We are working on a multi-practice healthcare webform system. Patients will be asked to fill in a questionnaire about their health status during treatment on a regular basis. Forena will be used to graphically report status improvements.
Access to patient submissions_data is only allowed for practitioners from the same practice (that is involved in the treatment).
We have implemented the webform module in a way that patients can enter questionnaires and practitioners can view all webform results. This works great, but practitioners now have access to all patient data, not only to that from 'their own' practice.
As both patients and practitioners have a field 'practice' in their user fields, we would like to filter the results presented by the Webform module based on the practice fields of the current user and the practice field of the user who made the submission.
NB: the practice fields are protected against changes by the user with a rule in the Rules module.

As a first step we have used the Views_php module to enter a php filter in the view submissions as used by the Webform module.

But we still have a "leak" now as in theory practitioners can find patient results by "hacking" the url or, worse even, use the download to download all patient responses.

Would anyone know a better way to implement this submission_data access control requirement?

Any help would be great!

Thanks

Comments

DanChadwick

First, this scares the crap out of me. I don't know what country and rules you have to live by, but in the US there are very serious fines for privacy violation of the HIPAA act.

I suggest that you look through the API file to see what would work for you. There is a submission access hook, if I'm not mistaken. I also suspect that creating your own views with your own privacy protections would be the way to go.

I can't offer you much more site building help beyond that. I'm marking this as fixed, but I'm hoping maybe other webform users can help.

Note: Nothing in this message should be construed as advice or expert opinion about how you should build your site. I have not reviewed the requirements and have not studied the issues.

LeoVe

Dan,
Thanks for your reaction. For your info: we won't go live if we haven't closed the practitioner 'leaks'. There is no access for anonymous users other than logon, and logged-on patients can only enter submissions and view and edit their own submissions.

I wondered, were you scared because we chose to use Drupal for a system like this?

Thanks Dan

DanChadwick

I'm scared because the penalties for a security mistake are immense fines. As Dries famously said, open source software is always a little broken. It isn't anyone's job to make Drupal perfect.

DanChadwick

Status: Active » Fixed
LeoVe

Thanks Dan,

hook_webform_submission_access did the trick.

Just denying access to submissions in the UI and conditionally granting access through the access rules in the hook module.

We'll discuss your thoughts with the responsible healthcare institutions.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
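The hook Dan points to and LeoVe ends up using is hook_webform_submission_access() from the Drupal 7 Webform module. The following is an added example of how such a same-practice check could be written; it is not code from this thread or from the Webform project. It assumes Drupal 7 with Webform 7.x-4.x, a custom module named practice_access, a user field named field_practice on both patient and practitioner accounts, and a role named practitioner; all of those names are assumptions to be adjusted to the actual site.

```php
<?php
/**
 * @file
 * practice_access.module (hypothetical module name).
 *
 * Restricts Webform submissions so that a practitioner can only view
 * submissions made by patients of the same practice. Field name
 * 'field_practice' and role name 'practitioner' are assumptions.
 */

/**
 * Returns the practice value stored on an account, or NULL if none.
 *
 * Accepts either a loaded account object or a uid.
 */
function practice_access_get_practice($account) {
  if (!is_object($account)) {
    $account = user_load($account);
  }
  if (!$account) {
    return NULL;
  }
  // field_get_items() returns FALSE when the field is empty or absent.
  $items = field_get_items('user', $account, 'field_practice');
  return $items ? $items[0]['value'] : NULL;
}

/**
 * Implements hook_webform_submission_access().
 *
 * Webform invokes this for per-submission operations ('view', 'edit',
 * 'delete', 'list'). In Webform 7.x-4.x a FALSE from any module denies the
 * operation, a TRUE grants it, and NULL leaves the decision to Webform's
 * own permission checks.
 */
function practice_access_webform_submission_access($node, $submission, $op = 'view', $account = NULL) {
  global $user;
  $account = isset($account) ? $account : $user;

  // Only intervene for practitioners. Patients keep Webform's default
  // behaviour (the 'access own webform submissions' permission).
  if (!in_array('practitioner', $account->roles, TRUE)) {
    return NULL;
  }

  // 'list' carries no single submission to compare; do not decide here.
  if (!isset($submission)) {
    return NULL;
  }

  // Practitioners may read patient submissions but never edit or delete them.
  if ($op !== 'view') {
    return FALSE;
  }

  $practitioner_practice = practice_access_get_practice($account);
  $patient_practice = practice_access_get_practice($submission->uid);

  // Fail closed: a missing practice on either side (including anonymous
  // submissions, uid 0) denies access rather than falling through.
  if ($practitioner_practice === NULL || $patient_practice === NULL) {
    return FALSE;
  }

  return $practitioner_practice === $patient_practice;
}
```

Two practical notes. First, as LeoVe's final comment describes, this only closes the leak if practitioners do not also hold the blanket 'access all webform results' permission; that permission grants every submission and the results tab (including the download) before the hook is ever consulted, so it must be removed and the hook becomes the sole grant path. Second, the hook is evaluated per submission; the results download and the results table are gated at node level by Webform's results-access check, so confirm in webform.api.php for the installed version whether a separate results-access hook is needed to deny that tab, and test the download URL directly as a practitioner rather than relying on the tab being hidden in the UI.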