1

We have a small office (4 people at the moment) and work exclusively with healthcare data (HIPAA protected).

For the past 2 years we've been storing all client data on a mysql database on my local machine using WAMP server (my database currently is around 500GB in size). I'm using a Dell XPS 8300 Intel Core i7-2600 @3.4GHz with 16GB of RAM.

While connected to our network, anyone can access the webserver on my machine and do what they need in the database or access any pages hosted on the webserver.

Due to the nature of our data (HIPAA protected) any cloud hosting isn't possible without spending a lot of money.

My question is:
Is it worthwhile to buy a server to use in the office?

The idea is that going forward when upgrading computers, we won't need to buy super high performance desktops, but more rely on a decent server in the office to do the heavy Database work.
Are there other things I need to consider?

Thanks for your time!

tkwargs
  • 111
  • 4

3 Answers

3

Absolutely.

Production data should never be hosted on anyone's workstation, period.

I suppose it may make sense for you to just put your box in the closet and buy a new one for yourself, if money is an issue and your hardware works for you.

There should only be one server to one service. For example, you should put your MySQL database on its own machine. That way, if you get a virus, or something happens to your box incident to your using it as a workstation, you don't foul up production, HIPAA protected data. One server per service ensures that if an error from one service causes the server to die or go down, the other services are not affected, since they are on their own servers. This is why most shops use virtual machines: They can still give each service (like MySQL for data) its own machine, but don't waste hardware since they can put multiple VMs on one server. My advice: buy a nice 2U server like this one and set up a virtualbox or VMware hypervisor on it and stick it in your (air-conditioned) closet. Putting it in a server rack would be better, though.

djhaskin987
  • 388
  • 4
  • 14
  • 2
    And to add to this, just consider the fine for a single HIPAA violation if your desktop gets compromised or someone breaks into your small office and steals your new dedicated server out of the coat closet. All of a sudden buying a dedicated server and sticking it in a HIPAA compliant datacenter doesn't sound so bad. – Safado Jul 03 '14 at 14:23
  • 1
    I'm going to go a step further - having a dedicated system also means you can reduce your admin costs by using more turnkey solutions; for example, LAMPStack (http://www.turnkeylinux.org/lampstack) or the like. – Brandon Langley Jul 03 '14 at 14:54
  • Thanks @djhaskin987. I will go the server route and try your suggestions. – tkwargs Jul 03 '14 at 17:15
1

Yes.

Servers are engineered for performance and reliability. Desktops are not.

Your local machine. The hard disk. It's two years old and is probably good for another few years. However...what happens if the disk dies? Do you have backups? If not, why not? If you do, do you test them? Can you afford the downtime involved with re-installing Windows, setting up the SQL server and then restoring the data?

With a server, if it is set up and used properly it can run for a very long time tolerating power failures (if used with a UPS and multiple PSUs), disk failures (if you have a multi-disk RAID setup) and other component failures. You can get fairly basic, decent servers for a few hundred $currency.

tombull89
  • 2,958
  • 8
  • 39
  • 52
  • Thanks @tombull89. We have many backups as well and monthly mysql dumps. It looks like I'll go the server route – tkwargs Jul 03 '14 at 17:11
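The answer above asks whether backups exist and whether they are tested, and the comment mentions monthly mysql dumps. The script below is an added example (not part of the original answer or comment) of the minimum a dump-based backup should do: take a consistent dump, check that the file is complete before it is trusted, and prove it restores. It assumes `mysqldump` and `mysql` are on PATH with credentials in `~/.my.cnf`; the database name `clientdata`, the backup directory and the sample dump contents are placeholders constructed for the example.

```sh
#!/bin/sh
# Added example: back up a MySQL database with mysqldump, verify the dump file,
# and optionally prove it restores into a scratch database.
# Assumptions: mysqldump/mysql on PATH, credentials from ~/.my.cnf,
# database and directory names below are placeholders.

set -u

# Write a consistent, timestamped dump of one database and print its path.
backup_db() {
  db="$1"
  backup_dir="$2"
  out="$backup_dir/$db-$(date +%Y%m%d-%H%M%S).sql"
  mysqldump --single-transaction --routines --triggers "$db" > "$out" || return 1
  printf '%s\n' "$out"
}

# A dump is only worth keeping if it is non-empty, defines at least one table,
# and ends with the footer mysqldump writes only after it finished successfully
# (a dump interrupted by a full disk or a killed process lacks that footer).
# Returns 0 when the dump looks complete, 1 otherwise.
verify_dump() {
  f="$1"
  [ -s "$f" ] || { echo "FAIL: $f is empty or missing" >&2; return 1; }
  grep -q '^CREATE TABLE' "$f" || { echo "FAIL: $f has no table definitions" >&2; return 1; }
  grep -q '^-- Dump completed' "$f" || { echo "FAIL: $f has no completion marker (truncated?)" >&2; return 1; }
  echo "OK: $f"
  return 0
}

# Restore the dump into a throwaway database and report how many tables came
# back; a backup that has never been restored is not a tested backup.
test_restore() {
  f="$1"
  scratch="restoretest_$$"
  mysql -e "CREATE DATABASE \`$scratch\`" || return 1
  if mysql "$scratch" < "$f"; then
    mysql -N -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='$scratch'"
    rc=0
  else
    rc=1
  fi
  mysql -e "DROP DATABASE \`$scratch\`"
  return $rc
}

# Demo that needs no live MySQL: write a constructed minimal dump (not real
# data) plus a truncated copy of it, and run the verifier on both.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-- MySQL dump 10.13  Distrib 5.6' \
    'CREATE TABLE `visits` (`id` int NOT NULL, `note` text);' \
    'INSERT INTO `visits` VALUES (1,"constructed sample");' \
    '-- Dump completed on 2014-07-03 14:23:00' > "$d/complete.sql"
  head -n 3 "$d/complete.sql" > "$d/truncated.sql"
  verify_dump "$d/complete.sql"        # prints OK
  verify_dump "$d/truncated.sql" || :  # prints FAIL: no completion marker
  rm -rf "$d"
}
demo

# Typical run against a real database (uncomment when MySQL is reachable):
# dump=$(backup_db clientdata /var/backups/mysql) && verify_dump "$dump" && test_restore "$dump"
```

`--single-transaction` gives a consistent snapshot of InnoDB tables without locking them, and the `verify_dump` step is what turns "we have monthly dumps" into "we have dumps we know are complete"; `test_restore` should be run on a schedule, not only when the disk has already died.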
1

Due to the nature of our data (HIPAA protected) any cloud hosting isn't possible without spending a lot of money.

Amazon Web Services (AWS) allows you to spin up low-cost compute instances that run just about any platform you could imagine, including a LAMP/WAMP server you could use to host your web application. AWS will also sign a Business Associate Agreement which means they are covered under HIPAA.

Building a low-cost cloud hosted HIPAA-compliant solution is extremely possible.