[thelist] Security - Shared Hosting & Medical Records

fstorr fffrancis at fstorr.demon.co.uk
Sat Aug 9 12:53:30 CDT 2003

> 1. What unique security concerns should be considered when 
> hosting in a shared hosting environment?
> 2. Is it safe to store sensitive medical and/or financial 
> data in a site on a shared server?
> 3. Should I be considering a dedicated server for sensitive 
> data, or is shared space just fine if it is treated properly?


Hi Bill

I don't know where you're based (UK, USA etc), but medical records, in
the UK at least, are one of the most highly regulated and controlled areas
that there is.  I work for a large international company that offers
private medical insurance, and the security we have is immense.  We also
have regular staff training that is required by bodies such as the
Financial Services Authority (FSA) and the General Insurance Standards
Council (GISC).

I would *strongly* suggest that you do not use a shared environment.
I'd even say don't use a co-located server.  People's medical records
are so sensitive, that it is just not worth the risk.  Bear in mind not
only the loss of reputation of your company/client but also that people
will be in various states of distress when ill.  The last thing you want
to have to do is inform people who are very ill that there's been a
problem with their personal data.

In the UK we have to deal with the Office of the Information
Commissioner (http://www.dataprotection.gov.uk/) - he has the power to
close down companies if they are found to be in breach of data
protection law.  A brief google on "office of the information
commissioner" brings back results for UK, Ireland, Canada, Australia and

I would recommend you search out the relevant government department for
your country that deals with data protection and the like before you
start doing much more work.  It is a legislative minefield, but in this
case, it really does need to be.

If you are in the UK, I might be able to help some more - contact me



