by Deestan 2736 days ago
Professionals.

Hire an expert.

If you can't answer these questions yourself (which is fine - it's specialized knowledge separate from the skillset needed for building a useful application), you are lacking critical competence for coding anything handling health information.

The security minefield is much much bigger than the login page.


I wanted to disagree; how did those professionals become pros? Learning by doing, most of them, after all.

Then I read the last paragraph of the question.

Please follow this guy’s advice. As someone whose medical data you might one day be handling: please get someone who does this well.

Imagine you (or a family member) ever end up sick; your medical data ends up on Pastebin, and the arstechnica article about it surfaces a forum post from the engineer responsible: “hey guys howto auth?”. Honestly: how would you feel?

> how did those professionals become pros? Learning by doing, most of them, after all.

I agree with your conclusion (especially in a comment down the thread about nurses), and just wanted to add to something you said, because I often come across this sentiment that learning by doing is how professionals become what they are, and wanted to play with that idea. In tech, this sentiment is often reinforced by stories like Elon Musk learning how to build cars and rockets by reading books (which he did, but the truth is more that he surrounded himself with trained professionals who could design and execute). In my mind, to be a trained professional requires:

* conscious practice over a long period of time (in order to see all the variations)

* correct feedback from work, peers or masters (community)

* access to the right tooling and body of knowledge (guilds, journals, trade secrets).

In many areas of programming, these are achievable by a competent individual working alone, but sometimes these factors aren't there but appear to be, which can lead to false and misleading knowledge. In my own area of numerical mathematics, sometimes newbies try to roll their own linear solver (a seemingly easy exercise), not realizing the full body of research and knowledge there is behind handling corner cases. Also, there are myriad tricks-of-the-trade (guild secrets) that are really hard to learn from just reading code -- but that one can learn from osmosis/word of mouth if one works in a lab or research group. This is why it takes years of doctoral and postdoctoral studies to churn out a good numerical analyst.

The CS analogy would be someone rolling their own database from scratch. In these endeavors, the baseline of knowledge to get started is very low, but the real-world knowledge required to make the product robust needs to be built-up over time and by many competent people (through collaborations/teams/community).

I just wonder if security/auth/crypto products fall into these complexity categories, and perhaps it might not be easy--or indeed possible--to become a professional as an individual (without the right conditions in place), and that it might make sense to "stand on the shoulders of giants" as it were, which was your original point.

Classic hacker news. Ask for technical advice, get called incompetent.

If they asked a bunch of doctors how anesthesia worked, and they were just about to go perform surgery at home, you'd expect the doctors to warn that it was a bad idea, no?

I suppose there may be a distinction between asking "how does anaesthesia work?" and "should I perform surgery at home?".
"A is to B as X is to Y", compares A and X, not A and B. It puts A in the context of B, as X is in the context of Y.

The comparison is between "how does anaesthesia work?" (A) and "how does auth work?" (X), relative to "about to perform surgery at home" (B) and "about to implement a service containing medical information" (Y).

The point is: he's about to do something big, and is asking a basic question. The real problem is not the basic question (auth) but the context he's doing it in.

If a nurse in training, in a classroom setting, asked about anaesthesia, it'd be fine. If they're a doctor, about to operate on a live patient, it's different.

I like the analogy in your final paragraph. I see hacker news as the nurse in the classroom setting.

Very few people in the field are competent to design security for health systems. No shame in being like most professional software developers. Immense shame in causing a life-altering breach because you couldn’t recognize the limits of your expertise.

I would say you are assuming a bit too much (but just a bit).

There isn't enough information in the question to tell whether the OP is a complete novice with no idea of the minefield he is getting into, or if he is somebody competent who wants a list of current practices to start further research.

<3 thank you. I have done a lot of research, and yes, my healthcare knowledge is somewhat lacking. However, my goal was to ask an open-ended question to see what others are doing. Research is always key. I also do plan on hiring those with experience in the space as well.

How do you know what expert is worth hiring?

Come on now, security isn't easy but it's not rocket science. If someone is competent enough to be developing applications, they're certainly competent enough to do security correctly by researching first.