Cindy!
I guess "Mother, may I?" is out of the question
Steve!
Probably. But that *would* make a great name for a security software, or for a net nanny kind of thing!
Bluzeman
Steve, although they are not cheap, you should consider a Sonicwall. It is a firewall appliance, and provides for multiple VPN tunnels. The client has to load the software on their computer to get access to your site. It's one of the most secure options available, and they are even HIPAA compliant. I have set up a few for my clients and they aren't hard to get up and running, although to truly secure your network you should plan on reading a lot of documentation before installing it.
***Edit...that should have read HIPAA Certified, not compliant.***
For more info, click HERE
Rick
Steve!
Hmmm, that could be interesting.
50,000+ vpn tunnels, though?
And I wouldn't be responsible for installing it - we are an $8 Billion company, we've got a department for that kind of thing.
The HIPAA part is a very good thing. After all, it is medical/prescription data that the pharmacists will be looking at.
For those of you that don't know: HIPAA stands for Health Information Portability Accountability Act. It's a set of regulations dealing with medical information. If, for example, I were to view personal data in the course of my job, and print it out, I would have to shred that document when I was done with it.
Bluzeman, I figured you would be one of the responders to this thread.
I'll have to look that up, and see if it would be cost effective enough, and feasible in other ways. That sounds really good.
Bluzeman
There are many levels of Sonicwall devices that you can purchase. They range from about 600 dollars up to 3,000. I believe with the higher-end ones you can even have unlimited VPN's but keep in mind that these are concurrent connections. First step would be to evaluate how many connections would be active at any given time.
One thing that you should have on ANY server is strong passwords. I'm amazed at how many times I will get a new client and find out that people use passwords like the name of their husband/wife/dog/cat, whatever. Password ageing should also be enforced...for example, forcing a password change every 30 days. If your organization is running a Win 2k3 server, with Directory Services, there is a lot you can do for security with the tools you already have. First and foremost though, is disable anonymous access on your web server. Make every connection require a login.
OK, enough rambling. :) Here is a site that has a password generator that will give you some really strong passwords. http://www.winguides.com/security/password.php
Rick
Steve!
Yeah, I saw on that site that they have a machine that would handle up to 750K concurrent connections, sweet.
We already enforce medium strength passwords, and ageing - but our ageing is set at 60 days.
And no question, there's absolutely no anonymous login to anything secure. We *do* have some nonsecure web pages that need to stay that way, but this new website will have nothing unsecure.
markomalley
I agree with the VPN solution that bluzeman proposed. Not particularly familiar with Sonicwall, but one thing to remember is that two-factor security is needed on the client side. A solution that provides that is the familiar RSA Keyfob. Another is an iKey (http://www.safenet-inc.com/products/tokens/ikey1000.asp). Now, if you use role-based security on your database, you can control access through the user table on the database...you can kill access with a single keystroke (more on that below).
Also, one thing that some vendors will try is saying they are "HIPAA Certified." This is what HHS says about "HIPAA Certified" hardware and software:
Question
Is HHS going to create and publish a list of Federally “certified” security software and off-the-shelf products?
Answer
While HHS will not produce such a list of security software and off-the-shelf products, it should be pointed out that other Government agencies such as the National Institute of Standards and Technology (NIST) are working towards that end. The health care industry is encouraged to monitor the activity of NIST and provide comments and suggestions when requested (see http://www.niap.nist.gov.).
HHS HIPAA FAQ Web Site
There are specific requirements in the HIPAA Security Rule and the Privacy Rule that must be considered...certain vendors have set their solutions up to be compliant with those requirements, if installed and used per vendor instructions, but there is NO SUCH THING as HIPAA-certified software or hardware!
Anyway, the other thing I would concern myself with is the configuration of your application, the topography it will ride upon. I would suggest that you use a n-tier configuration, with the web server running in the DMZ (no duh, of course) and the database itself behind another firewall. Have the servlet be the only entity that has access to the database directly. Configure the database to use a role-based access and grant NO ONE access to the tables directly...only through views. Therefore the users establish a VPN connection to the web server (accessible only through the VPN tunnel, not just simply establishing a SSL connection) and the web server accesses the database. The users are not allowed direct access to the database, itself. The use of role-based security on your database can ensure that only authorized users are granted access...and then only to the entities and attributes they need to see (defined by the various and sundry views you create when designing the database). You grant them privileges on a least-privilege basis (they must be GRANTed access to any view, rather than REVOKEing access to those views they don't need). Also, if you are informed that an employee is terminated, it is a simple matter to take them out of the user file and they lose everything...even if they take their keyfob, iKey, or whatever with them.
That's the kind of stuff you're looking for?
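The database side of markomalley's design above (views only, GRANT on a least-privilege basis rather than REVOKEing what is not needed, and pulling a terminated user so they lose everything regardless of the token they still hold), written out as a PostgreSQL script. This is an added example and not code from the thread or from any product mentioned in it; the table, column and role names (patient, prescription, pharmacist, pharmacist_rx, jdoe) and the placeholder password are assumptions for illustration.

```sql
-- Added example, not code from the thread. PostgreSQL syntax; every table,
-- column and role name below is assumed for illustration.

-- 1. Base tables. No pharmacist role is ever granted anything on these.
CREATE TABLE patient (
    patient_id    integer PRIMARY KEY,
    full_name     text    NOT NULL,
    date_of_birth date    NOT NULL,
    ssn           text    NOT NULL   -- present in the table, absent from every view
);

CREATE TABLE prescription (
    rx_id       integer PRIMARY KEY,
    patient_id  integer NOT NULL REFERENCES patient (patient_id),
    drug_name   text    NOT NULL,
    dosage      text    NOT NULL,
    filled_on   date
);

-- 2. Deny by default: strip the implicit PUBLIC grants so nothing is
--    reachable unless explicitly GRANTed below.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON patient, prescription FROM PUBLIC;

-- 3. A group role carries the privileges. Individual logins are members of
--    it and inherit exactly what it has, nothing more.
CREATE ROLE pharmacist NOLOGIN;
GRANT USAGE ON SCHEMA public TO pharmacist;

-- 4. The one object pharmacists may read: a view exposing only the
--    attributes the job needs. In PostgreSQL a view runs with the privileges
--    of its owner (the administrator running this script), so the reader
--    needs no rights on the underlying tables at all.
CREATE VIEW pharmacist_rx AS
    SELECT p.rx_id,
           pt.full_name,
           pt.date_of_birth,
           p.drug_name,
           p.dosage,
           p.filled_on
      FROM prescription p
      JOIN patient      pt ON pt.patient_id = p.patient_id;

-- 5. GRANT on the view only. There is deliberately no GRANT on the tables,
--    so there is nothing to REVOKE later.
GRANT SELECT ON pharmacist_rx TO pharmacist;

-- 6. One login per person, created as a member of the group. The password
--    is a placeholder; the token/2FA layer sits in front of this login.
CREATE ROLE jdoe LOGIN PASSWORD 'replace-me' IN ROLE pharmacist;

-- 7. Check before going live: the view must be readable, the tables must not.
SELECT has_table_privilege('jdoe', 'pharmacist_rx', 'SELECT') AS can_read_view,
       has_table_privilege('jdoe', 'patient',       'SELECT') AS can_read_patient,
       has_table_privilege('jdoe', 'prescription',  'SELECT') AS can_read_rx;

-- 8. Termination. Disabling the login is one statement and refuses every
--    new connection immediately, whatever keyfob the person walked out with.
ALTER ROLE jdoe NOLOGIN;

-- Then kill any session the account still has open, and remove the role.
SELECT pg_terminate_backend(pid)
  FROM pg_stat_activity
 WHERE usename = 'jdoe';

DROP ROLE jdoe;
```

Run as a database superuser or the schema owner. The check in step 7 should return true for the view and false for both tables; if either table column comes back true, a grant has leaked in somewhere (a default privilege or an earlier GRANT on the table) and the script has not achieved least privilege. The ALTER ROLE ... NOLOGIN in step 8 is the "single keystroke" from the post; DROP ROLE works here only because jdoe holds no direct grants and owns nothing, which is exactly what routing all access through the group role buys you.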
Steve!
Yes! That's exactly the kind of stuff we need.
And I even had to use an RSA keyfob at my last job, I forgot all about those!
As for topography, user database, etc - those are already established, and in the fashion you describe.
And secure pages are already restricted in terms of database access - we do use views, and the data access occurs not in the servlet but on the server. The servlets merely format the display of the data.
Great, thanks guys!
See, I *knew* I'd get good answers here!
Bluzeman
I agree about the tiered approach. I assume they already have the database on a separate machine from the web server. That's just good practice.
As far as the HIPAA Certified, I went and looked and sure enough, they've taken that image off of their website.
Rick
markomalley
Next week, I'll try to extract some database, web, and EDI questions from a HIPAA security assessment dataset we have for doing assessments. Send me a PM with your e-mail and I'll shoot it over to you.