Help Needed on Development of Doctors Website

ascr689
Forum Members
Posts: 13
Joined: Thu Apr 29, 2010 11:31 pm

Help Needed on Development of Doctors Website

Post by ascr689 »

Hello,

We have a small Web design company and use CMS made simple software. We are great at the design stuff, CSS, and HTML. However, our knowledge of JavaScript and PHP coding is limited. We designed a website for a doctor that collects medical history using the form builder module. The form submits to the database and then a script sends out an email to the doctor with patient information. We also used a free PDF generation script to go from PHP to PDF and send to the doctor in the PDF format. The form is about 5 pages long and takes a while to complete by end user. This has been working about 85 percent of the time as we have had some users who get timeout errors and others we can discuss. I need to hire someone who really understands this form builder and can help me diagnose the problem (whether it be server or code), as this is a real problem to have a patient fill out a form that takes 45 min and all of a sudden lose all their work halfway in.

Secondly, I need help with a simple SSL redirect and global tags. Certain areas of the site like these history forms I have made HTTPS. However, when navigating away from these pages the system stays in HTTPS instead of going back to HTTP. This is causing a problem with load times… especially on pages with pictures and so forth. I remember creating a global tag and editing the config.php with some help document, but need help figuring the rest of this out.

I am in need of someone that could be available for future jobs and development work in CMS made simple as well. Please don't apply if you cannot communicate through Skype or phone. Can guarantee payment through oDesk or Freelancer if preferred.

Thanks
kermit
Power Poster
Posts: 693
Joined: Thu Jan 26, 2006 11:46 am

Re: Help Needed on Development of Doctors Website

Post by kermit »

if you're having problems with timeouts on form posting or slow page loading due to serving pages via ssl you need to take a look at the hosting environment.. a decent server or host won't have those issues...

you really ought to be running the site on its own server in a secure data center (also hipaa compliant and sas-70 audited in the usa) or locked-up in a cabinet at the doctor's offices. an ordinary shared host does not have the security the site requires.


note: the dev team is working on http/https issues for version 1.8.
Last edited by kermit on Wed Jun 16, 2010 10:01 pm, edited 1 time in total.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
ascr689
Forum Members
Posts: 13
Joined: Thu Apr 29, 2010 11:31 pm

Re: Help Needed on Development of Doctors Website

Post by ascr689 »

Thanks for the reply.

The hosting is from godaddy. It's not the cheapest shared hosting, it's on virtual shared i believe and should be hipaa compliant? I was thinking that no information is stored on server from database as scripts simply generate pdf from formbuilder and then discard. could TTL or ini memory need to be increased? any other ideas? I am willing to pay someone to work with me on this and figure it out.

As far as the security i am hoping someone can help me now with a work around or something. From reading it seems possible that this can be done but it's over my head. (have specified pages HTTPS)
Last edited by ascr689 on Wed Jun 16, 2010 11:15 pm, edited 1 time in total.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Help Needed on Development of Doctors Website

Post by calguy1000 »

so you're telling me that you're storing personal medical information for customers in an UNSECURED WAY, ON AN UNSECURED server, and then sending it VIA EMAIL to the physician.

PLEASE have the doctor IMMEDIATELY SHUT DOWN THIS WEBSITE or at least the forms, UNINSTALL the formbuilder module, then send notifications to ALL CUSTOMERS that their personal information may have been compromised.

Next, contact a good lawyer, and hope for the best.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
tyman00
Power Poster
Posts: 906
Joined: Tue Oct 24, 2006 5:59 pm

Re: Help Needed on Development of Doctors Website

Post by tyman00 »

Edit: I guess I am piling on since calguy posted while I was typing my reply. Still valid info though.

#1 - "I believe" and "should" are definitely not going to make you and your client compliant.

#2 - It takes more than just SSL to make a server secure and to protect the visitors' information. The SSL/HTTPS is only encrypting the information between the browser and the server. That's it, nothing else. Once it's on the server it's back to plain text.

#3 - If the server is not secure someone can still hijack the information before the PDF is generated

#4 - Emailing a PDF is not (repeat: NOT) secure unless you are encrypting the email and/or PDF attachment. It wouldn't be all that difficult for someone to intercept one of those emails and have access to 5 pages of VERY PERSONAL information.

There is a reason for these regulations. If it were my doctor I would leave him in a heartbeat because he doesn't care about my privacy and the security of my identity. I would then start implementing various alerts when it comes to my credit because I would be afraid someone got ahold of my information without my permission.
If all else fails, use a bigger hammer.
M@rtijn wrote: This is a community. This means that we work together and have the same goal (a beautiful CMS), not that we try to put people down and make their (voluntary) job as difficult as can be.
ascr689
Forum Members
Posts: 13
Joined: Thu Apr 29, 2010 11:31 pm

Re: Help Needed on Development of Doctors Website

Post by ascr689 »

thanks guys.  lol..

This is why I ask the experts about these things. :) I do not pretend to know all hipaa law and doctor is aware that... I am learning as i go along here. We have cleared everything with lawyers. This form submission is not considered medical record. These are not patients of doctor and are just submitting info as to why they want treatment. It might as well be a blog entry. The doctor has no idea what he is going to get in the submission until it gets to him.

As far as the original issues... I will pay anyone who can help me resolve problems. Thanks
Last edited by ascr689 on Thu Jun 17, 2010 1:50 am, edited 1 time in total.
tyman00
Power Poster
Posts: 906
Joined: Tue Oct 24, 2006 5:59 pm

Re: Help Needed on Development of Doctors Website

Post by tyman00 »

Going off of your previous posts it would be hard not to think they are sensitive and likely regulated medical records.

On that note we can give you suggestions and you can do what you, the doctor and his lawyer feel comfortable with. However keep in mind if you collect any form of sensitive information you would be doing a terrible disservice to those submitting information regardless of regulation. Now I have to wonder why you would even bother with HTTPS/SSL if it's not really that big of a deal. Again SSL only ensures the data between the browser and the server is encrypted. Anything after that is unencrypted information and you can't guarantee a chain of custody so it all makes the HTTPS an extra effort for nothing.

While some may not care, I personally would choose not to submit any medical information (including history) and have my name tied to it.

Back to your original post... I would definitely check with GoDaddy about the timeouts and see what they say. I tested a Form Builder / Form Browser setup that had 300+ fields and took more than 30 minutes to complete and never had timeout issues. You can also try breaking the form up into multiple pages instead of all on one page.

As far as the HTTPS goes, the SSL stuff in the latest release didn't work out like expected. There are some changes you can make to get it to work (I had to) but I would have to go back and look at what I all changed. If you can hold out for 1.8 this will fix the problem (hopefully once and for all).
If all else fails, use a bigger hammer.
M@rtijn wrote: This is a community. This means that we work together and have the same goal (a beautiful CMS), not that we try to put people down and make their (voluntary) job as difficult as can be.
kermit
Power Poster
Posts: 693
Joined: Thu Jan 26, 2006 11:46 am

Re: Help Needed on Development of Doctors Website

Post by kermit »

ascr689 wrote: Thanks for the reply.

The hosting is from godaddy. It's not the cheapest shared hosting, it's on virtual shared i believe and should be hipaa compliant? I was thinking that no information is stored on server from database as scripts simply generate pdf from formbuilder and then discard. could TTL or ini memory need to be increased? any other ideas? I am willing to pay someone to work with me on this and figure it out.

As far as the security i am hoping someone can help me now with a work around or something. From reading it seems possible that this can be done but it's over my head. (have specified pages HTTPS)

well, i think the chances are high that godaddy is your only problem (for site performance and security).

their shared servers suck for php-driven applications such as a cms. in addition, a usa doctor using godaddy for hosting a site that collects medical records is criminal.

"insurance information" along with "medical, family and social history" are protected records. IANAL, but our company does deal with medical records on a daily basis, as well as the transmission of said records over the internet in a secure manner (e.g. https or vpn directly to the hospitals). we also use good ol' fashioned 'sneakernet'

the only way that the data could stay encrypted while in transit both ways and while it resides on the server, either in memory or on disk, is to collect and encrypt it at the client end. while it is technically possible to do just that (e.g. using gpg implemented in javascript), i do not recommend that workaround as a way to avoid using a proper, secure hosting environment.

good doctors make a ton of money. tell 'em to pony up a reasonable amount to do the job right. going cheap ala godaddy may just get him in legal troubles that will only cost a whole lot more. if he doesn't offer up a budget with the word "thousand" in it somewhere, fire him. if the doctor's lawyers did sign-off on the current web site and its procedures, they should be fired too.
Last edited by kermit on Thu Jun 17, 2010 4:36 am, edited 1 time in total.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
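
Added example (not part of the thread and not any poster's code): tyman00's points #2 to #4 and kermit's remark about encrypting at the client end both come down to sealing the submission to a key that only the recipient holds, so that the host, the database and the mail path see ciphertext only. The sketch below uses Node.js's built-in crypto with RSA-OAEP wrapping an AES-256-GCM key rather than the gpg kermit mentions; the function names, the inline key pair and the sample submission are all constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the recipient's key pair (assumption: RSA-2048).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Seal one submission: a fresh AES-256-GCM key encrypts the fields and is
// itself wrapped with the recipient's public key. Only ciphertext leaves here.
function sealSubmission(fields, recipientPublicKey) {
  const key = nodeCrypto.randomBytes(32); // one-time content key
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(fields), 'utf8'),
    cipher.final(),
  ]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: body.toString('base64'),
  };
}

// Open an envelope with the private key; throws if the envelope was modified
// in storage or in the mail path, or if the wrong key is used.
function openSubmission(envelope, recipientPrivateKey) {
  const key = nodeCrypto.privateDecrypt(
    { key: recipientPrivateKey, ...OAEP },
    Buffer.from(envelope.wrappedKey, 'base64')
  );
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(envelope.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(envelope.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample submission, not real data.
const sample = { name: 'Test Patient', reason: 'constructed sample text' };
const envelope = sealSubmission(sample, publicKey);
console.log(Object.keys(envelope).join(','));
console.log(openSubmission(envelope, privateKey).name);
```

Only the public key would sit on the web host; the envelope is what gets stored or mailed, and opening it happens wherever the private key is kept.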
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Help Needed on Development of Doctors Website

Post by calguy1000 »

The user explicitly mentioned that:
a) they had limited knowledge of javascript and php.  I'm going to make a (cough) small leap and say that extends to things like security, encryption, and *nix server security and administration.
b) they are storing medical history information in a database
c) they are sending medical history information via email
d) they are using a notoriously bad host (you get what you pay for).

I then:
a) I visited what I think to be the website, and it is asking for name, and address and other personal identifying information such as DOB and SSN.
b) verified that the website is running CMSMS and Formbuilder as described.

Therefore,  I consider this to be a 'breach' of personal information. Though it may not be a breach of the HIPAA law (I am not a lawyer, and I'm a canuck it doesn't apply to me), or any other state or federal law it is certainly just WRONG (storing private data on insecure servers, and transmitting it via insecure means).

However, in the interest of professionalism I feel that this issue needs to be dealt with in MINUTES,  not hours and days.  I have therefore sent an email to the user, and also telephoned the company and left a voicemail about a 'potential' leak of private information.  I hope they call me back tomorrow.

Begin rant of opinionated jerk: This is yet another example of why we say that CMSMS is for the 'professional'.  CSS and HTML are just the beginning of what you NEED TO KNOW when developing and maintaining websites for others.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
replytomk3

Re: Help Needed on Development of Doctors Website

Post by replytomk3 »

calguy1000 wrote: The user explicitly mentioned that:
a) they had limited knowledge of javascript and php.  I'm going to make a (cough) small leap and say that extends to things like security, encryption, and *nix server security and administration.
b) they are storing medical history information in a database
c) they are sending medical history information via email
d) they are using a notoriously bad host (you get what you pay for).

I then:
a) I visited what I think to be the website, and it is asking for name, and address and other personal identifying information such as DOB and SSN.
b) verified that the website is running CMSMS and Formbuilder as described.

Therefore,  I consider this to be a 'breach' of personal information. Though it may not be a breach of the HIPAA law (I am not a lawyer, and I'm a canuck it doesn't apply to me), or any other state or federal law it is certainly just WRONG (storing private data on insecure servers, and transmitting it via insecure means).

However, in the interest of professionalism I feel that this issue needs to be dealt with in MINUTES,  not hours and days.   I have therefore sent an email to the user, and also telephoned the company and left a voicemail about a 'potential' leak of private information.  I hope they call me back tomorrow.

Begin rant of opinionated jerk: This is yet another example of why we say that CMSMS is for the 'professional'.  CSS and HTML are just the beginning of what you NEED TO KNOW when developing and maintaining websites for others.

calguy1000, I felt like doing the same thing, but could not locate the website.