Fred is a busy small business CEO. He hired a cheap developer online to set up his secure medical web site for him. The developer got an SSL certificate and set up pages where patients can make appointments and the doctor can receive patient requests and notices, “securely”. However, the developer didn’t have any real training in security and none in HIPAA, and as a result PHI was being sent in the clear, there were no audit trails or logs, SSL security was not enforced, and many other serious issues plagued the site. No one knew.
Luckily, Fred was made aware of the situation before a serious security breach happened (that he knew of); however, he had to re-do the site from scratch, more than doubling his time and money costs.
Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate. All a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place. In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.
So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them. At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire.