TalkPHP


Jmz 03-04-2008 09:47 AM

Securing sensitive data in a database
 
We might be starting a new project at work for a doctor's surgery. But because the database will contain information such as patient notes etc., I'm worried about security.

Is it sufficiently secure to store sensitive information like this as plain text in a MySQL database? Or should we look at encrypting it in some way, bearing in mind some of the notes may be quite long?
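One way to keep the notes out of the database in plain text is to encrypt them in the PHP application before they are written, with the key held outside MySQL. The code below is an added example, not code from this thread; it assumes PHP 7.2+ with libsodium, a hypothetical NOTE_KEY_HEX setting for the key, and stands in for the database row with an array so it runs on its own.

```php
<?php
// Added example: authenticated encryption of a patient note before it is
// stored. The key never lives in the database, so a copied DB dump alone
// does not reveal the notes. Notes can be any length; the result goes into
// a BLOB/LONGBLOB column via a prepared statement.
declare(strict_types=1);

// Load the 32-byte key from outside the database (env var assumed here).
// For this stand-alone demo a fresh key is generated when it is not set.
function loadNoteKey(): string {
    $hex = getenv('NOTE_KEY_HEX');
    if ($hex === false) {
        return sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
    }
    $key = sodium_hex2bin($hex);
    if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException('NOTE_KEY_HEX must be 32 bytes in hex');
    }
    return $key;
}

// The patient id is bound in as associated data: a ciphertext moved from one
// patient's row to another will not decrypt. Output is nonce || ciphertext.
function encryptNote(string $key, int $patientId, string $note): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $note, (string) $patientId, $nonce, $key);
    return $nonce . $ct;
}

function decryptNote(string $key, int $patientId, string $blob): string {
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($blob) < $nlen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        throw new RuntimeException('stored note is truncated');
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($blob, $nlen), (string) $patientId, substr($blob, 0, $nlen), $key);
    if ($pt === false) {
        // Wrong key, modified ciphertext, or note attached to the wrong patient.
        throw new RuntimeException('note failed authentication');
    }
    return $pt;
}

// Demo round trip with a constructed long note; $row stands in for the DB row.
$key  = loadNoteKey();
$note = str_repeat('Long consultation note. ', 200);
$row  = ['patient_id' => 42, 'note' => encryptNote($key, 42, $note)];
assert(decryptNote($key, 42, $row['note']) === $note);
try { decryptNote($key, 43, $row['note']); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Decrypting with the wrong patient id raises the authentication error, which is the check that stops a record being silently re-attached to another patient.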

Alan @ CIT 03-04-2008 10:27 AM

I would imagine that the partners at the surgery will demand encryption. It's worth bearing in mind though that both Emis on the GP side and ISoft PAS on the hospital side all store their patient data unencrypted, just with multiple levels of security in front of it.

Most of the Emis practices in this region for example use a username/password combo, then the Choose & Book smartcards and PIN numbers as an additional protection level.

It would also be worth checking if the government has guidelines about storing patient data. It sounds like something they would have published a paper on :-)

Alan

flyingbuddha 03-04-2008 10:30 AM

As long as the database is password protected you're fine.

Alan @ CIT 03-04-2008 10:40 AM

A few more resources for you Jmz :-)

Information Security Management: NHS Code of Practice : Department of Health - Publications
Cryptographic services for the NHS : Department of Health - Managing your organisation
http://nww.connectingforhealth.nhs.uk/igsecurity/gpg/ (need to be on an N3 link to view)

And one last piece of advice, have a chat with your Trust's IT Security chaps as well.

At the end of the day, this is patient data and you can't be too careful. If it did get stolen, you'd be screwed :-)

Alan

Jmz 03-04-2008 02:01 PM

Thanks for the replies, I'll check out those links Alan :)

The weird thing is, we've been asked to have a look at their current system so that we can add some more functionality to it and it seems seriously insecure, passwords aren't encrypted, the db is stored on a cheap host and the app seems to include half the files from osCommerce :-/.

It really is a disgrace, we're going to advise them that the whole thing is unusable and should be scrapped so I want to make sure we can tell them exactly why they shouldn't use it.

Alan @ CIT 03-04-2008 05:13 PM

Glad I'm not a patient at that practice by the sounds of it :-D

Any application that is like the one you've described is just a nightmare waiting to happen. One that also holds patient data is a lawsuit waiting to happen :-)

Good luck with the project! :-D

Alan
