Educause Security Discussion mailing list archives

Online Student Health System risk assessment


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 17 Feb 2009 16:25:36 -0500


Hi,

We're assessing an online student health system project
consisting of bringing up a web server and application
to front-end the current Health Center's internal Medicat
system. It would be used to schedule appointments, submit
immunization records and other forms, view records, and
communicate with care providers.

http://www.medicat.com/product_online_student_health.php

Did those of you who have implemented a similar system take any
extra security protection steps above and beyond other
online applications like student administration self
service?

For example,

1. Are you using reusable password authentication or something
   stronger?

2. Are you using a common campus-wide same/single-signon account
   used for things like e-mail, network access, and student
   registration to access the online health system?

3. Are you using a web application firewall in front of the
   application? If so, was it purchased specifically for
   this system?

4. Did you pen-test the application?

Also, who monitors and administers the application - internal
staff or the vendor?

Thanks for any information.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
