I think the requirements are fairly nebulous at best and mostly aimed at documenting your practices for access, and (god-forbid) breach/compromise. I think that you are covered if you cover these things in your operating procedures, but that is just from my own cursory research.
I'm mostly curious about the web stack and technical implementation:
* Encryption in transit (SSL) and at rest (whole-database encryption versus field-specific encryption)
* Select auditing (and performance thereof)
* Open-source stack?
I'm a pathologist so I'm primarily interested in interfacing with existing LIS (lab info systems). I'd like to pursue efficiency solutions for the laboratory (like dashboards, specimen tracking, lab ordering, intra-lab communication).
Of course, it's all moot with respect to my day-job because I work for the military and they mostly piss on open-source (MS all the way!) with no real path for putting applications on NIPRnet (yes even at the hospitals) without enterprise-level support and multi-level security audit/approval. Which explains why in the age of digital pathology, we are stuck entering pathology information over ssh (terminal emulation) into a MUMPS system.
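The two technical questions above (field-specific encryption at rest, and auditing of selects) can be shown together in a small self-contained sketch. This is an added example, not code from anyone in the thread: it stores patient fields as authenticated ciphertext in SQLite so a raw SELECT (or a copied database file) yields nothing readable, binds each ciphertext to its column name so values cannot be swapped between fields, and records every decrypting read in an audit table. The AEAD here is a stand-in built from HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC) purely to avoid third-party dependencies; a production system would use a vetted AEAD such as AES-GCM from a maintained library, and the key would come from a KMS or HSM rather than a constant. Table layout, field names and the sample record are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Demonstration-only AEAD from HMAC-SHA256. Separate subkeys for the keystream
# and the tag are derived from one master key (assumption: 32-byte key).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over a PRF: block i = HMAC(enc_key, nonce || i).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key: bytes, nonce: bytes, field: str, ct: bytes) -> bytes:
    # The column name is authenticated (not encrypted): a ciphertext moved to
    # another column fails verification.
    return hmac.new(mac_key, nonce + field.encode() + b"\x00" + ct, hashlib.sha256).digest()

def encrypt_field(key: bytes, field: str, plaintext: str) -> bytes:
    """Encrypt one column value; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + _tag(_subkey(key, b"mac"), nonce, field, ct)

def decrypt_field(key: bytes, field: str, blob: bytes) -> str:
    """Verify the tag for this column, then decrypt. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), nonce, field, ct)):
        raise ValueError(f"authentication failed for field {field!r}")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))).decode()

# Constructed schema: two PHI columns, both stored only as ciphertext.
FIELDS = ("name", "dob")

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name BLOB, dob BLOB)")
    conn.execute("CREATE TABLE audit (ts REAL, actor TEXT, patient_id INTEGER, fields TEXT)")
    return conn

def insert_patient(conn, key: bytes, pid: int, name: str, dob: str) -> None:
    conn.execute("INSERT INTO patients VALUES (?, ?, ?)",
                 (pid, encrypt_field(key, "name", name), encrypt_field(key, "dob", dob)))

def read_patient(conn, key: bytes, actor: str, pid: int, fields):
    """Decrypt only the requested fields and record who read what (select auditing)."""
    for f in fields:
        if f not in FIELDS:  # whitelist before the names reach the SQL string
            raise ValueError(f"unknown field {f!r}")
    row = conn.execute(f"SELECT {', '.join(fields)} FROM patients WHERE id = ?", (pid,)).fetchone()
    if row is None:
        return None
    conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                 (time.time(), actor, pid, ",".join(fields)))
    return {f: decrypt_field(key, f, blob) for f, blob in zip(fields, row)}

def audit_trail(conn, pid: int):
    """Who decrypted which fields of this patient, in order."""
    return [(actor, fields) for actor, fields in conn.execute(
        "SELECT actor, fields FROM audit WHERE patient_id = ? ORDER BY ts", (pid,))]

if __name__ == "__main__":
    key = os.urandom(32)  # placeholder: load from a KMS/HSM in a real deployment
    conn = open_db()
    insert_patient(conn, key, 1, "Jane Doe", "1970-01-01")
    print("raw column:", conn.execute("SELECT name FROM patients WHERE id = 1").fetchone()[0].hex())
    print("decrypted:", read_patient(conn, key, "dr_smith", 1, ("name",)))
    print("audit:", audit_trail(conn, 1))
```

The audit row is written in the same transaction path as the decrypt, so a read without a matching audit entry is itself an anomaly worth alerting on; per-field decryption also keeps the audit record honest about which PHI was actually exposed, which whole-database encryption cannot express.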
At the top, the guys with stars who sign off the contracts, yes. On the other hand, I was just on the phone yesterday with a Navy cryptographer who is working with Google on NIST certification of Mozilla's Network Security System (NSS) for FIPS 140-2 compliance. I think getting the network changed will ultimately come down to smart people like yourself continuing to beat the drum.
BTW, I'm military too! I know CHCS and AHLTA all too well. email me: niels.olson at gmail