L
L
lifehardcore2015-01-18 15:11:35
Data protection
lifehardcore, 2015-01-18 15:11:35

How to organize the protection of personal data for a medical information system?

Good afternoon!
I am developing an integrated medical information system and faced the issue of protecting personal data of category K1 in accordance with the law 152-FZ. The question arose, what to do, how to be? Where to begin?
Now the test version of the system is running on a VDS running Debian 7. I use nginx+php-fpm as an http server. The project was conceived as a SaaS solution for medical institutions, but recently it turned out that we do not have the right to launch such a system, since we will not receive a certificate from the FSB and FSTEC, they say they will refuse us due to the inability to protect K1 data using the selected technology.
If constructively, then:
1. It is clear that data encryption is needed. How to implement? Does it make sense to use HTTPS and an SSL certificate?
2. Does it make sense to buy AltLinux certified for storing personal data, or can you still use the same Debian 7?
3. How to prepare an application for verification and certification in the FSTEC?
4. What should you pay attention to first of all?
5. At the moment I am studying the following regulatory documents: FZ-152, FSTEC No. 17, FSTEC No. 21. What else should be explored?
6. What technical solutions do I have to use?
7. What minimum measures are sufficient?
I really hope for the support of experts in this matter!

Answer the question

In order to leave comments, you need to log in

1 answer(s)
E
Eugene, 2015-01-19
@lifehardcore

There are no classes now. K1 is an outdated classification.
Study Government Decree No. 1119 and determine the required level of security (LL).
When determining KM, consider that threats of the 1st and 2nd types (undeclared capabilities in system and application software) are irrelevant for you, otherwise you will have strict requirements for information security tools.
For encryption, read FSB Order No. 378
The measures are described in Order 21 of the FSTEC. It will be difficult for you to get away from certified solutions, especially if you offer it as a service.
Please note that the installation of certified cryptographic information protection tools requires an FSB license, in your case you will need to invite a licensee.
In general, the topic of creating a SZPD is complex and voluminous, it is necessary to make compromises between the functionality and the implementation of the law.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question