Let's say I run a medical facility and want a website where my users/patients can look up their private records. What would be the best solution
OK, I will just try to build up a little on what you already proposed. Firstly, you might want to research the technologies behind the Mega website; it presumably uses exactly what you'd be interested in. On-the-fly JS-based encryption, however, still does have some weaknesses. That being said, it would not be easy to implement on-the-fly decryption of the records with JS and HTML, though not impossible. Thus, yes, I would say you are generally thinking in the right direction.
Regardless, you would have to consider all the common attack techniques and defenses (website attacks, server attacks, etc.), but this topic is way too broad to be covered fully and completely in a single answer. And needless to say, those are already very well covered in other answers.
As for 'architecture', if you are really paranoid you could also have the database on a separate server, which runs the database on an obscure port and allows incoming connections only from the webserver.