Stooney Posted April 28, 2009 I've been tasked with creating a HIPAA compliant website. Read Here for a quick rundown on the HIPAA requirements I need to meet (assuming it's accurate). Where do I start? I've never really worked with web encryption before. The website is for storing and transferring files containing patient data. Based on what I know right now, I plan to encrypt all files as they're stored, but I do not know what type of algorithm or what language this should be done in (not sure if PHP is optimal for it, but I'm guessing). Second, I assume SSL would be necessary. That's all I know right now. So does anyone have any experience with HIPAA? How should I go about encrypting/decrypting files stored on the web server? Is there anything I'm missing? Thanks in advance.
xylex Posted April 28, 2009 I probably wouldn't recommend starting out on a HIPAA covered app planning to do it all in PHP. Encryption is just a tiny piece of HIPAA. Here's a more comprehensive list of requirements - http://www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf More important than the encryption pieces are your access controls and logging. You need to be able to track and report everything about who accesses/modifies the system in any way. This in turn leads into a lot of database work, a lot of which is also recommended/required to be encrypted under HIPAA, so using a database which supports row level encryption, such as Oracle DB, SQLServer, or DB2 usually comes into play here. PHP support for these other databases is there, but it's not nearly as widely used as MySQL or Postgres, so you'll find less documentation, run into more bugs, see less development in these libraries, etc. So for these reasons, I'd probably suggest looking into Java or C#, at least for your access control/logging requirements. And not trying to be rude, but if you're not feeling fully up on web system security practices or don't understand what all you need to do for HIPAA, I would really recommend finding someone with this experience who can at least guide you and review your system design and code regularly. If you can't get that resource, you may want to reconsider taking this project on.
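To make the two points above concrete (the OP's question about encrypting files at rest, and xylex's point that access logging matters as much as the encryption), here is an added example that is not code from this thread. It assumes a modern PHP (7.2 or later, where libsodium is built in), a key file and storage directory outside the web root that only the web server account can read, and illustrative path and function names.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.2 (libsodium built in).
// KEY_FILE and STORE_DIR live outside the web root, readable only by the web
// server account; every path and function name here is illustrative.
const KEY_FILE  = '/etc/phiapp/phi.key';          // 32 random bytes, generated once
const STORE_DIR = '/var/lib/phiapp/files';
const AUDIT_LOG = '/var/log/phiapp/phi-audit.log';

function loadKey(): string {
    $key = @file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PHI key missing or wrong length');
    }
    return $key;
}

// Reject any id that could walk out of STORE_DIR (e.g. "../../etc/passwd").
function pathFor(string $fileId): string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fileId)) {
        throw new InvalidArgumentException('bad file id');
    }
    return STORE_DIR . '/' . $fileId . '.enc';
}

// Every read or write of patient data is recorded: who, what, when, from where, result.
function audit(string $userId, string $action, string $fileId, bool $ok): void {
    $entry = json_encode(['ts' => gmdate('c'), 'user' => $userId, 'action' => $action,
        'file' => $fileId, 'ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli', 'ok' => $ok]);
    file_put_contents(AUDIT_LOG, $entry . "\n", FILE_APPEND | LOCK_EX);
}

// On disk: nonce || ciphertext. secretbox is authenticated encryption, so a
// tampered or mis-keyed blob fails at decrypt time instead of yielding garbage.
function storePatientFile(string $userId, string $fileId, string $plaintext): void {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per file
    $blob  = $nonce . sodium_crypto_secretbox($plaintext, $nonce, loadKey());
    $ok    = file_put_contents(pathFor($fileId), $blob, LOCK_EX) !== false;
    audit($userId, 'store', $fileId, $ok);
}

function readPatientFile(string $userId, string $fileId): string {
    $blob = file_get_contents(pathFor($fileId));
    if ($blob === false) { throw new RuntimeException('no such file'); }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, loadKey());
    audit($userId, 'read', $fileId, $plain !== false);   // failed reads are logged too
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered file');
    }
    return $plain;
}
```

The audit entries with `"ok": false` are the ones worth alerting on, since they mean a stored file was modified or a wrong key was used; the log itself should be append-only and outside the reach of the web application user.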
Stooney Posted April 28, 2009 Author Thank you for that, xylex, that's much better documentation than I've found so far. As for your suggestion to not take on the project alone with my current experience, I completely agree. I will be sure either my work is reviewed by a professional or the project is just given to a professional. There's no rush, so we'll figure that out.
ober Posted April 29, 2009 I couldn't agree more with xylex on this. I work for a company that manages patient data and we have an entire department that ensures that we stay compliant and another department that does all the testing on our core functionality. This is not something to mess around with. You can get into some deep shit if you mess that stuff up.