Shared Server/simple Reseller Security

I have a Simple Reseller's account which I assume is on a shared machine. One of my customers, who is in the medical QA/QI business, is using a MySQL database with some PHP-generated data entry pages I created to store generic data on procedures and things. Now my customer wants to include scanned images and/or generated PDF files which may contain personal information such as name, address, phone numbers, etc. I want to put them in a folder, not the database, and link them to their appropriate record.

 

HIPAA, Health Insurance Portability and Accountability Act, is the governing law that I am trying to comply with.

 

My questions are numerous, but for now just a sampling: I would like to figure out what kind of security I have, if I need any additional security (i.e., do I need to encrypt?), what type of folder security do I have, is the server itself secure, who and what has access to my files, do I need a dedicated server, etc.

 

Ultimately I am trying to make sure that I can cover my butt and lock this stuff down so only the appropriate people have access to it. I am still very new with Linux and this reseller stuff. Any insight, suggestions, help (on or off forum) would be greatly appreciated.

 

Chip Patterson
Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.

 

Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

 

Among other things documented at Wikipedia.

 

Generally speaking, though I'm not experienced with HIPAA specifically, a shared server environment generally would not fit within the HIPAA rules as I read them. TCH keeps their servers pretty secure, but there are always limitations when dealing with shared environments.

 

A dedicated server coupled with encryption (at least as far as the data leaving the server, such as using SSL on the website) *might* qualify.

 

If in doubt, though, consulting a lawyer experienced with HIPAA is a wise idea, rather than jeopardizing personal information and/or incurring a lawsuit.

Thanks Mike for getting back to me.

 

I basically got the same reading you did right from the HIPAA website. My thoughts were also the same about a shared server but wanted to double check with someone from TCH to see if I was missing anything. Seems I may be missing a lot. Will speak to the people that really know about laws governing this.

 

As usual you guys are great!
