So I’ve been working on a program, exact details don’t matter, which stores information in a database (either locally hosted or privately hosted by the user). Basically it’s to store a history of seizures and medication, so you can give it to a doctor and see something like “well, most seizures occur in the morning so let’s give medication at 6am instead of 8am” or something like that. To do that requires two “accounts”, one for the caregiver and one for the patient (the idea is for parents of a child with medical issues). It requires accounts to see things like “dad gave medicine at 7pm” or “mom saw child 1 have a seizure at 2:30pm”. These are basically just names stored in the local/private database; I will not know them or track them.

I don’t want to deal with HIPAA or be responsible for medical data, so I specifically don’t want to host the data. Assuming you had a use for this and the ability to host the database, would you be turned off by the requirement of “accounts” even if you completely controlled them?

  • artyom@piefed.social · 1 · 29 days ago

    Is there any reason it couldn’t be local only and just given to the caregiver over the phone?

    • vrek@programming.dev (OP) · 2 · 29 days ago

      So this is being built for me; I may release it to the public, don’t know. My logic is basically: a personal PC hosts the DB and has an API to handle working with the DB. On my phone, my girlfriend’s phone and potentially a babysitter’s phone there is a UI (probably MAUI) to generate API calls and send them to my PC.

      Also potentially thinking I may get some free webserver (basically like <20 API calls a day max and a small DB with maybe 1000 rows), not for security of the data but more just to not have open network ports to the internet without having the security infrastructure.

      Kid has bad epilepsy and is also non-verbal autistic (well, partially verbal). I wanted a way to track seizures and give a doctor a CSV or maybe even some graphs for things like time of day, activity when the seizure occurred, seizure vs most recent medication etc. The doctor asks “how frequent are his seizures?”; a response of “2.7 seizures per day on average with the highest tendency around breakfast time” is probably more helpful than “eh, seems better than last year but still pretty bad”.

      Plus I want to track when he has been given medication. He gets medication at 7pm, for example. I look at the clock and see it’s 7:15; now I have to go to my girlfriend: “did kid have his medicine?” Or he has other medication at 2pm; let’s say it’s a weekend and I take a nap. I wake up at 3:30 and ask if he had his medication… “umm, I think I gave it to him”.

      The point is to have 1 point of truth with multiple clients able to update that truth, I can’t do that if the system is local only.

      • ken@discuss.tchncs.de · 2 · edited · 3 days ago

        There’s a lot to unpack here but just one thing:

        Also potentially thinking I may get some free webserver (basically like <20 API calls a day max and a small DB with maybe 1000 rows), not for security of the data but more just to not have open network ports to the internet without having the security infrastructure.

        This sounds like the kind of data you really want to keep locally, and I wouldn’t trust any free (or even affordable) webhosting business with it. I think it’s wise to keep the DB and app server local and terminate the TLS locally too. You can still get a cheap VPS or two that you open a secure VPN (like WireGuard) and/or SSH tunnel to. Then on the VPS you can run a second, outer reverse proxy that forwards requests to your internal one over the gateway link. This way you get to keep the data local and safe without having to expose your home net online.

        Many people enjoy Tailscale for this. There are full self-hosted options for that too but it sounds like their solution might fit your situation and requirements.

        If even that feels unsafe, I really think you need to step up a bit on segregating and isolating your stuff, maybe do some homework on security, before putting sensitive stuff like this on shared infra…

        I don’t want to deal with HIPAA or be responsible for medical data, so I specifically don’t want to host the data

        The only (legal) way to not deal with HIPAA is to make sure you’re not in scope for HIPAA. IANAL, but it sounds like you (or worse, somebody else) will retain control and management of medical data with your intended approach, no matter where you host it and how other users authorize?

        You can’t architect, outsource, or encrypt your way out of that. A fully peer-to-peer solution which keeps the data on user devices and under their control and utilizes external server for signalling only but not for relaying or auth might get you there though.
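The layout ken sketches above (DB and TLS termination at home, a VPS that only holds the public port and forwards over a tunnel) as a concrete set of configs. This is an added example, not ken's or the OP's code: the tunnel addresses 10.8.0.1/10.8.0.2, the UDP port 51820, the hostname vps.example.net and the key placeholders are assumptions, and it assumes nginx built with the stream module and nftables on both ends. The VPS proxy is an nginx `stream` block rather than an `http` one on purpose: it relays raw TCP, so the certificate private key and the plaintext never leave the home box.

```bash
#!/bin/sh
# Added example (not from the thread): WireGuard + outer TCP proxy layout.
# All addresses, ports, hostnames and keys below are placeholders; generate
# real keys with `wg genkey | tee priv | wg pubkey > pub` on each box.

VPS_WG_IP=10.8.0.1     # tunnel address of the VPS end (assumption)
HOME_WG_IP=10.8.0.2    # tunnel address of the home box (assumption)
WG_PORT=51820          # the only UDP port the VPS exposes (assumption)

# /etc/wireguard/wg0.conf on the VPS. $1 = VPS private key, $2 = home public key.
render_vps_wg_conf() {
cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = $1

[Peer]
# home box: only its single tunnel address is ever routed down the link
PublicKey = $2
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# wg0.conf on the home box. $1 = home private key, $2 = VPS public key,
# $3 = VPS public hostname or IP. The home side dials out, so nothing is
# port-forwarded on the home router.
render_home_wg_conf() {
cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:${WG_PORT}
# Route only the VPS tunnel address here, never 0.0.0.0/0: the VPS must not
# become the home network's default gateway.
AllowedIPs = ${VPS_WG_IP}/32
# Keep the NAT mapping open so the VPS can reach us without us dialing first.
PersistentKeepalive = 25
EOF
}

# Outer proxy on the VPS: a top-level `stream {}` block for nginx.conf (not
# inside `http {}`). It passes TCP on :443 through the tunnel unchanged, so
# TLS is terminated at home; there is deliberately no ssl_certificate here.
render_vps_proxy_conf() {
cat <<EOF
stream {
    upstream home_api {
        server ${HOME_WG_IP}:443;
    }
    server {
        listen 443;
        proxy_pass home_api;
        proxy_connect_timeout 5s;
    }
}
EOF
}

# nftables on the home box: the API's TLS port answers only to the VPS end of
# the tunnel, on the wg0 interface. Nothing else from outside reaches it.
render_home_nft_rules() {
cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname "wg0" ip saddr ${VPS_WG_IP} tcp dport 443 accept
    }
}
EOF
}

# Usage (after sourcing this file):
#   render_vps_wg_conf  "$(cat vps.priv)"  "$(cat home.pub)" > /etc/wireguard/wg0.conf   # on the VPS
#   render_home_wg_conf "$(cat home.priv)" "$(cat vps.pub)" vps.example.net > /etc/wireguard/wg0.conf
#   render_vps_proxy_conf > /etc/nginx/conf.d/stream-home.conf ; render_home_nft_rules | nft -f -
```

The home side still needs an ordinary TLS-terminating reverse proxy (or the API itself) listening on 10.8.0.2:443 with a certificate for the public name; because the VPS only sees ciphertext, compromise of the VPS yields the ability to blackhole or redirect traffic, not to read the seizure log.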

        • vrek@programming.dev (OP) · 1 · 3 days ago

          The whole idea behind having it hosted is to be able to record stuff when not at home. For example, he had a seizure in the bathroom of a gas station the other day. I’d like to be able to use an app on my phone to generate a JSON file and send it to a server where it’s recorded in a DB.

          The big thing I want is to be able to go to a doctor’s appointment and have a list of all seizures with applicable details. Like “in the last 6 months he had 84 seizures, but you added medication X 4 months ago and as you can see that resulted in an 80% reduction in seizures on a weekly basis” or “he had 45 seizures in 3 months but they mostly happen just after lunch, can we adjust the medication schedule to account for lunch time?”

          I don’t want it completely local on my phone because I want his mother (my girlfriend) to also be able to record incidents if I’m not around and have everything sync to one source of truth. Yeah, I guess it’s possible to record on my phone, record on her phone and then do some sort of merge to generate the full report, but that seems really messy.

          • ken@discuss.tchncs.de · 1 · edited · 2 days ago

            What I hear you say is: this would be convenient and easy for the user. Doing it differently, in a safer way that’s not problematically under the scope of data protection regulations, would be more effort, not what you’re used to and “messy”. Certain useful features seem like they’d require more upfront work, and the whole system would be more complex and unfamiliar.

            How is that relevant? None of that changes what you’re actually asking about or makes it a good approach. I don’t see how it’d make it either safer or less legally problematic?

            • vrek@programming.dev (OP) · 1 · 20 hours ago

              Ok, so what other solutions are there? I want the ability to record medication doses given and seizure incidents from multiple sources into one collection and potentially pull that data to make reports?

              • ken@discuss.tchncs.de · 1 · edited · 8 hours ago

                DM me if you’d like to discuss further consulting on this project. I do think I could help you. However, reaching a proper design for this that is actually appropriate for your situation is non-trivial, goes beyond the scope of a Lemmy thread and would likely be paid.

                I would also like these things to be easier and to just be able to point you to something existing, but the reality is they currently aren’t and such a solution isn’t. But if you do push ahead and are open to sharing (potential security tradeoffs there too), maybe you’re in a position to be part of improving that situation.