05-20-2011, 12:04 AM | #1
ruggeddesign
New Coder

 
Join Date: Aug 2006
Posts: 66
How to be secure? How much should SSL cost?

Hello,

I was hoping someone with some experience coding HIPAA-compliant offsite storage databases and/or e-commerce experience in a secure environment could help me with a couple of questions.

How can I secure a website against eavesdroppers? I assume I need an https connection for all pages transmitting or receiving unencrypted records / login information, do I also need a dedicated IP?

Bluehost.com is my provider and they are offering an SSL certificate and dedicated IP address along with some extra features for ~$240/month, which seems out of reach at the moment.

I understand how to encrypt records to protect against unauthorized access/theft of data, and have even taken measures to protect against rainbow tables by salting the encryption and iterating through encryption 1000 times, as I learned in this article.

I am just worried that just about anybody could theoretically eavesdrop on a regular HTTP connection (plain text, right?), so I have not transferred any patient records or anything else to the web quite yet.

Any general/specific advice would be greatly appreciated. I like to read, so if you have some links or resources you would like to point me towards, bring them on.

Thank you.
05-20-2011, 12:49 AM | #2
oracleguy
Rockstar Coder


 
Join Date: Jun 2002
Location: USA
Posts: 9,042
Well, that article has some good information. I wouldn't use MD5 or SHA1 for passwords, especially if you are dealing with HIPAA compliance. I would use SHA256 instead. Hashing the hashes iteratively 100 times isn't really going to make that big of a difference compared to the other possible attack vectors.

You certainly should be using HTTPS for sensitive data like patient records. I don't know a lot about HIPAA compliance, but using a shared server with other customers might be a problem. And if BlueHost doesn't keep up to date on security patches for the software running on the server, that could also be a serious problem.
__________________
OracleGuy
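Added example (not code from either poster): the salted, iterated hashing the thread discusses, written in Python with SHA-256 as the reply recommends. It puts the hand-rolled loop the original poster describes beside the standardised form of the same idea (PBKDF2-HMAC-SHA256), stores a fresh random salt and the iteration count alongside each digest, and verifies with a constant-time comparison. The storage format and function names are this example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # iteration count the original poster mentions; raise it as hardware gets faster
SALT_BYTES = 16     # per-user random salt, so two users with the same password get different digests


def iterated_sha256(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hand-rolled salted, iterated SHA-256, as described in the thread.

    The salt is mixed into every round, not only prepended once, so each
    round depends on both the salt and the previous digest.
    """
    digest = password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The same construction in its standardised form: PBKDF2 with HMAC-SHA256 (RFC 8018)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Return a storable record: scheme$iterations$salt_hex$digest_hex (format chosen for this example)."""
    salt = os.urandom(SALT_BYTES)
    digest = pbkdf2_sha256(password, salt)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = pbkdf2_sha256(password, bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Storing the iteration count with each record lets you raise the cost later and re-hash users as they log in, without invalidating existing records.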