TotalChoice Hosting Family Forums > Shared Server/simple Reseller Security

Full Version: Shared Server/simple Reseller Security

TotalChoice Hosting Family Forums > TotalChoice Hosting General Support > Security Discussions

chip

Mar 18 2008, 08:52 PM

I have a Simple Reseller's account which I assume is on a shared machine. One of my customers, who is in the medical QA/QI business, is using a MySQL database with some PHP generated data entry pages I created to store generic data on procedures and things. Now my customer wants to include scanned images and/or generated PDF files which may contain personal information such as name, address, phone numbers, etc. I want to put them in a folder not the database and link them to their appropriate record.

HIPAA, Health Insurance Portability and Accountability Act, is the governing law that I am trying to comply with.

My questions are numerous but for now just a sampling: I would like to figure out what kind of security I have, if I need any additional security ie. do I need to encrypt, what type of folder security do I have, is the server itself secure, who and what has access to my files, do I need a dedicated server, etc.

Ultimately I am trying to make sure that I can cover my butt and lock this stuff down so only the appropriate people have access to it. I am still very new with Linux and this reseller stuff. Any insite, suggestions, help (on or off forum) would be greatly appreciated.

Chip Patterson

TCH-MikeJ

Mar 18 2008, 09:01 PM

QUOTE

Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.

QUOTE

Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

Among other things documented at Wikipedia.

Generally speaking, but I'm not experience with HIPAA specifically, but a shared server environment generally would not fit within the HIPAA rules as I read them. TCH keeps their servers pretty secure, but there are always limitations when dealing with shared environments.

A dedicated server coupled with encryption (at least as far as the data leaving the server, such as using SSL on the website) *might* qualify.

If in doubt, though, consulting a lawyer experienced with HIPAA is a wise idea, rather than jeopardizing personal information and/or incurring a lawsuit.

chip

Mar 19 2008, 01:17 AM

QUOTE (TCH-MikeJ @ Mar 18 2008, 09:01 PM)

Thanks Mike for getting back to me.

I basically got the same reading you did right from the HIPAA website. My thoughts were also the same about a shared server but wanted to double check with someone from TCH to see if I was missing anything. Seems I may be missing a lot. Will speak to the people that really know about laws governing this.

As usual you guys are great!

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.