[ic] Encryption not needed?

Paul Vinciguerra pvinci at vinciguerra.com
Wed Dec 17 23:07:11 EST 2003


On Wed, 17 Dec 2003 18:38:28 -0000, Kevin Walsh wrote
> > Installed Interchange 4.8.7 several weeks ago
> >
> Tut tut - you should have started with 4.9.9 to ease the migration to
> 5.0.0 and to make use of all of the wonderful facilities you're missing
> out on. :-)
> 
> >
> > and finished redesigning the
> > user interface (using the foundation demo); templates, pages, databases,
> > etc. The site was built for a customer who sells supplies to hospitals,
> > hmos, etc. Originally it was meant to be open to the general public
> > however things have changed (who could have guessed) and the site will be
> > accessed via password only by one of their clients that has several dozen
> > "centers" that supply their own customers throughout the US. Each
> > "center" will username/password access. There will be no payments or
> > payment information given since purchases will be billed as a "AR"
> > account. Encryption isn't necessary (or is it?). After the "center"
> > employee (customer) logs in, all the shipping and account information
> > will be pre-populated in the data/forms displayed on the pages, though
> > not changeable/editable (by the "center" employee). The Order Number will
> > be formatted to include the date, time, and "center" code, i.e. Order
> > Number: 12160314-539. 
> > 
> > The newbie questions are as follows:
> > 
> > 1. Since encryption isn't needed, is there simple way to by-pass the
> > security-specific functions? 
> > 2. Can I reformat the order number as specified?
> > 3. How do I set the "demo" site live without encryption enabled?
> > 
> When you say "encryption", I'll assume you're talking about PGP/GnuPG
> rather than HTTPS/SSL.
> 
> Encryption is only required when emailing credit card details around,
> for obvious reasons.  If you don't collect/email credit card 
> information, or other sensitive details, then you don't need 
> PGP/GnuPG encryption.

With basic ecommerce, I think that is the rule of thumb.  

Once you mention "medical" in the US, the rules change significantly.  HIPAA 
regulations require safeguarding of personally identifiable information as 
well as encryption over the wire for any personally identifiable 
information when transferred over an insecure network. Once someone puts in 
a comment that identifies a patient you have to meet the HIPAA 
guidelines.

> 
> In this case, you can switch it off by setting "EncryptProgram" to
> "none" in your catalog.cfg file.  Obviously, with this disabled, if
> you do attempt to email credit card details around then you will
> see messages like "NEED ENCRYPTION ENABLED" in your emails.
> 
> As for the order numbers, why not simply store all of the information
> (date/time, centre number and sequential order number) as separate
> columns when the order is placed?  The columns can then be formatted
> in any way you like in the emails and in any reports etc.
> 
> Having an order number of "12160314-539", as specified, isn't a lot 
> of use if centre code 539 places two orders on the same day, so I assume
> you really want "12160314-539-1".  I would store that information in
> three columns, as I said.
> 
> Storing the details as separate columns would also help when you want
> to perform queries on the order data.  I.e. list all orders from centre
> number 539 during 4Q2003.

I agree with Kevin.  With medical products, you are often required to 
maintain an audit trail.  You may be asked to show all orders.  When an 
order is based on composite fields, you really can't find "missing" orders.  

Many vendor agreements and state licensure requirements insist on the right 
to audit your records on demand.  Make sure your clients' responsibilities are 
also being met.

(I spent 8 years in medical products distribution in what now seems like a 
previous life and now specialize in information security.) :)  

-Paul
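One way to model Kevin's three-column suggestion together with Paul's audit point, as an added example that is not code from this thread or from Interchange; the orders, the centre codes and the gap check are constructed for illustration and assume a plain SQL table rather than the Interchange order database:

```python
import sqlite3
from datetime import datetime

# Constructed sample orders (placed_at, centre_code, seq), not data from the thread.
SAMPLE_ORDERS = [
    ("2003-12-16 03:14:00", 539, 1),
    ("2003-12-16 11:02:00", 539, 2),
    ("2003-12-17 09:30:00", 539, 4),   # seq 3 never arrived: an audit gap
    ("2003-11-03 08:00:00", 120, 1),
    ("2004-01-05 10:00:00", 539, 5),
]

def build_db():
    """Date/time, centre and sequence kept as separate columns; the
    composite order number is derived for display, never the only key."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE orders (
        placed_at   TEXT    NOT NULL,
        centre_code INTEGER NOT NULL,
        seq         INTEGER NOT NULL,
        PRIMARY KEY (centre_code, seq))""")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return con

def order_number(placed_at, centre_code, seq):
    """Format as MMDDHHMM-centre-seq, e.g. '12160314-539-1'."""
    ts = datetime.strptime(placed_at, "%Y-%m-%d %H:%M:%S")
    return f"{ts:%m%d%H%M}-{centre_code}-{seq}"

def orders_for_centre_in_quarter(con, centre_code, year, quarter):
    """The 'all orders from centre 539 during 4Q2003' style query."""
    start = f"{year}-{3 * quarter - 2:02d}-01"
    end = f"{year + 1}-01-01" if quarter == 4 else f"{year}-{3 * quarter + 1:02d}-01"
    rows = con.execute(
        "SELECT placed_at, centre_code, seq FROM orders "
        "WHERE centre_code = ? AND placed_at >= ? AND placed_at < ? ORDER BY seq",
        (centre_code, start, end)).fetchall()
    return [order_number(*row) for row in rows]

def missing_sequence_numbers(con, centre_code):
    """Audit check: sequence numbers absent between a centre's first and last order."""
    seqs = [s for (s,) in con.execute(
        "SELECT seq FROM orders WHERE centre_code = ? ORDER BY seq", (centre_code,))]
    if not seqs:
        return []
    return sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
```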