addressalign-toparrow-leftarrow-rightbackbellblockcalendarcameraccwcheckchevron-downchevron-leftchevron-rightchevron-small-downchevron-small-leftchevron-small-rightchevron-small-upchevron-upcircle-with-checkcircle-with-crosscircle-with-pluscontroller-playcredit-cardcrossdots-three-verticaleditemptyheartexporteye-with-lineeyefacebookfolderfullheartglobe--smallglobegmailgooglegroupshelp-with-circleimageimagesinstagramFill 1launch-new-window--smalllight-bulblinklocation-pinm-swarmSearchmailmessagesminusmoremuplabelShape 3 + Rectangle 1ShapeoutlookpersonJoin Group on CardStartprice-ribbonprintShapeShapeShapeShapeImported LayersImported LayersImported Layersshieldstartickettrashtriangle-downtriangle-uptwitteruserwarningyahoo

Dallas Open Source Saturday Message Board Dallas Open Source Saturday Discussion Forum › Last meeting, two open topics..

Last meeting, two open topics..

This message board is read-only.

John F.
user 2887386
Group Organizer
McKinney, TX
First, I want to thank everyone that came and I hope you got something from meeting each other. I know I did. Also, we normally have lunch after the meetup and that is when we really get to hash about specific problems. My family was in town and I could not stay for lunch last time.

But I remember two open topics from Andy and Ryan:

Andy's Question was the easiest way to assure HIPAA (http://en.wikipedia.o...­) compliance on a uploaded+downloadable file. The gist of which is privacy protection by keeping the data safe at every step in the chain of custody.

He had already made a service with secureFTP using openSSL server on windows, but that has certain administrative scalability issues. The usual gotcha of HIPAA is that you have to assure the file is unchanged while it was sitting on the disk waiting to be downloaded. The common method to address this is to basically exempt the server from the chain of custody by encrypting the file before it is saved to the server disk. I have been thinking on this and mulled it down to:

1) Week link in chain of custody
I assume the transmission is encrypted due to either SFTP or HTTPS. But it is most likely hosted on a shared server which according to HIPAA is suspect.
A) User side encryption
- zips the file with a password before uploading (using 7zip perhaps?)
B) Server side encryption
- HTTP: uploaded stream gets zip'd before it hits the disk
- or stores on an encrypted volume (server is in custody chain this way)

2) Meta data and workflow
These are forms, with data relevant to routing. The server should not be able to read the data in the form (HIPAA: that would be a questionable open link in the chain). With SFTP the user places the file in a directory on the server, thereby routing the file. With an HTTPS upload form the user can provide multiple pieces of recipient routing data plus sender contact info, all out-of-band so to speak.

This all becomes critical if you are going to offload administration to the users or provide any workflow features.

3) Programs needed
For SFTP Andy could distribute portableFileZilla on a thumbdrive with a connection already configured, or provide a list of known good clients and config info to the users.
For HTTPS it would only require an URL and a web browser.

4) User Management/reporting
SFTP: Whatever interface the SFTP server has, and whatever logfiles it can produce.
HTTPS: Anything you can write or include in a library via PHP, ASP, etc.

So my recco is still a web app, where the server never stores or has the user encryption key. But that is more work compared to just documenting/training how to login and change the SFTP server settings and add users.

Andy: is that an accurate rendering of the problem/issues?

Ryan was needing to take a larger role in managing her LAMP server, currently hosted at the Planet.

Ryan: Can you give us a summary of what you have now and what you want to be doing so we can have a place to start from.

Everyone: Send feedback if you got it to the message board: http://opensource.mee...­

See you next month,
John Fields
Powered by mvnForum

People in this
Meetup are also in:

Sign up

Meetup members, Log in

By clicking "Sign up" or "Sign up using Facebook", you confirm that you accept our Terms of Service & Privacy Policy