I am working on a proposal for setting up a HIPAA-compliant Web application with a SQL Server 2005 backend, and I have a couple of questions for those of you who work in an environment where you administer a database for a Web application front end. What are some network topology considerations that you have found to be very beneficial (e.g. placing hardware/software firewalls, routers, and intrusion detection devices between the Web server and the data server)? As far as PHI is concerned, what do you have encrypted, if anything, in the data tables? Most of what I have read concerns encryption over the wire in an "open" environment, but never gives any real specifications as to algorithms and the like. I was just wondering what some of the considerations are that you all take.
Thanks in advance,
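Since the question asks what to encrypt in the tables and with which algorithm, here is an added example (not from the original poster) of the mechanism SQL Server 2005 itself offers for that: cell-level encryption with a symmetric key protected by a certificate, which in turn is protected by the database master key. SQL Server 2005 has no transparent whole-database encryption (that arrived in 2008), so this is the in-engine option for protecting PHI columns at rest. The database, certificate, key, table and column names, the sample SSN, and the password are all assumed for illustration.

```sql
-- Added example: SQL Server 2005 cell-level encryption of a PHI column.
-- All object names, the password and the sample data are assumed/constructed.

USE PhiDemo;
GO

-- Database master key: protects the certificate's private key.
-- Back it up (BACKUP MASTER KEY) and keep the password out of source control.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-unique-passphrase-here';
GO

-- Certificate: wraps the symmetric key. Back it up (BACKUP CERTIFICATE) or the
-- encrypted columns are unrecoverable after a restore to another server.
CREATE CERTIFICATE PatientCert WITH SUBJECT = 'PHI column encryption';
GO

-- Symmetric key does the bulk encryption. On SQL Server 2005, AES_256 is
-- available only when the host OS is Windows Server 2003 or later;
-- older hosts fall back to TRIPLE_DES.
CREATE SYMMETRIC KEY PhiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PatientCert;
GO

-- PatientId is supplied by the application (not IDENTITY) so it can be used
-- as the authenticator below. Only ciphertext is stored for the SSN.
CREATE TABLE dbo.Patient (
    PatientId INT           NOT NULL PRIMARY KEY,
    LastName  NVARCHAR(100) NOT NULL,
    SSN_Enc   VARBINARY(256) NOT NULL   -- EncryptByKey output, never plaintext
);
GO

-- Insert: open the key, then encrypt with an authenticator bound to the row.
-- The authenticator stops an attacker with table write access from copying
-- one patient's ciphertext into another patient's row.
OPEN SYMMETRIC KEY PhiKey DECRYPTION BY CERTIFICATE PatientCert;
INSERT INTO dbo.Patient (PatientId, LastName, SSN_Enc)
VALUES (1001, N'Doe',
        EncryptByKey(Key_GUID('PhiKey'), N'123-45-6789', 1, CONVERT(NVARCHAR(128), 1001)));
CLOSE SYMMETRIC KEY PhiKey;
GO

-- Read: DecryptByKey returns NULL rather than raising an error when the key
-- is not open, the authenticator does not match, or the data was tampered
-- with, so the application must treat NULL as a failure, not as "no SSN".
OPEN SYMMETRIC KEY PhiKey DECRYPTION BY CERTIFICATE PatientCert;
SELECT PatientId,
       LastName,
       CONVERT(NVARCHAR(11),
               DecryptByKey(SSN_Enc, 1, CONVERT(NVARCHAR(128), PatientId))) AS SSN
FROM dbo.Patient;
CLOSE SYMMETRIC KEY PhiKey;
GO
```

Two practical points follow from this design. First, the encrypted column cannot be indexed or searched usefully, so encrypt identifiers such as SSN that are looked up exactly (or not at all) rather than columns you need to range-scan. Second, the Web application's login should be granted permission on the certificate and key only, not db_owner; anyone who can run OPEN SYMMETRIC KEY can read the plaintext, so the database is not a substitute for the firewall and segmentation between the Web tier and the data tier that the question also asks about.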