Posted by webviper on November 13, 2012 at 12:11am
Say somebody was working on a Drupal site that contained highly personal medical data and thus required a very high level of security. What issues should that person be concerned with and what Drupal modules would be useful in delivering this higher level of security?
Comments
=-=
Drupal offers no security in this area. There are all kinds of HIPPA laws that would need to considered and utilizing open source software isn't likely going to pass that scrutiny.
how so?
There are absolutely organizations using Drupal that have gone through various compliance processes and received certification (Acquia being one), so I'm curious if you have specific examples of organizations or things in Drupal to support your claim that OSS isn't likely to pass such scrutiny?
=-=
Is the above stated in reference to compliance processes and certification with a focus on HIPAA?
My "isn't likely" isn't based on examples or organizations. It's based on the lack of specific examples, or data whether marketing, white papers or otherwise to support an "is likely" to pass such scrutiny claim with specific reference to HIPAA.
By all means if you personally, or as a representative of Acquia have data to support an "is likely" claim with specific reference to HIPAA and the methods of compliance with HIPAA standards where it concerns patient medical information, I'd surely like to read through it both as a Drupal community member and a more importantly a consumer of healthcare.
Drupal has passed some
Drupal has passed some government certifications, but this area can get hairy very quickly. I'm not aware of anything in Drupal land that meets HIPAA standards though. If you're really serious, try getting in touch with Acquia - they have many more conversations with govts and may have more up to date information.
issues and links
You should be concerned with the most popular risks and you should utilize some security-related contributed modules and build in certain actions into your processes to ensure a high level of security. There's no easy button or silver bullet here, a secure site (Drupal or not) requires a strong and consistent approach to various risks, internal and external.
There's not a beginning-to-end process document for securing your Drupal site that I'm aware of, but here are some links to get you started:
* Is Drupal secure: http://drupal.org/documentation/is-drupal-secure
* What are the risks? OWASP publishes a generalized top ten list: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
* Top Drupal-specific risks are Cross-Site Scripting, Access Bypass and Cross-Site Request Forgery (source http://drupalsecurityreport.org/)
* What is the "state" of Drupal and security: http://drupalsecurityreport.org/
There are more articles on Drupal security at http://drupalscout.com/knowledge-base. For security-related contributed modules you can see an organized list at http://drupal.org/node/382752 and a proof-of-concept "Hardened Drupal" is at http://drupal.org/project/hardened_drupal.
Sensitive Data, but not HIPAA
I'm working on a similar project--but luckily not medically-related.
It took a while, but luckily the client even approved of moving to a third-party payment processor (who is PCI compliant) for taking bank card transactions!
Aside from that, this client handles rental property, and needs to take personally identifiable information (such as driver's licenses, other IDs and addresses) to establish credit worthiness and payment history for prospective clients.
Beyond any doubt, the sites will need to be on SSL, and have tiered access, and have NO sensitive data passed through via unsecured (non-PGP) e-mail.
What safeguards are required, though, to make a good-faith effort to stay on the right side of privacy laws and keep the sensitive data limited to authorized users?