How do I make my application using Mongodb and nodejs HIPAA compliant? - mongodb

I am writing an application that could potentially be used by doctors to keep notes about patients (my app is not targeted at doctors, but other professions don't need such strict rules).
My app is written in nodejs and only the backend can access the database with an authenticated user account and following all common security practices such as firewall rules etc.
I read about HIPAA compliance, but most of it doesn't apply because no user has access to the database unless the access comes through the backend's API, for which of course you need to authenticate against my app over SSL.
How can I be confident that doctors can use my app? Is there any authentication test/certificate etc?

The MongoDB website has a great example of the HIPAA compliance standard; I think the following will help you:
https://www.mongodb.com/blog/post/making-hipaa-compliant-applications-mongodb

AWS-based applications can be made HIPAA compliant by referring to the following detailed AWS documentation: https://aws.amazon.com/compliance/hipaa-compliance/
There is a nicely written whitepaper by AWS available at the above-mentioned link.

Related

Can openiddict have equivalent features of AWS Cognito like: User pool, App ID and Custom claims

I would like to find out if openiddict (https://github.com/openiddict/openiddict-core) and
Amazon Cognito.
I plan to use the ABP OpenIddict Module (https://docs.abp.io/en/abp/6.0/Modules/OpenIddict), which provides advanced authentication features like single sign-on, single log-out, and API access control. This module persists applications, scopes, and other OpenIddict-related objects to the database.
In this video at the time mark: Amazon EKS SaaS deep dive: A multi-tenant EKS SaaS solution
https://youtu.be/tXVLjWjEEwo?t=1250
You can see the onboarding experience when a SaaS tenant selects to provision its infrastructure and application using EKS Kubernetes.
Amazon Cognito creates a User pool, App ID and Custom claims for the tenant.
Can OpenIddict have equivalent functionality?
I would like to rebuild the AWS SaaS provisioning with DigitalOcean Kubernetes and the abp.io framework.
Thank you.
Short answer:
Yes, you could implement a similar solution.
Long answer:
ABP is an opinionated framework with a lot of best practices pre-implemented for you. You need to understand how ABP does things in the first place to understand how to extend it. For self-service onboarding you have to create your own registration process, which in turn would create a user and tenant.
Also, OpenIddict is for all intents and purposes already implemented. Creating a self-service onboarding would probably only touch the Account Module, the Tenant Management Module and the Identity Module.
Read the doc on the abp site:
https://docs.abp.io/en/abp/latest/Modules/Account
https://docs.abp.io/en/abp/latest/Modules/Tenant-Management
https://docs.abp.io/en/abp/latest/Modules/Identity

Is it safe to use Firestore and its features via client only? [duplicate]

This question already has an answer here:
Why is it okay to allow writes into Firebase from the client side?
(1 answer)
Closed 3 years ago.
If I use the prod environment variables in my app and set the server-side rules for Firestore, would my app be completely secure to perform CRUD and authentication? I am asking this because I have been seeing Angular tutorials by pretty famous YouTube content creators (Fireship) and they do not touch server-side code and still show how to make production applications. All the tutorials use only Angular and some libraries to produce the apps and features, but then the Google console says not to expose the API keys. Using only client-side Angular, even in production, the environment variables expose the private keys, right?
So in short, should I be using Node to do CRUD and auth with Firestore, or do server-side rules in the console work safely?
The configuration that you use on the client to get it to communicate directly with Firebase services does not include a private API key. Much has been said about this in various forums over the past few years. The thing you see that might be labeled an API key is actually public information. It helps the client library locate the project it's working against. The API keys you want to hide are those that expose direct access to other billed services, including Google Cloud service accounts.
You limit access to Firebase backend services (Cloud Firestore, Realtime Database, Cloud Storage) using security rules to determine what a user can or cannot do with the data stored in them. If you don't do this correctly, you could have problems.
Whether or not you want to let the client access the services directly or make the client go through some middleware you write should be decided by other reasons, as discussed in this article.
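As an added illustration (not part of the original answer), here is the contrast the answer is drawing, written as Cloud Firestore security rules for a hypothetical `notes` collection in which each document carries an `ownerId` field holding the author's Firebase Authentication uid. The collection and field names are assumptions for the example; the rule syntax (`request.auth`, `resource.data`, `request.resource.data`) is the standard Firestore rules language.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (what a tutorial may leave in place): anyone who knows the
    // public project config can read and write every note. Since the
    // client config is public, this is effectively an unauthenticated
    // world-writable database.
    //
    // match /notes/{noteId} {
    //   allow read, write: if true;
    // }

    // CORRECTED: the request must come from a signed-in user, and that
    // user may only touch notes whose ownerId equals their own uid
    // (ownerId is an assumed field name for this example).
    match /notes/{noteId} {
      // Reads, updates and deletes: check the stored document's owner.
      allow read, update, delete: if request.auth != null
        && request.auth.uid == resource.data.ownerId;

      // Creates: there is no stored document yet, so check the owner
      // the client is trying to write, and require it to be themselves.
      allow create: if request.auth != null
        && request.auth.uid == request.resource.data.ownerId;

      // Keep the owner immutable on update so a user cannot hand a note
      // to someone else's uid (or orphan it).
      allow update: if request.auth != null
        && request.auth.uid == resource.data.ownerId
        && request.resource.data.ownerId == resource.data.ownerId;
    }

    // Everything not matched above is denied by default.
  }
}
```

The point of the example is that the thing to protect is not the client config but the data access path: with the corrected ruleset, possessing the project's public config gains an attacker nothing beyond what any signed-in user can do to their own documents. Rules like these should be exercised with the Firebase emulator before deployment, since a typo in a path or field name silently widens or closes access.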

TOTP radius server for Citrix XenApp

I'm looking for a standards-based TOTP (time-based one-time password) authentication server to implement strong security for my NetScaler appliance.
I was not able to find a RADIUS server with an easy-to-use interface that supports Google Authenticator.
Grateful if you can suggest a solution!
Thanks
Not sure about how easy to use this solution is, but what Citrix suggests is OpenOTP. It supports Google Authenticator (in addition to others). It is free for 25 users; 50 users will cost you at least 1000 EUR.
Another solution is TOTPRadius. No pricing info is available, but it is the only one supporting self-registration if you are using Citrix StoreFront.
p.s. Sorry, forgot to add a disclaimer: I am affiliated with Token2
Update regarding OpenOTP: it is free for 40 users. Please ask RCDevs for actual pricing regarding more users.
Starting with 50 users you are entitled to install the OpenOTP/WebADM backend as an active/active cluster (2 servers).
The OpenOTP Token App supports additional features compared to Google Authenticator.
For fast evaluation, virtual appliances (for Oracle VirtualBox or VMware) are available here.
Protectimus provides a 2FA solution for strong protection against unauthorized account access within Citrix XenApp. It also has Citrix Ready status. You can contact the sales team for actual pricing.
Disclaimer: I work for Protectimus

Are Database-as-a-Service providers like Modulus and Mongolab actually secure?

Recently, I have been looking at the security of the customer data for my product and found out that one major concern was using third-party services like Mongolab, Modulus, Heroku.
Are these products actually secure? I understand that you can only do so much to secure the services on the cloud where you get shared resources, but even from a cloud standpoint, do you guys feel comfortable using these services?
I was checking with mLab, and as far as you can get is:
SSL for connection protection,
authentication;
but there is one question left: is data at rest encrypted?
If you need to comply with data protection acts (PCI), this could still be an issue, but for other purposes I have no issues with the mLab service.
Any comments welcome!

Amazon web services issue. Should I pay for the web services? [closed]

I'm new to iOS development, and I faced an issue with Amazon.
I want to gain information about Amazon products with Amazon web services. I want to enter a keyword and get information about the matching products.
I looked at http://aws.amazon.com/mobile/ and saw that I should register. During the registration Amazon asked me about my Visa card information and then tried to withdraw 1 dollar.
The questions are:
Should I pay for Amazon web services?
Is it compulsory to register, or can I just download the Amazon SDK from http://aws.amazon.com/sdkforios/?
Can you give some Amazon SDK code examples?
AWS is a paid service. So, it's not a matter of whether you should or should not pay for using AWS. You MUST pay for the capacity you have used.
The pricing differs between the various services and is typically listed at http://aws.amazon.com/<service name>/pricing/. Here are a couple of examples: EC2, S3.
Note that for some of the services there is a free tier for about a year, as long as you stay under a certain amount of usage. So, while you WILL get a bill every month, that bill might be for $0.
More about the AWS Free Usage Tier.
You can download the client SDKs freely and write code against them. However, to actually run it against AWS, you will need an AWS Access Key ID and Secret Access Key, so that AWS servers can authenticate the requests from your application (and incidentally also bill you properly for your usage).
You should start with the Getting Started with the AWS SDK for iOS and the AWS SDK for iOS FAQs. The SDK also contains a bunch of sample apps in the <SDK install folder>/samples folder.
Update:
Ah, you want to search the Amazon catalog? That's different from AWS. AWS is intended to provide you access to computing resources (storage, CPU, load balancing, and so on) for your own services. For your scenario you need to use the Amazon Affiliate Program Product Advertising API.
While that API does share credentials with AWS (it uses the AWS Access Key ID and Secret Key), it most likely is free (but double-check to be sure), as Amazon will be making money on any product your users buy.
Also, the Product Advertising API does not have client SDKs (as far as I know), so you will have to deal with making the HTTP requests yourself. The API supports both REST and SOAP, so you can choose your own poison. There's also a bunch of samples for both server and client apps, in PHP, C#, Java, Node.js, Ruby, and so on.
AWS is great! It's totally worth the price. So you can download the AWS iOS SDK and integrate it into your project; however, before it will work you need to sign up. I would give you some examples but I don't fully understand what you're asking. The AWS iOS SDK has tons of code samples in it. If you want, you can comment on this post with what you want to use AWS for and then I can help you come up with the code to achieve it :) I hope you have fun with iOS development, it's great :)
Good Luck!
Are you maybe confusing Amazon Web Services with a request API? You said:
I want to enter the keyword "iphone" and get some iPhone products on Amazon with their description and price
That is what an Amazon web API would do (from this question, I understand there is maybe no such thing for Amazon?). AWS is a cloud service where you can run your programs and pay according to the resources you use. Think of it as a web host.
All in all, AWS is not directly related to Amazon content; if I understood correctly, this is not what you want.
Yes of course you have to pay.
You can download it without registration, but you have to register to use it.
There is documentation in the AWS SDK for iOS.