I am looking to develop a site that would have a user profile that contains personal health information. Is Drupal secure enough for this? Would it be possible to control that specific information in another way where it would be protected? Anyone with experience developing HIPAA-compliant sites...

Thanks.
Dave

Comments

wickedbadawesome’s picture

Well, it is all dependent on your database as far as I know. A good book to look at is Pro Drupal Development, as it has an excellent section on security and issues to look at. Nothing is 100 percent secure, as anyone with a MySpace or Hotmail email can attest to. Drupal out of the box is pretty tight as far as security goes, but check out the book to see for yourself... I'm interested in the replies you'll get as well.

keith.smith’s picture

I'm not sure that I can give you any advice without a great deal more information. When you say "personal health information", are we talking about PHI in the HIPAA sense of the acronym? Are you a covered entity under HIPAA? What types of EPHI would pass through your Drupal system? Do you envision it being stored in the Drupal database?

Obviously, Drupal has extensive user account controls, a fine-grained permissions system, etc. Without knowing more about what you are wanting to do, it is hard to say, but storing data in a Drupal system per se is not so much the problem. You will likely have to do a good bit of customization on any system you use, however. Depending on your application and how you interpret the HIPAA guidelines, you're probably talking about adding two-factor authentication, a white-list of allowed IP addresses, strong encryption for data transmittal, and possibly other things, as a start.

All this is very do-able, but I think it is fair to say that Drupal's target market is not HIPAA compliance "out of the box." But, I'm not aware of a CMS that does target this need "out of the box", and you could certainly build much of this into Drupal easier than some other CMS packages I have worked with.

Again, though, it all depends on what you want or need to do.

--keith

sander-martijn’s picture

I have worked with healthcare before and HIPAA has very complicated requirements. A site could certainly be built in Drupal that would satisfy the regulations and I would be available to do this if you are interested. However, the frequency of high-level security warnings with Drupal would be worrying to me. What would happen if the site is technically HIPAA compliant but a hacker exploits one of the security flaws to access the user information?

keith.smith’s picture

No system, including ones that are "technically HIPAA compliant", is immune to potential security problems.

The vast majority of security advisories issued relative to Drupal are in contributed modules; obviously in a site containing sensitive data, one must be very very careful to do security reviews on modules before they are installed.

Actually, the presence of a very active security team at Drupal.org is a plus IMO, not a minus.

--keith

deighve’s picture

I would actually need many plugin modules to do what I want, so maybe this isn't the best option. It is too bad, because the community here seems great.

geste’s picture

I would actually need many plugin modules to do what I want, so maybe this isn't the best option. It is too bad, because the community here seems great.

Not to say that Drupal is the answer, but I have to wonder: What are your alternatives? A canned commercial system that will warrant HIPAA compliance and post a bond to cover you in case of data compromise? Write a system from scratch yourself and pay somebody to audit it? There are more possible scenarios, but I wonder what options you think are viable.

lopolencastredealmeida’s picture

Drupal allows you to have independent database access and even independent database hosting access. So you can have the "common" Drupal stuff in one DB, users in another, patient in another, etc.
One can be MySQL, another can be PostgreSQL and you can even make your own DB module.

You can even have your authentication completely independent from Drupal using OpenID, LDAP or another even more powerful auth system.

This is all controlled by how you develop your own modules and what modules you install.

What else can you benefit from with Drupal just from scratch? CCK, Views, Panels, Web Services, Form, etc, etc... -- all those are CORE modules that are checked -- which will allow you to be much more productive in your efforts.

Check Neospire. They have both HIPAA and Drupal hosting.

Check also this presentation here (PDF) on Drupal and Security ;)

Humaneasy Consulting
iPublicis!COM
www.humaneasy.com
www.ipublicis.com

CSM & CSPO
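The split described in the post above (ordinary site data in one database, patient data in another on a different engine), as an added example that is not part of the original thread. It assumes Drupal 7 `settings.php` syntax; the module name `phi_demo`, the table `patient_record`, the host name, account names and environment variable names are all constructed for illustration.

```php
<?php
// --- sites/default/settings.php (Drupal 7 syntax, constructed values) ---
// Ordinary site content: nodes, sessions, cache.
$databases['default']['default'] = array(
  'driver'   => 'mysql',
  'database' => 'drupal_site',
  'username' => 'drupal_app',
  'password' => getenv('DRUPAL_DB_PASS'),  // keep secrets out of the file
  'host'     => 'localhost',
  'prefix'   => '',
);
// Patient data: separate server, different engine, its own account.
// Grant phi_reader only what the module needs on the patient tables,
// and give drupal_app no grants on this database at all.
$databases['phi']['default'] = array(
  'driver'   => 'pgsql',
  'database' => 'patient_records',
  'username' => 'phi_reader',
  'password' => getenv('PHI_DB_PASS'),
  'host'     => 'phi-db.internal.example',
  'prefix'   => '',
);

// --- phi_demo.module (hypothetical custom module) ---
/**
 * Implements hook_permission().
 */
function phi_demo_permission() {
  return array(
    'view patient records' => array(
      'title' => t('View patient records'),
      'restrict access' => TRUE,  // shows a warning on the permissions page
    ),
  );
}

/**
 * Loads one patient record over the 'phi' connection only.
 */
function phi_demo_load_record($uid) {
  if (!user_access('view patient records')) {
    return FALSE;
  }
  // Name the connection explicitly instead of switching the global active
  // database, so no other query can run against patient data by accident.
  return Database::getConnection('default', 'phi')
    ->query('SELECT uid, record_body FROM {patient_record} WHERE uid = :uid',
      array(':uid' => (int) $uid))
    ->fetchAssoc();
}
```

Both sets of credentials are readable by the same PHP process, so this split limits what SQL injection through the default connection or a leaked dump of the site database exposes, not what code execution on the web server exposes.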

nsk’s picture

The frequency of security-fixing Drupal releases is a good thing. No computer system is immune to security flaws, so the best you can do is to assume that *all* software everywhere is full of security problems, and that the more that get fixed by dedicated security teams, the fewer security flaws it has.

Thanks, NSK Nikolaos S. Karastathis

nsk’s picture

You need to hire a security consultant to audit the source code of Drupal according to your security requirements.

You also need to have available staff to ensure that when/if your site is compromised you can respond quickly within hours to solve any problems.

Thanks, NSK Nikolaos S. Karastathis

mafeldman’s picture

The regulations that cover HIPAA are called the HIPAA security rules, and most of these are best-practice types of things you should be doing anyway, such as having a security officer, password policies, risk analysis, etc.

With one exception --encryption-- there are few mandates and in general the amount of effort you need to put into system security is commensurate with the size of your organization. (For example, a large insurance company is held to a higher standard than your local drug store.)

Encryption is required so your site must be run with SSL. A good password policy would also seem to be indicated as a reasonable best practice and here is where I find Drupal weak.

We use Drupal for PHI but we do our own authentication and most of the compliance effort is dealing with non-Drupal issues such as server access, firewalls etc. I find that Drupal's security is better than anything we could build ourselves.