[closeparen]

Healthcare is a dangerous sector for a security novice. Please make sure you are familiar with HIPAA [0], including your obligations when handling health information and the nature of possible sanctions. Handling health data at all is risky. Sharing it with partners is something you probably shouldn't even consider before you can afford a serious legal team.

OpenID is a mechanism for one website to assert a user's identity to another website. OAuth is a way to let a user delegate access to some of their data on one site to another site. Neither have any particular affinity with the healthcare space, and they are not things you sprinkle on for extra security.

[0] https://www.hhs.gov/hipaa/for-professionals/security/index.h...

[noir_lord]

I've had an idea for a product I've put on hold for two years because it involves medical data and I just don't know if I can secure it to a level I'd be happy with from a moral point of view.

That's before the law gets involved as well.

[FabioFleitas]

Yeah... HIPAA is definitely tough. I'd check out https://www.aptible.com if you haven't already. It will at least help out with the infrastructure side of things. Although it does seem like Heroku is offering some services that help too (https://blog.heroku.com/announcing-heroku-shield).

It's definitely not enough alone, but at least gets you going on the security & compliance aspects.

[noir_lord]

I'm in the UK and our rules are different, we don't have anything directly equivalent to HIPAA (I suspect because we don't currently have the huge number of private hospitals/doctors the US has) in fact even finding out the exact standards you'd have to comply with for the UK is a challenge.

GDPR is good in that regard as the standards are high and apply to more than just electronic storage/interchange.

[DanBC]

People have to follow the Data Protection Act.

Are these useful?

Here's the Code of Practice for NHS organisations and staff: https://www.gov.uk/government/publications/confidentiality-n...

Here's the other code of practice for everyone working with NHS data: https://digital.nhs.uk/data-and-information/looking-after-in...

And here's the guidance about when to share if it's needed: https://digital.nhs.uk/data-and-information/looking-after-in...

[nates]

Makes sense. I am sure I misworded, and got turned around a bit. Much of the documentation with fhir talks about oidc. Which seems to be in place if you are doing much more sharing of your data. These things as you mention are probably beyond what is necessary initially and could be added at a further date. However using a service or an open source project that can allow to scale to that size is an interesting proposition.

[extrapickles]

HIPAA applies to all health data regardless of what you do with it. It’s one of the few things similar to ITAR that you cannot put off for later. The fines for not complying can be staggering ($50k-$1.5m).

I highly recommend talking to someone who knows HIPAA well.

[aeleos]

If you are handling any kind of medical data about people, then you cannot think about security at a future date and your life will be difficult from the start.

[nates]

Did I say security? I said sharing at a future date.