Let's say I run a medical facility and want a website where my users/patients can look up their private records. What would be the best solution?
This is what I'm thinking:
All records are stored on my home computer (offline), encrypted with my personal key. Within this computer there are the patient records and a private and a public key for each user. This computer uploads new data, as is, encrypted, to the webserver.
The webserver only contains encrypted data.
I supply the public key to my users. Be it using email sent from somewhere else, or even by snail mail.
Webserver decrypts data on every request. Because the user's password is its public key, decryption on the server can only happen while there's an active session.
Because there are asymmetric keys in play, I can even insert new encrypted data on the webserver (user input) and later fetch it to my offline computer.
Downside: Requesting a new password requires the offline computer to upload re-encrypted data and to send a new password somehow.
Upside: Makes the webserver security concerns less relevant.
Is this the best solution?
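The encrypt-offline, store-ciphertext-only, decrypt-during-session flow described in the question, as an added example that is not part of the original post. It uses only Go's standard library and assumes an RSA-2048 keypair per patient generated on the offline computer, that the key material handed to the patient is the private (decryption) key while the public key stays on the webserver so user input can be encrypted for the offline computer, and that records are wrapped with hybrid encryption (a fresh AES-256-GCM data key wrapped under RSA-OAEP). The record text and patient ID are constructed sample values. It goes one step beyond the text by binding each blob to a patient ID as authenticated data, so a stored blob that is tampered with or re-attached to another patient fails to decrypt rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredRecord is everything the webserver keeps for one record: only
// ciphertext plus a wrapped data key. Nothing here is readable without
// the patient's private key. (Constructed layout for this example.)
type StoredRecord struct {
	WrappedKey []byte // AES data key encrypted with RSA-OAEP under the patient's public key
	Nonce      []byte // AES-GCM nonce, freshly random per record
	Ciphertext []byte // AES-GCM ciphertext with its authentication tag appended
}

// GenerateUserKeys runs on the offline computer: one keypair per patient.
func GenerateUserKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptRecord performs hybrid encryption: a random AES-256 key protects the
// record, and that key is wrapped with the patient's public key. Anyone holding
// only the public key (e.g. the webserver taking user input) can produce a
// blob that only the private-key holder can open.
func EncryptRecord(pub *rsa.PublicKey, plaintext []byte, patientID string) (*StoredRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	// The patient ID is used as the OAEP label and as GCM associated data:
	// it is authenticated, not encrypted, so the blob cannot be silently
	// re-attached to a different patient.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(patientID))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	return &StoredRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord is the per-request step on the webserver during an active
// session, using private key material the patient supplied. Without that key
// the stored blob is opaque; with the wrong key, a wrong patient ID, or any
// modified byte, decryption fails closed instead of returning data.
func DecryptRecord(priv *rsa.PrivateKey, rec *StoredRecord, patientID string) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, []byte(patientID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong key, wrong patient, or corrupted record")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(patientID))
	if err != nil {
		return nil, errors.New("record failed authentication: tampered or wrong patient")
	}
	return pt, nil
}

func main() {
	priv, err := GenerateUserKeys() // offline computer
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the webserver only ever sees the result of EncryptRecord.
	rec, err := EncryptRecord(&priv.PublicKey, []byte("constructed sample: blood type O+"), "patient-0001")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(priv, rec, "patient-0001")
	fmt.Printf("session decrypt: %q err=%v\n", pt, err)
	rec.Ciphertext[0] ^= 1 // simulate a modified blob on the webserver
	_, err = DecryptRecord(priv, rec, "patient-0001")
	fmt.Println("after tampering:", err)
}
```

The point to check in a real deployment is where the private key lives between requests: in this scheme it must exist on the webserver only for the duration of the session and never be written to disk there, otherwise the "server holds only ciphertext" property is lost.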