Which is safer: University IT or cloud-based contact hosting?
October 20, 2011 4:10 AM Subscribe
Which hosted system is likely to be more secure: A custom-coded database with a web-based front-end coded by an independent coder for $10k and hosted and maintained by a major university, or a small cloud-based provider with several clients who hosts contact data and whose system is set up to accept credit card payments and store other financial information?
I realize that the real answer is likely to be that individual coding practices and security assessments vary depending on the individuals involved, and that answering this in the abstract is somewhat of an academic exercise. And to be really sure, you would need to code audits and penetration testing.
In the contemplated scenario, we would be collecting and hosting HIPAA-protected personal data for research purposes. Solution #1 is an out-of-the-box, cloud-based solution used by many nonprofits for managing their contact lists and tracking and processing donations. Solution #1 accepts credit card donations online and stores some of this information, so it is presumably PCI DSS compliant (we are verfiying). They have numerous clients and are fairly well-known in the nonprofit space.
Solution #2 is a custom-built SQL database, which we have a bid for $10k by a solo developer. The system would be hosted by a major university, but it is unclear to me what type of code review the Unversity's internal IT protocols require before running the custom-coded app. The University's research systems and existing servers are HIPAA HITECH compliant. Presumably as part of the hosting the University would patch the servers, but we'd have to pay separately for maintenance of the custom code.
My gut reaction was that the commercial shop (which is presumably PCI DSS compliant) is inherently more secure than the independent coder, because the University would be maintaining and hosting someone else's code and that the commercial shop is more likely to spot vulnerabilities in their own code base.
But when I was trying to explain my position to laypeople with no experience with security issues, they thought I was crazy and asserted that a University-vetted and maintained system would be inherently more secure than a commercial setup, because the University, by the nature of its business, had more experience with security.
Am I right? What other security issues should I be aware of?
I realize that the real answer is likely to be that individual coding practices and security assessments vary depending on the individuals involved, and that answering this in the abstract is somewhat of an academic exercise. And to be really sure, you would need to code audits and penetration testing.
In the contemplated scenario, we would be collecting and hosting HIPAA-protected personal data for research purposes. Solution #1 is an out-of-the-box, cloud-based solution used by many nonprofits for managing their contact lists and tracking and processing donations. Solution #1 accepts credit card donations online and stores some of this information, so it is presumably PCI DSS compliant (we are verfiying). They have numerous clients and are fairly well-known in the nonprofit space.
Solution #2 is a custom-built SQL database, which we have a bid for $10k by a solo developer. The system would be hosted by a major university, but it is unclear to me what type of code review the Unversity's internal IT protocols require before running the custom-coded app. The University's research systems and existing servers are HIPAA HITECH compliant. Presumably as part of the hosting the University would patch the servers, but we'd have to pay separately for maintenance of the custom code.
My gut reaction was that the commercial shop (which is presumably PCI DSS compliant) is inherently more secure than the independent coder, because the University would be maintaining and hosting someone else's code and that the commercial shop is more likely to spot vulnerabilities in their own code base.
But when I was trying to explain my position to laypeople with no experience with security issues, they thought I was crazy and asserted that a University-vetted and maintained system would be inherently more secure than a commercial setup, because the University, by the nature of its business, had more experience with security.
Am I right? What other security issues should I be aware of?
I think that, in practice, your attempt to make the decision based on which is safer is a moot point. One of the requirements of HIPAA compliance is that in order for your project to be HIPAA compliant you have to get signed statements from your vendors that their products are HIPAA compliant. You can make that a requirement of your contract with the solo developer and, presumably, your HIPAA compliant University host. However, a commercial entity that is not currently providing services to the medical industry is very very unlikely to be able to supply you with a HIPAA compliance statement. While their product may well be more technically secure that whatever you're going to get from your solo developer, they probably have not already done a HIPAA audit, and even if you convinced them to do one, giving you a HIPAA compliance statement is likely to trigger a significant increase in their insurance costs (one of the reasons being a medical vendor is an expensive proposition).
posted by RichardP at 4:38 AM on October 20, 2011 [1 favorite]
posted by RichardP at 4:38 AM on October 20, 2011 [1 favorite]
Your instincts are absolutely correct.
QuantumMeruit: "a University-vetted and maintained system"
Vetted I understand, but do the other stakeholders really expect University staff to maintain an outside vendor's code? Can they articulate an actual plan for this?
posted by mkultra at 5:17 AM on October 20, 2011 [2 favorites]
QuantumMeruit: "a University-vetted and maintained system"
Vetted I understand, but do the other stakeholders really expect University staff to maintain an outside vendor's code? Can they articulate an actual plan for this?
posted by mkultra at 5:17 AM on October 20, 2011 [2 favorites]
I think you have a catch-22. The commercial solution will probably be more "secure" in that it will have industry standards and HIPAA compliance and all that jazz. The custom site will be more secure because it is the only one of its kind and be secure through obscurity, in addition to the actual security implemented. If there is a community of people looking to get into medical records in general, then your site will probably not be on their radar.
