GreaseSpot Cafe

Website Security question


Steve!

Yeah, I know this is the Open forum. But I wanted more exposure for this thread because there is such diverse knowledge and experience here at the G-Spot, and I didn't want this thread to only be seen by technogeeks.

At my company, we deal with pharmacies - 55,000 of them across the US. My company owns about 5000 of them.

Pharmacies have pharmacists - 3 or 4 each, generally.

So we're talking in the range of 200,000 users for a new website that is being developed.

The website will make available to these pharmacists a gihujic amount of prescription records and medical records - all of the recorded data regarding their own customers.

The problem is - we need to figure out some sort of authentication for all of these users. First we have to figure out a way to verify that each person is who he says he is, and that he has the right to log into the website.

Let me backtrack a bit and mention that we contract with pharmacIES, not pharmacISTS.

Second, we need a way to make sure that these pharmacists are blocked from logging in if they should leave employment of their pharmacy.

There are other minor issues as well, but if we deal with the 2 big ones, the other ones will be a piece of cake.

So has anyone dealt with internet security before? Any ideas on what we could do?


Steve, although they are not cheap, you should consider a Sonicwall. It is a firewall appliance, and provides for multiple VPN tunnels. The client has to load the software on their computer to get access to your site. It's one of the most secure options available, and they are even HIPAA compliant. I have set up a few for my clients and they aren't hard to get up and running, although to truly secure your network you should plan on reading a lot of documentation before installing it.

***Edit...that should have read HIPAA Certified, not compliant.***

For more info, click HERE

Rick


Hmmm, that could be interesting.

50,000+ vpn tunnels, though?

And I wouldn't be responsible for installing it - we are an $8 Billion company, we've got a department for that kind of thing.

The HIPAA part is a very good thing. After all, it is medical/prescription data that the pharmacists will be looking at.

For those of you that don't know: HIPAA stands for Health Information Portability Accountability Act. It's a set of regulations dealing with medical information. If, for example, I were to view personal data in the course of my job, and print it out, I would have to shred that document when I was done with it.

Bluzeman, I figured you would be one of the responders to this thread.

I'll have to look that up, and see if it would be cost effective enough, and feasible in other ways. That sounds really good.


There are many levels of Sonicwall devices that you can purchase. They range from about 600 dollars up to 3,000. I believe with the higher-end ones you can even have unlimited VPNs, but keep in mind that these are concurrent connections. The first step would be to evaluate how many connections would be active at any given time.

One thing that you should have on ANY server is strong passwords. I'm amazed at how many times I will get a new client and find out that people use passwords like the name of their husband/wife/dog/cat, whatever. Password ageing should also be enforced...for example, forcing a password change every 30 days. If your organization is running a Win 2k3 server with Directory Services, there is a lot you can do for security with the tools you already have. First and foremost, though, is to disable anonymous access on your web server. Make every connection require a login.

OK, enough rambling. :) Here is a site that has a password generator that will give you some really strong passwords. http://www.winguides.com/security/password.php

Rick


Yeah, I saw on that site that they have a machine that would handle up to 750K concurrent connections, sweet.

We already enforce medium strength passwords, and ageing - but our ageing is set at 60 days.

And no question, there's absolutely no anonymous login to anything secure. We *do* have some nonsecure web pages that need to stay that way, but this new website will have nothing insecure.


I agree with the VPN solution that bluzeman proposed. I'm not particularly familiar with Sonicwall, but one thing to remember is that two-factor security is needed on the client side. A solution that provides that is the familiar RSA keyfob. Another is an iKey (http://www.safenet-inc.com/products/tokens/ikey1000.asp). Now, if you use role-based security on your database, you can control access through the user table on the database...you can kill access with a single keystroke (more on that below).

Also, one thing that some vendors will try is saying they are "HIPAA Certified." This is what HHS says about "HIPAA Certified" hardware and software:

Question

Is HHS going to create and publish a list of Federally “certified” security software and off-the-shelf products?

Answer

While HHS will not produce such a list of security software and off-the-shelf products, it should be pointed out that other Government agencies such as the National Institute of Standards and Technology (NIST) are working towards that end. The health care industry is encouraged to monitor the activity of NIST and provide comments and suggestions when requested (see http://www.niap.nist.gov.).

HHS HIPAA FAQ Web Site

There are specific requirements in the HIPAA Security Rule and the Privacy Rule that must be considered...certain vendors have set their solutions up to be compliant with those requirements, if installed and used per vendor instructions, but there is NO SUCH THING as HIPAA-certified software or hardware!

Anyway, the other thing I would concern myself with is the configuration of your application, the topography it will ride upon. I would suggest that you use an n-tier configuration, with the web server running in the DMZ (no duh, of course) and the database itself behind another firewall. Have the servlet be the only entity that has access to the database directly. Configure the database to use role-based access and grant NO ONE access to the tables directly...only through views. Therefore the users establish a VPN connection to the web server (accessible only through the VPN tunnel, not just by simply establishing an SSL connection) and the web server accesses the database. The users are not allowed direct access to the database itself. The use of role-based security on your database can ensure that only authorized users are granted access...and then only to the entities and attributes they need to see (defined by the various and sundry views you create when designing the database). You grant them privileges on a least-privilege basis (they must be GRANTed access to any view, rather than REVOKEing access to those views they don't need). Also, if you are informed that an employee is terminated, it is a simple matter to take them out of the user file and they lose everything...even if they take their keyfob, iKey, or whatever with them.

Is that the kind of stuff you're looking for?

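The pattern described in the reply above (users tied to the contracting pharmacy, reads only through a column-restricted view, and revocation by flipping the user record) as an added, self-contained example; this is illustrative code written for this thread, not anything from the poster or the company, and the schema, the SQLite in-memory database and the sample rows are all constructed assumptions:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample schema: the pharmacy holds the contract, each pharmacist
# belongs to exactly one pharmacy, and records are only read through a view.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE pharmacy (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE pharmacist (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
    pharmacy_id INTEGER REFERENCES pharmacy(id),
    salt BLOB, pw_hash BLOB, active INTEGER DEFAULT 1);
CREATE TABLE prescription (id INTEGER PRIMARY KEY, pharmacy_id INTEGER,
    patient TEXT, ssn TEXT, drug TEXT);
-- The application never selects from prescription; the view omits the SSN.
CREATE VIEW rx_view AS SELECT id, pharmacy_id, patient, drug FROM prescription;
INSERT INTO pharmacy VALUES (1, 'Main St Rx'), (2, 'Elm Ave Rx');
INSERT INTO prescription (pharmacy_id, patient, ssn, drug) VALUES
    (1, 'A. Patient', '000-00-0000', 'drug-x'),
    (2, 'B. Patient', '000-00-0001', 'drug-y');
""")

def _hash(password, salt):
    # Salted, iterated hash so stored credentials are not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_pharmacist(login, password, pharmacy_id):
    salt = os.urandom(16)
    db.execute("INSERT INTO pharmacist (login, pharmacy_id, salt, pw_hash) "
               "VALUES (?, ?, ?, ?)", (login, pharmacy_id, salt, _hash(password, salt)))

def authenticate(login, password):
    """Return the user's pharmacy id, or None if unknown, deactivated or wrong password."""
    row = db.execute("SELECT pharmacy_id, salt, pw_hash, active FROM pharmacist "
                     "WHERE login = ?", (login,)).fetchone()
    if row is None or not row[3]:
        return None  # inactive users fail exactly like unknown users
    if not hmac.compare_digest(_hash(password, row[1]), row[2]):
        return None
    return row[0]

def list_prescriptions(pharmacy_id):
    """Read through the view only, filtered to the caller's own pharmacy."""
    return db.execute("SELECT patient, drug FROM rx_view WHERE pharmacy_id = ?",
                      (pharmacy_id,)).fetchall()

def deactivate(login):
    """Termination: one update locks the user out, whatever token they still hold."""
    db.execute("UPDATE pharmacist SET active = 0 WHERE login = ?", (login,))
```

A real deployment would put the GRANTs on the database roles themselves (the web tier's account gets SELECT on the view only, nothing on the base table); SQLite has no roles, so the view here is enforced by the application code.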

Yes! That's exactly the kind of stuff we need.

And I even had to use an RSA keyfob at my last job, I forgot all about those!

As for topography, user database, etc - those are already established, and in the fashion you describe.

And secure pages are already restricted in terms of database access - we do use views, and the data access occurs not in the servlet but on the server. The servlets merely format the display of the data.

Great, thanks guys!

See, I *knew* I'd get good answers here!
