Web Hosting Talk

Medical Group Interested In Hosting


axe9
12-29-2005, 09:36 PM
Hello! Been a while since I've posted here.

As some of the older members might remember, I did a restructuring and branding of my company, Axe9 Hosting. It's still in the process, but I've run into a rather interesting business proposal from a friend.

He's a doctor in New York, and is co-head of a medical group / think tank of New England doctors.

He's looking for a way to share information and client experiences, as well as move their think-tank online, but have it secure enough for medical information to be transferred.


So far, I'm looking at having a trusted friend of mine program a custom forum script with tons of security and stuff hard-coded into it. This is probably going to run them around $490, and the monthly for hosting I won't tell.

So, I'm wondering, what kinds of measures should I take in the hardware security of my server?

Another thing I'm worried about is that up until now, I've been working with non-profit orgs, small business, and personal websites. However, this is in a whole new league. It's a high-paying professional client, with high-paid professional lawyers.

Am I getting in over my head as a smalltime web host? :stan:

So, what kind of legal stuff should I get ready? And should I have them sign contracts and service agreements (making them stay with me for a specified term)?

mjfroggy
12-30-2005, 12:03 AM
Well, is patient information going to be stored and shared on this server?
You might want to look over the Hippa laws to understand privacy policies for patients better.

I think keeping information behind a login system where only doctors could gain access and encrypting the information in a dbase is the way to go. Also having a hardware firewall and other standard commercial-grade security for the server in general is good practice.

[removed the self promotion bits]

well cheers

axe9
12-30-2005, 12:23 AM
I haven't technically gotten the client yet, but if/when I do, I'll be sure to look you up.
I have a friend of mine in the UK who's been asked to do it, but depending on what they need, he may need some help. I'll be sure to point him in your direction.

By hippa laws, do you mean the Hippocratic oath?

mjfroggy
12-30-2005, 12:29 AM
Sorry, I was typing fast. I meant the
HIPAA as in "Health Information Privacy Act" and I forget what the last A stands for.

Basically it is a national standard to protect the privacy of a person's health or medical information.

There are strict federal guidelines now for what type of medical information about patients can be stored, especially when the internet is involved, and how and what type of security should be used.

So it will depend on if the doctors will just be logging in and talking in general terms about a diagnosis or if it will be a place for doctors to speak of specific patients. Once you know that, then you can look to see what the federal guidelines are for storing/sharing such information and go from there.

axe9
12-30-2005, 01:14 AM
Wow. Found a TON of resources on this subject. Thanks a ton for pointing me in the right direction Jreis!


this
http://aspe.hhs.gov/admnsimp/pl104191.htm
and this
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-3877.htm


Thanks Again!

mjfroggy
12-30-2005, 01:15 AM
no problem

any other questions feel free to ask

bithost(NET)
12-30-2005, 01:36 AM
Hey Axe9,

Just wanted to say HI! :wavey: Been a long time, was glad to see you on the board again. :)

And yes, HIPAA is king on this -- the guidelines you need to follow are those which come with HIPAA. HIPAA has caused every U.S. doctor's office, hospital, clinic and practitioner mountains of money and time and energy :nuts: ... I know it's there for good reason (I'm a patient in the health care system too) but good heavens...... :rolleyes:

Best of luck, I hope this works out well for you!

:) Bailey

axe9
12-30-2005, 01:49 AM
Indeed it has! I check back once in a while, but this is my first post/topic in a looong time.... kept the business plugging away though :)

How's Wisconsin :D

keliix06
12-30-2005, 03:49 AM
Hey Axe9,

Just wanted to say HI! :wavey: Been a long time, was glad to see you on the board again. :)

And yes, HIPAA is king on this -- the guidelines you need to follow are those which come with HIPAA. HIPAA has caused every U.S. doctor's office, hospital, clinic and practitioner mountains of money and time and energy :nuts: ... I know it's there for good reason (I'm a patient in the health care system too) but good heavens...... :rolleyes:

Best of luck, I hope this works out well for you!

:) Bailey

I just love how they made it so your employer can't even tell your coworkers you are out sick unless you give them express permission.

bithost(NET)
12-30-2005, 04:14 AM
How's Wisconsin :D

Great! We're s'posed to get 4-6 inches of snow tomorrow. I'm psyched!!! :gthumb: It's our first real snow in 2+ weeks.

I just love how they made it so your employer can't even tell your coworkers you are out sick unless you give them express permission.

Ugh... I know, it's ridiculous. We deal with it on every call w/ the ambulance now. Don't get me wrong, I fully understand the reasons behind it and I think the ideology is good, it certainly has its place. But what a PITA! Having to be cryptic in what we do/don't say, who can you talk to and who can't you (because you don't know who it's okay to talk to even within a family!), it's another form for them to sign and another packet for them to carry. :rolleyes:

Then last year my Mom was very sick and couldn't hardly remember her name, and you can well imagine all the nurses and doctors trying to be "careful" in what they could or could not say to me as the only daughter who was overseeing her care! For heavens sake! Thankfully I had healthcare power of attorney for circumstances like that, and fortunately Mom was "with it" enough to assure everyone "It's okay, she's overseeing everything, include her." *sigh* Messy, messy, messy.

I mean, I see and walk both sides, so I understand the intricacies. There's something to be said for old-fashioned respect though too. It's too bad that RESPECT wasn't enough for some people to keep their mouths shut and RESPECT wasn't enough to keep companies from demanding information out of doctors that the companies had no right to. Truly a disappointment that it all had to be regulated by law, y'know?

But by the same token I know of at least one insurance co. that was turned away trying to get my medical records without my approval, so that's pretty cool too. :gthumb:

Heh.

:) Bailey

axe9
12-30-2005, 01:35 PM
It seems I shouldn't have much trouble complying, however, it's the doctors I have to worry about spilling the beans on their patients.

bithost(NET)
12-30-2005, 01:41 PM
Nah, that's their liability, not yours. You just provide the hardware and software. How they use it is up to them. :)

:) Bailey

Randomizer
12-30-2005, 04:46 PM
The company I work for specializes in mission critical data services and is one of the largest developers of Electronic Medical Record (emr) Software. Just remember that if something does go wrong they *will* pass the blame on to you. We control every aspect of our network, from developing hardware to the physical fiber optic link to the hospital we serve. No 3rd party hardware or software touches the network.

Physical security is also extremely important. I assume you have your own datacenter; make sure you have armed security on staff 24/7. We have had 3 attempted break-ins specifically targeting medical information. Why steal medical information? Besides it being a goldmine for ID theft, who knows. But it is important to be open about the security measures you are taking; patients don’t like the idea of EMR, so make sure they know who has their information and the lengths you go to protect it.

I’m surprised that doctor wants to develop his own platform when there are time-tested systems out there that do just what he wants. You would probably be better off hosting a commercial application or reselling critical data services than hosting custom emr software, to take some of the liability off your shoulders.

But the bottom line is:
1. Doctors are not very computer savvy, and very vulnerable to phishing attacks. The chances of a security breach are high, and even if you were not the cause you will still hold the blame.

2. Hosting critical data services can be very profitable but very risky. One incident can destroy your entire reputation.

PM me if you want to know more.


Shout out to Door County, Wisconsin. I need to see more snow outside my window :)

calimedic911
12-30-2005, 07:27 PM
>>>Nah, that's their liability, not yours. You just provide the hardware and software. How they use it is up to them.<<<

This is a little inaccurate. You, being the provider of the data space, are also somewhat responsible if it came down to a lawsuit. The thing with HIPAA (healthcare information portability and accountability act) and the way it is written, a lawsuit could involve EVERYBODY that is involved with the infraction. So if the information were to get out and something were to happen because of that info getting out.. there could be a suit against everyone involved in the storage and transport of that info. If your equipment was used to store that info and you advertised your equipment as being secure to HIPAA specs then you ARE liable. HIPAA involves every part of the transport of info.

Sean

globaloffice
12-30-2005, 07:38 PM
calimedic911 is on the right track....

HIPAA will redefine the way you operate a datacenter from the ground up. From the physical infrastructure, policies and procedures that you MUST have in writing and MUST adhere to, from egress, to security, to log auditing, to encryption, destruction of media, it just doesn't stop. We host an online dental practice, an online cardiology practice and just took on a large emerging player in the healthcare field. To state that it's a PITA is an understatement, and pricing it becomes even more fun.

-Roger

Randomizer
12-30-2005, 09:26 PM
calimedic911 is on the right track....

HIPAA will redefine the way you operate a datacenter from the ground up. From the physical infrastructure, policies and procedures that you MUST have in writing and MUST adhere to, from egress, to security, to log auditing, to encryption, destruction of media, it just doesn't stop. We host an online dental practice, an online cardiology practice and just took on a large emerging player in the healthcare field. To state that it's a PITA is an understatement, and pricing it becomes even more fun.

-Roger

Definitely can't forget your HIPAA policy manual. It will become your new holy book. Medical professionals tend to get ‘personal’, and by personal I mean calling every 20 minutes if some piece of technology is not working, regardless of whether you have anything to do with it.

If this group does not have an IT department, you are now IT :)

[inx]Olly
12-30-2005, 09:57 PM
Which brings on the advice- make sure they are paying VERY well since this is going to cost you a lot of time and effort, not to mention the potential risks.

axe9
12-31-2005, 01:31 AM
My initial quote to them was $60/month but it looks like that's gonna be much higher...

globaloffice
12-31-2005, 03:28 AM
My initial quote to them was $60/month but it looks like that's gonna be much higher...

That might cover the paper bill :-)

Seriously, you really need to find out from them if it has to be HIPAA compliant. That's going to be the driving factor. If so, you're talking a minimum of a dedicated server NATed behind a firewall with full authentication and logging turned on for all functions. That just gets you started.

If it gives you an indication, one environment here: front-end firewall, redundant F5 balancers, two webs, two Active Directory servers, two DBs in an active/passive cluster, and a back-end firewall for VPN. RSA fobs for admins. All HIPAA procedures followed (438-page policy manual!), including destruction of outdated backup media via degauss and destroy. $9300/month. And we were the cheapest of 5 bidders when we bid the job. It's fully managed; we do all but the ASPX code.

-Roger

mjfroggy
12-31-2005, 10:05 AM
Hello,

Well, axe9, $60 is low; I mean most sell a managed dedicated server for more. Depending on what your client's needs are, it appears you will need to set him up with a dedicated server with the specs above. Then you have to factor in the cost of buying pre-made or custom-built software for your client, which could cost in the thousands. So $60 a month would not even cover the cost of the dedicated server (based on the average cost of dedicated servers these days).

You may want to fully outline what your client will be doing on this site and what information will be shared/spoken about and posted on this site. Then from there you will be able to get some better understanding of what the costs for software would be.

cheers

AH-Tina
01-01-2006, 11:33 AM
My initial quote to them was $60/month but it looks like that's gonna be much higher...


You weren't even planning on putting them on a dedicated server? EEK!

I think you may be over your head on this one. For a project like this, think about the kind of security an eCommerce site needs...and then increase it by at least 10 fold. This is the kind of project that you charge BIG money for and make sure you have every aspect of security and privacy covered. I can't imagine quoting less than $5000 a month for this - considering everything that's going to need to be done, and if custom software is being written...there should be a hefty setup fee as well, not less than $5000 as well.

--Tina

axe9
01-01-2006, 12:17 PM
Yes, they have the money, but I'm not getting where the $5000/month is coming from, nor $5000 for the software.

This isn't going to be storing medical documents or anything. It's just a place for doctors to collaborate on diagnosis, ask advice, etc. It's not like the medical charts and whatnot will be on my server.

For the software, I've been quoted as needing around $600-$800 depending on exact needs. This isn't going to be some complicated CMS or anything, just a simple message board, with a lot of not-so-simple encryption. Including SSL certs and stuff like that I'm thinking about issuing a $1000 setup fee. I'm still not sure of the server requirements I'll need, so I can't give them a quote just yet on what a monthly cost would be.

Right now, most of the medical group is on vacation (Sadly, wish I got a 4 week vacation...) so I can't get the specifics.

However, I understand that security is paramount, but where is $5000 a month coming from? A $300/mo dedicated and $140/mo management should be more than sufficient.

$5000/month is hardly economical for a think-tank type website, wouldn’t you agree?

-Benjamin

AH-Tina
01-01-2006, 12:54 PM
I misunderstood. My apologies. I understood that it *would* contain patient information - if not records, then at least case histories with some identifiable information. Your budget actually sounds about right, except that custom software is always expensive and if you have a guy that's doing it for around $500...you've found quite the bargain. :)

--Tina

axe9
01-01-2006, 02:37 PM
Indeed I have. He's got awesome prices, and knows his stuff. Been working with him for a few years, so I think he may give me a little discount :)

One thing that I'm going to stress to the doctors, that they should already know and practice, is that I will NOT allow them to share personally identifiable information about their patients.
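The "no personally identifiable information" rule above is a policy, and policies fail when a busy clinician pastes a chart note into a post. The following is an added example (not code from this thread or from Axe9 Hosting, and written in Python rather than whatever the custom forum script used) of a pre-submission screen a forum could run before storing a post: it flags the obvious direct-identifier formats back to the author instead of saving them. The patterns, the sample posts and the function names are all constructed for illustration and deliberately cover only the obvious formats; they do not replace reviewer judgment or a real compliance review.

```python
"""
Pre-submission screening for likely patient identifiers in forum posts.

Added example (not from the thread or any poster): a defensive check a forum
script could run before storing a post, so that direct identifiers the group
has agreed not to share are flagged back to the author instead of being saved.
The patterns and sample posts are constructed and intentionally minimal.
"""
import re

# Each entry is (label, compiled regex). Hypothetical, minimal pattern set:
# SSN, US phone, e-mail, slash-dates (DOB/visit dates), record numbers, "DOB".
IDENTIFIER_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("mrn", re.compile(r"\b(?:MRN|chart|patient)\s*#?\s*:?\s*\d{5,}\b", re.IGNORECASE)),
    ("dob", re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE)),
]


def screen_post(text):
    """Return a list of (label, matched_text) for every suspected identifier."""
    findings = []
    for label, pattern in IDENTIFIER_PATTERNS:
        for match in pattern.finditer(text):
            findings.append((label, match.group(0)))
    return findings


def redact_post(text):
    """Replace each suspected identifier with a bracketed placeholder,
    so the author can see what would have to go before resubmitting."""
    redacted = text
    for label, pattern in IDENTIFIER_PATTERNS:
        redacted = pattern.sub(f"[{label.upper()} REMOVED]", redacted)
    return redacted


def accept_post(text):
    """Gate for the posting code path: store only when nothing is flagged.
    Returns (accepted, findings)."""
    findings = screen_post(text)
    return (len(findings) == 0, findings)


# Constructed sample posts: a de-identified case question and one that leaks.
CLEAN_POST = ("62-year-old male, three weeks of exertional chest pain, "
              "normal resting ECG. Would you go straight to stress echo?")
FLAGGED_POST = ("Patient John Q, DOB 03/14/1943, MRN 0048213, SSN 123-45-6789, "
                "reachable at 212-555-0199. Thoughts on his echo?")

if __name__ == "__main__":
    for post in (CLEAN_POST, FLAGGED_POST):
        ok, findings = accept_post(post)
        print("ACCEPTED" if ok else "REJECTED", findings)
        if not ok:
            print("  suggested:", redact_post(post))
```

The screen is intentionally a reject-and-explain gate rather than a silent redactor: silently stripping identifiers would let a post go out with the clinical context still pointing at one person, while bouncing it makes the author rewrite in de-identified terms.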

mjfroggy
01-01-2006, 03:04 PM
You may want to set up the system where only the doctors can approve membership access, so that they can also be assured that only their fellow practitioners are in their posting, etc.

cheers
jreis
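The membership model suggested in the reply above (only existing doctors admit new members), combined with the earlier points about a login-only system and full authentication logging, fits in a few dozen lines. This is an added example, not code from the thread, from Axe9 Hosting or from any poster's product: an in-memory account store where an applicant cannot log in until an approved doctor vouches for them, self-approval is refused, passwords are kept only as salted PBKDF2 hashes, and every approval and login outcome is appended to an audit log. The class, user names and round count are assumptions made for illustration.

```python
"""
Approval-gated membership for a private practitioner forum.

Added example (not code from the thread or from any poster): a minimal account
model in which a new applicant cannot log in until an existing, approved doctor
member admits them, every approval and login attempt is written to an audit
log, and passwords are stored only as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable cost today; tune to hardware


class Forum:
    def __init__(self):
        self.users = {}      # username -> record dict (constructed in-memory store)
        self.audit_log = []  # list of (timestamp, event, detail)

    def _log(self, event, detail):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), event, detail))

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _new_record(self, password, approved, approved_by, role):
        salt = secrets.token_bytes(16)
        return {"salt": salt, "pw_hash": self._hash_password(password, salt),
                "approved": approved, "approved_by": approved_by, "role": role}

    def bootstrap_founder(self, username, password):
        """Create the first approved member (the group's organiser)."""
        self.users[username] = self._new_record(password, True, "bootstrap", "doctor")
        self._log("bootstrap", username)

    def apply(self, username, password):
        """Register an applicant; the account stays locked until approved."""
        if username in self.users:
            raise ValueError("username taken")
        self.users[username] = self._new_record(password, False, None, "applicant")
        self._log("apply", username)

    def approve(self, approver, applicant):
        """Only an approved doctor may admit an applicant; self-approval is refused."""
        rec = self.users.get(approver)
        if (rec is None or not rec["approved"] or rec["role"] != "doctor"
                or approver == applicant or applicant not in self.users):
            self._log("approve_denied", f"{approver} -> {applicant}")
            return False
        target = self.users[applicant]
        target.update(approved=True, approved_by=approver, role="doctor")
        self._log("approve", f"{approver} -> {applicant}")
        return True

    def login(self, username, password):
        """Return True only for an approved member presenting the right password."""
        rec = self.users.get(username)
        if rec is None:
            # Hash anyway so an unknown name costs the same time as a wrong password.
            self._hash_password(password, b"\x00" * 16)
            self._log("login_failed", username)
            return False
        candidate = self._hash_password(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            self._log("login_failed", username)
            return False
        if not rec["approved"]:
            self._log("login_unapproved", username)
            return False
        self._log("login_ok", username)
        return True


def demo():
    """Walk through the workflow; returns the step results and the audit events."""
    forum = Forum()
    forum.bootstrap_founder("dr_organiser", "correct horse battery staple")
    forum.apply("dr_newcomer", "another long passphrase")
    step1 = forum.login("dr_newcomer", "another long passphrase")  # False: not yet approved
    step2 = forum.approve("dr_newcomer", "dr_newcomer")             # False: cannot self-approve
    step3 = forum.approve("dr_organiser", "dr_newcomer")            # True: admitted by a doctor
    step4 = forum.login("dr_newcomer", "another long passphrase")  # True
    step5 = forum.login("dr_newcomer", "wrong")                     # False: logged as failure
    return (step1, step2, step3, step4, step5), [event for _, event, _ in forum.audit_log]


if __name__ == "__main__":
    results, events = demo()
    print(results)
    print(events)
```

Two details matter for the "full authentication and logging" requirement raised later in the thread: the password check runs before the approval check, so an unapproved account is logged distinctly from a wrong password, and the audit log records denied approvals as well as granted ones, which is what an auditor asks for first.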

globaloffice
01-01-2006, 06:39 PM
$5000/month is hardly economical for a think-tank type website, wouldn’t you agree?


Economical is in the eye of the beholder, just like beauty. :-)

Sounds like you really need to get a firm hold on what their usage of the site is. If there is any identifiable patient information whatsoever then you're wading into HIPAA, and $5k is a drop in the bucket when you start down that path. At the minimum as a "just in case" I'd be factoring in a good liability insurance policy. I know that we carry a $2mil bond as a safety net.. and SSL isn't your only line of defense, you need firewalls also.

I'm not trying to spook you off of this, but from someone that's there in the midst of this also, when you trifle with HIPAA you're subject to regulatory oversight and your solution should be reviewed and certified so that it doesn't become a liability to your company.

Because if you get caught with your pants down, and there's always someone better than you or I out there that can do it, you are not just liable to the regulatory agencies involved, but every patient and their bottom feeding attorney that if nothing else sees a quick buck. Doctors are a prime target, and your company would be nothing more than an extension to that.

-Roger

axe9
01-02-2006, 02:04 PM
Just in case, I'm looking into a dedicated solution using 128-bit encryption.

Man, I hate that all the people I need to talk to are all on vacation!

Definitely can't forget your HIPAA policy manual. It will become your new holy book

I was looking into that, and YIKES! $300 for a BOOK!?!?!