So if the metric is "which gets broken into first", I'd bet on the custom site being more secure. But that's probably not the metric. In addition to security, you need accountability. As such, I would have to choose the commercial solution.
(Unless the custom site is meant to be a pilot for larger things. If that is the focus, then I think it's a coinflip.)
posted by gjc at 5:42 AM on October 20, 2011
So if the metric is "which gets broken into first", I'd bet on the custom site being more secure. But that's probably not the metric. In addition to security, you need accountability. As such, I would have to choose the commercial solution.
(Unless the custom site is meant to be a pilot for larger things. If that is the focus, then I think it's a coinflip.)
posted by gjc at 5:42 AM on October 20, 2011
Solution #1 is an out-of-the-box, cloud-based solution used by many nonprofits for managing their contact lists and tracking and processing donations. Solution #1 accepts credit card donations online and stores some of this information, so it is presumably PCI DSS compliant (we are verfiying).
Take into account that the easiest way to store credit card information in a PCI DSS compliant way is to pass the CC info to a card processing company to store on your behalf and storing only a reference back into your processor's database. In other words: best way to store CC number is not to store it. So compliance with PCI DSS doesn't necessarily imply that their whole system is secure.
posted by atrazine at 5:45 AM on October 20, 2011 [1 favorite]
Take into account that the easiest way to store credit card information in a PCI DSS compliant way is to pass the CC info to a card processing company to store on your behalf and storing only a reference back into your processor's database. In other words: best way to store CC number is not to store it. So compliance with PCI DSS doesn't necessarily imply that their whole system is secure.
posted by atrazine at 5:45 AM on October 20, 2011 [1 favorite]
The bureaucracy alone is enough to stay well away from University-run servers. That's assuming that you'd ever be able to get away with it - judging from my experiences, you don't have a snowballs chance in hell of getting the support you need.
If anyone has convinced you that it's possible, then a used car lot is missing a salesperson..
posted by Yowser at 5:54 AM on October 20, 2011
If anyone has convinced you that it's possible, then a used car lot is missing a salesperson..
posted by Yowser at 5:54 AM on October 20, 2011
The answer is: who can produce documentation of a third party audit? Your goal in this situation is not to secure the data -- you can't because you aren't adminning the infrastructure. Your goal is to minimize your risk and exposure if the vendor screws up. A third party audit is the most defensible method of supporting a decision.
posted by bfranklin at 5:58 AM on October 20, 2011
posted by bfranklin at 5:58 AM on October 20, 2011
chengjih and RichardP have it. I symapthize with your instincts, but in your case there are specific standards you have to adhere to. Unless your commercial vendor is already familiar with these requirements, they may need to do a pretty robust audit of their system. There are a couple issues you could run into. First, this audit would take time. Is it worth the delay? Second, if the vendor's audit reveals that they are not compliant with HIPAA technical requirements, are they willing to change their infrastructure to comply? Or will they just drop you? If they are willing to change, can they do it quickly enough for your project timeline? Finally, if they overlook some deficiencies (or find & ignore them) and give you a document that claims they are HIPAA compliant, are you still liable if a vulnerability is found? You'll need a lawyer for that.
Honestly, this isn't just a technical issue, this is a legal issue. So as much as I like it when technical considerations trump all others, there are times when legal considerations are of equal or greater importance than technical. This is one of those times.
Something else you need to consider is whether your independent coder understands HIPAA requirements. Will the university audit the system to ensure compliance? Also, if the developer doesn't understand the requirements and you lean on the university audit, that's a lot of back-and-forth between the developer and the auditors to get it right.
This isn't a be-all end-all resource, but it'll get you started: HHS HIPAA Security Series - Security Standards: Technical Safeguards. [Warning: PDF]
Expanding on atrazine: I'm not an expert, but I believe PCI DSS requirements and HIPAA requirements are substantially different. There is probably overlap, but PCI DSS compliance != "more secure for all uses."
posted by Tehhund at 6:00 AM on October 20, 2011 [1 favorite]
Honestly, this isn't just a technical issue, this is a legal issue. So as much as I like it when technical considerations trump all others, there are times when legal considerations are of equal or greater importance than technical. This is one of those times.
Something else you need to consider is whether your independent coder understands HIPAA requirements. Will the university audit the system to ensure compliance? Also, if the developer doesn't understand the requirements and you lean on the university audit, that's a lot of back-and-forth between the developer and the auditors to get it right.
