We set up our DB server with two NICs, one that only connects with the app server and one that doesn't have any external routing but is only reachable through a VPN for management. I consider that just good practice regardless of the information you are storing. HIPAA compliance is a nebulous beast, but to my best knowledge the basic setup I've described will satisfy it. Much bigger questions start to come in, though, when you talk about user access to data, authentication schemes, audit trails, etc.
Judah

On Tue, Jan 13, 2009 at 2:54 PM, Dan Crouch <stario...@yahoo.com> wrote:
> Does anyone have any knowledge of HIPAA compliance related to web and
> database server setup? Specifically, if I have one database server and one
> web server, does the database server need to be completely removed from the
> internet or can the firewall filter out everything but what I need to
> communicate between the two servers anyhow, like the SQL Server Port?
>
> Just curious if anyone else has run into this situation with setting up a new
> set of servers and how much separation on the network there needs to be
> between the web and DB servers for HIPAA compliance. We do have private
> health information but no financial (PCI) info.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317910
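The two-NIC, default-deny layout described in the reply can be written down as a host firewall policy and checked before it goes live. The block below is an added example, not code from the thread or from any of its posters: it models the DB server with one interface toward the app server and one toward a VPN-only management network, evaluates whether a given inbound connection would be accepted, and renders the same policy as an nftables ruleset. The interface names (eth0, eth1), the addresses, the VPN pool and the management ports are constructed assumptions; the SQL Server port 1433 is the one the question refers to.

```python
"""Model of the two-NIC database server layout from the reply above.

Added example (not from the original thread). Assumptions, all constructed:
eth0 faces the web/app server, eth1 faces the VPN-only management network,
and no interface has a route to the internet. Policy is default deny:
only the SQL Server port from the app server on eth0, and SSH/RDP from the
VPN client pool on eth1, are accepted.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumptions, not from the post).
APP_SERVER = ipaddress.ip_address("10.0.1.10")    # web/app server, reaches eth0
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")   # management VPN clients, reach eth1
SQL_SERVER_PORT = 1433                            # default MS SQL Server TCP port
MGMT_PORTS = {22, 3389}                           # SSH / RDP for administration only


@dataclass(frozen=True)
class Rule:
    iface: str                      # ingress interface on the DB server
    src: ipaddress.IPv4Network      # permitted source network
    dports: frozenset               # permitted destination TCP ports


POLICY = [
    Rule("eth0", ipaddress.ip_network(f"{APP_SERVER}/32"), frozenset({SQL_SERVER_PORT})),
    Rule("eth1", VPN_POOL, frozenset(MGMT_PORTS)),
]


def allowed(iface, src_ip, dport):
    """Return True if a new TCP connection arriving on `iface` from `src_ip`
    to `dport` matches an accept rule; anything else is dropped (default deny)."""
    src = ipaddress.ip_address(src_ip)
    return any(
        r.iface == iface and src in r.src and dport in r.dports for r in POLICY
    )


def render_nftables(policy=POLICY):
    """Emit an nftables ruleset implementing the same policy on the host.
    Replies to established connections and loopback are accepted; the
    chain policy is drop, so unlisted interface/source/port combinations
    (including the SQL port from anywhere but the app server) never pass."""
    lines = [
        "table inet dbfw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in policy:
        ports = ", ".join(str(p) for p in sorted(r.dports))
        lines.append(
            f'    iifname "{r.iface}" ip saddr {r.src} tcp dport {{ {ports} }} accept'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # Spot checks that mirror the question in the thread.
    print(allowed("eth0", "10.0.1.10", 1433))    # app server to the SQL port: accepted
    print(allowed("eth0", "203.0.113.5", 1433))  # any other source to the SQL port: dropped
    print(allowed("eth1", "10.99.0.7", 22))      # admin over the VPN: accepted
    print(allowed("eth0", "10.99.0.7", 22))      # management on the app-facing NIC: dropped
```

The evaluator and the rendered ruleset come from one policy list, so the checks you run in a test exercise the same rules that end up on the host; the audit-trail and authentication questions the reply raises are separate controls and are not covered by this packet filter.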