Confidential comments

Hi. I’m building a website for a medical organisation. They want to allow visitors to the website to be able to contact them about medical issues and, since these may be confidential, I want to be able to recommend an appropriately secure way for them to do this. I want to use comments to allow them to submit these queries as it makes maximum use of WP and is way more secure than email.

I think my recommendations should be:
1. Run the site over https with a good SSL certificate;
2. Require strong passwords for the admin area;
3. Permissions on all files to be 644.

Is this going to be sufficient? Is WordPress and comments appropriately secure for this? Can I run the site over http except for a specific page or two?

I’m not an expert so any advice would be helpful. Thanks.