time, important for patient data). Make the whole web site user-authorisation access only. To solve the print problem use a non-print friendly HTML page when information is asked for (say a patient's records) and have print friendly pages where prescriptions can be printed from (given that people log in, a list of who asked for what print page can be compiled).

Where is this solution weak (in terms of how can patient data be accessed by unauthorised users - this server will be left in a locked location so I'd prefer answers of how someone can get at it from the outside not the inside)?

Personal thoughts: Given that the server will only be a web server (no mail, no ftp, etc.) and nothing else, I can't see any immediate holes. Also there will be only a very small turnover of users and as this is patient data, human engineering is unlikely to work (doctors are used to junkies asking for free prescription pads etc). As access will be using only SSL (v3?) I can't see leaks when data is going over the net.

Essentially I think this will work. However I have this feeling of "I'm missing something *huge*".

As this is a firewall mailing list, something more on topic: What firewall protection do I need to implement? I hope that I don't need to as I'll only allow SSL connections... If I need to, can it be done cheaply and what do people suggest?

Thanks in advance.

Alex
Current thread:
- Secure site for medics Alex Melichar (Dec 04)
- Re: Secure site for medics Bennett Todd (Dec 07)
- Re: Secure site for medics Steve George (Dec 07)
- RE: Secure site for medics Shawn Stevens (Dec 08)
- Re: Secure site for medics Adam Shostack (Dec 07)
- Re: Secure site for medics Kent Hoxsey (Dec 07)
- <Possible follow-ups>
- RE: Secure site for medics Alex Melichar (Dec 07)
- RE: Secure site for medics James D. Wilson (Dec 07)