remote access to file store


brian
I have a client who is working with clinical data, and it will be my job to provide statistical analysis of that data as it is generated. We are talking potentially 300GB of data to be analyzed. The issue is that the institution's legal department prefers the data never leave the premises. Obviously that makes things difficult, and I propose to put local storage in place at their site with secure remote access. I would need to be able to NFS or similar mount this to my server. Ideally data is transmitted encrypted. Any idea how to solve this problem at a REASONABLE cost?
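The question asks for an NFS (or similar) mount whose traffic is encrypted. Plain NFS is not: the kernel default security flavour is sec=sys (AUTH_SYS), which sends file data in the clear and trusts whatever UID/GID the client asserts; sec=krb5i adds Kerberos authentication and integrity but still no confidentiality; only sec=krb5p (RPCSEC_GSS privacy) encrypts the RPC payloads, and otherwise the mount has to ride inside an encrypted tunnel such as an IPsec VPN. The following script is an added example, not code from anyone in the thread. It parses /proc/mounts-style lines and classifies each NFS mount accordingly. The sample mount lines, the host names and addresses, and the assumption that 10.8.0.0/16 is only reachable through the VPN tunnel are all constructed for the example.

```python
"""Audit NFS mounts for on-the-wire protection.

Added example for this thread, not code from any of the posters. An NFS
mount gets confidentiality from exactly one of two places: Kerberos privacy
on the mount itself (sec=krb5p, available with NFSv4 or NFSv3 via
RPCSEC_GSS) or an encrypted tunnel under it. sec=krb5i authenticates and
integrity-protects RPCs but does not encrypt them; sec=sys (AUTH_SYS) sends
everything in the clear and trusts the UID/GID the client asserts.
"""
from dataclasses import dataclass, field

# Constructed sample of /proc/mounts; hosts, paths and addresses are made up.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
labnas.example.org:/export/clinical /mnt/clinical nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.0.2.50,addr=192.0.2.10 0 0
labnas.example.org:/export/genomic /mnt/genomic nfs rw,relatime,vers=3,rsize=65536,wsize=65536,hard,proto=tcp,sec=sys,mountaddr=192.0.2.10,addr=192.0.2.10 0 0
labnas.example.org:/export/scratch /mnt/scratch nfs4 ro,relatime,vers=4.0,sec=krb5i,addr=192.0.2.10 0 0
vpn-nas.example.org:/export/qc /mnt/qc nfs4 rw,relatime,vers=4.1,sec=sys,addr=10.8.0.1 0 0
"""

# Assumption for the example: servers under this prefix are reachable only
# through the IPsec tunnel, so traffic to them is encrypted by the tunnel.
TUNNEL_PREFIXES = ("10.8.",)


@dataclass
class NfsMount:
    source: str
    target: str
    fstype: str
    options: dict = field(default_factory=dict)


def parse_mounts(text):
    """Parse /proc/mounts lines, keeping only nfs and nfs4 entries."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, optstr = fields[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        options = {}
        for opt in optstr.split(","):
            key, _, value = opt.partition("=")   # flags without '=' get ''
            options[key] = value
        mounts.append(NfsMount(source, target, fstype, options))
    return mounts


def classify(mount, tunnel_prefixes=TUNNEL_PREFIXES):
    """Return (verdict, reason) for one NFS mount.

    verdict is 'encrypted', 'integrity-only' or 'cleartext'.
    """
    sec = mount.options.get("sec", "sys")       # kernel default is AUTH_SYS
    addr = mount.options.get("addr", "")
    vers = mount.options.get("vers", "?")
    if sec == "krb5p":
        return "encrypted", "sec=krb5p encrypts RPC payloads end to end"
    if addr.startswith(tunnel_prefixes):
        if sec == "sys":
            return "encrypted", "tunnel encrypts the wire; sec=sys still trusts client-asserted UIDs"
        return "encrypted", "tunnel encrypts the wire"
    if sec == "krb5i":
        return "integrity-only", "sec=krb5i signs RPCs but sends data in the clear"
    return "cleartext", "sec=%s NFSv%s to %s outside any tunnel" % (sec, vers, addr)


def audit(text, tunnel_prefixes=TUNNEL_PREFIXES):
    """Map mount target -> verdict for every NFS mount in text."""
    return {m.target: classify(m, tunnel_prefixes)[0] for m in parse_mounts(text)}


if __name__ == "__main__":
    for m in parse_mounts(SAMPLE_MOUNTS):
        verdict, reason = classify(m)
        print("%-14s %-15s %s" % (m.target, verdict, reason))
```

Run against the real system with `python3 audit_nfs.py < /proc/mounts` after replacing SAMPLE_MOUNTS with `sys.stdin.read()`. The tunnel prefix is the one piece of local knowledge the script cannot learn from the mount table; set it to the address range the VPN actually routes, or leave it empty to treat every sec=sys mount as cleartext.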
    ---TK---

    Something like this: http://www.newegg.com/Product/Product.aspx?Item=N82E16822122010
    This specific model is diskless, so you will need to throw some drives in... it supports HTTP/S and FTP/S...

    Or search around on Newegg.com keyword NAS and look at the selection... HP and Dell also have NAS devices, but I have not looked at their options.

    OH Smeg

    This depends on any compliance issues involved here. When it comes to patient records, most government rules forbid the removal of confidential data from the premises for others to access and do whatever with.

    The only people who have authority to view patient records are the doctors and medical professionals who are involved in patient treatment and the required government agencies and health insurance organizations who require this information. Even then, with all of those who can access this data, there are very strict controls in place to prevent them misusing it.

    You may be required to work in that office when it comes to accessing the actual data regarding patients.

    If you transfer it off site onto one of your systems and there is a security breach, you will be responsible for that breach and be the one sued for allowing it to happen. Even if the breach doesn't happen at your end, the legal department will argue, most likely successfully, to transfer the blame onto you for any security breach at their end and leave you legally responsible for it. Here that means both jail time and the ability of affected patients to sue you personally as well as your company.

    Personally, I would look into the legal implications and then refuse the job. You need to speak to your legal people, not theirs, as they will only tell you what they want done but not what they will do to you if you do not comply with their requirements.

    Col

    brian

    Prior to access, the data are deidentified. So I do not have access to actual patient records (no names), only their clinical information and the genetic data we are generating. So each patient is a number that I cannot trace back to a name. The lab in theory can, but they do not, as per their institutionally approved protocol. I was approved to be on the protocol, so that's not the issue. It's someone in legal/compliance who has no clue and inserted themselves into the process. It's standard practice to deidentify patient records for use in research.

    robo_dev

    For starters, implement an industry-standard IPsec VPN solution, like a Cisco ASA box. A simple ASA 5-series Cisco box will run around $1,000. Not cheap, but it is rock-solid reliable, and very secure.

    You could save a few $$$ by going non-Cisco like a Nortel ($700-ish) or even a Netgear ($300-ish).

    Nobody ever got fired for buying Cisco....

    http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home.html

    With the Cisco VPN you can use RSA SecurID for two-factor authentication (more security costs more money).

    Once you have an IPsec VPN in place, some would argue that you don't need additional security, and any data access method would do: Terminal Services, VNC, etc.

    A lower cost solution would be GoToMyPC. From a security perspective, this is very good. It uses AES256 encryption, very good hashing algorithms, and you can use RSA SecurID for authentication if you like. GTMPC is a hosted solution, such that the nuts-and-bolts of the security configuration cannot be messed up or mis-configured.