This isn't a be-all end-all resource, but it'll get you started: HHS HIPAA Security Series - Security Standards: Technical Safeguards. [Warning: PDF]
Expanding on atrazine: I'm not an expert, but I believe PCI DSS requirements and HIPAA requirements are substantially different. There is probably overlap, but PCI DSS compliance != "more secure for all uses."
posted by Tehhund at 6:00 AM on October 20, 2011 [1 favorite]
But when I was trying to explain my position to laypeople with no experience with security issues, they thought I was crazy and asserted that a University-vetted and maintained system would be inherently more secure than a commercial setup, because the University, by the nature of its business, had more experience with security.
In addition to the points others have raised, another concern, in terms of security with outside vendors is "are they and their product going to be around?".
So, assume you found a HIPAA compliant vendor, and next year they get sold to another company that is not HIPAA compliant. Or they decide that hosting HIPAA compliant data doesn't align with their corporate goals and so the product will be discontinued effective in 30 days.
Also, when you keep your data in house, you have total control over who and how that data is accessed. When you ship it off to an outside vendor, you lose that control.
posted by Pogo_Fuzzybutt at 6:20 AM on October 20, 2011 [1 favorite]
In addition to the points others have raised, another concern, in terms of security with outside vendors is "are they and their product going to be around?".
So, assume you found a HIPAA compliant vendor, and next year they get sold to another company that is not HIPAA compliant. Or they decide that hosting HIPAA compliant data doesn't align with their corporate goals and so the product will be discontinued effective in 30 days.
Also, when you keep your data in house, you have total control over who and how that data is accessed. When you ship it off to an outside vendor, you lose that control.
posted by Pogo_Fuzzybutt at 6:20 AM on October 20, 2011 [1 favorite]
You're looking at this the wrong way. The question isn't which one is more secure, it's which one will accept material liability for security breaches or failures.
posted by mhoye at 6:38 AM on October 20, 2011 [4 favorites]
posted by mhoye at 6:38 AM on October 20, 2011 [4 favorites]
Reading your question again, I realized your commercial solution involves off-site hosting. That's tricky policy waters.
Have you spoken directly with someone in IT about this at all? If not, I think a lot could be gained from a conversation with someone in charge over there- you're probably not the first person to have come across this issue. I guarantee he's got a story about some grad student who used SurveyMonkey to collect something similar. Ideally, they'll be able to help you pick a vendor, or at least give you guidance about vetting a contractor.
posted by mkultra at 7:05 AM on October 20, 2011
Have you spoken directly with someone in IT about this at all? If not, I think a lot could be gained from a conversation with someone in charge over there- you're probably not the first person to have come across this issue. I guarantee he's got a story about some grad student who used SurveyMonkey to collect something similar. Ideally, they'll be able to help you pick a vendor, or at least give you guidance about vetting a contractor.
posted by mkultra at 7:05 AM on October 20, 2011
Pogo_Fuzzybutt makes a valid point, and I'm going to make the opposite point. Suppose you have a custom-coded website that is secure against all know exploits. And then a year later, new exploits are found. You A) need to learn that you're vulnerable; and B) then need to track down your developer and have him re-harden the code. I can assure you from direct experience that independent developers aren't always that enthusiastic about re-visiting projects they thought they had put to bed. The cloud-based service will be more strongly motivated (or I should just say "motivated") to stay informed about vulnerabilities in their platform and fix them.
posted by adamrice at 7:34 AM on October 20, 2011
posted by adamrice at 7:34 AM on October 20, 2011
mhoye said what I came here to say.
I would actually go the University route, and inside that I would actually have your internal IT Dept do it. If you don't have a WebDev group (really?) then make sure the programmer that you hire is vetted by your IT Dept before he's signed to a contract. You want to be sure that the framework and language that it is coded in follows the knowledge base of your IT Dept. Aside from that key condition I would be more afraid of any breach in the future, or basic upgrade suddenly exposing all your financial info.
posted by zombieApoc at 8:07 AM on October 20, 2011
I would actually go the University route, and inside that I would actually have your internal IT Dept do it. If you don't have a WebDev group (really?) then make sure the programmer that you hire is vetted by your IT Dept before he's signed to a contract. You want to be sure that the framework and language that it is coded in follows the knowledge base of your IT Dept. Aside from that key condition I would be more afraid of any breach in the future, or basic upgrade suddenly exposing all your financial info.
posted by zombieApoc at 8:07 AM on October 20, 2011
Response by poster: Just to make it clear, it's an outside non-profit, very small, with a 5 member staff and no real IT department. The software coder would be contracted, the university option or the cloud option would be contracted for hosting and IT maintenance.
posted by QuantumMeruit at 11:36 AM on October 21, 2011
posted by QuantumMeruit at 11:36 AM on October 21, 2011
This thread is closed to new comments.
posted by chengjih at 4:28 AM on October 20, 2011 [1 favorite]