I’ve been fooling around with OpenEMR for a few months now and really enjoy it. I didn’t have much luck with XAMPP on my Mac, but since creating a Debian VM on my Mac and following Brady Miller’s Easy Docker Development videos I’ve been able to create my own instance of OpenEMR. Even better, it actually works, allowing me to play with more of the features, like the layout-based forms. I’ve even gotten the Weno Exchange test pharmacy working too.
My question is: can this environment be used for real? What changes (if any) would need to be made to lock it down? In one of Brady’s videos, he used the openemr-cmd dr command to reset OpenEMR w/o the automatic setup/configuration, allowing one to manually set up/configure the testing environment. Would that help lock it down “enough”? I also saw a Wiki about making various scripting changes to make OpenEMR more secure after an update; is that a better method?
I assume the answers to the above questions depend on my use case. I’m a Psychiatric NP and see about 50 people at a Board & Care. I’m the only one that would ever have access to this program and it won’t be accessed via the internet. The only internet access would be Weno Exchange sending new prescriptions to the pharmacy. I have to use a separate billing process, so I won’t be using it for billing at this time either.
I appreciate any insight one can provide me. Thank you!
Hi @Even_Pitch,
I also started using OpenEMR a few months ago. I installed my OpenEMR on a Debian VM in the cloud. I was able to use the cloud provider firewall to restrict access to my home and office IP addresses. I have been using it to write notes and submit claims and it is working for my use case.
While OpenEMR can be installed on a VM on your computer, I believe the cloud offers a much safer and more reliable option. With a cloud setup, you mitigate risks such as hard drive failure, theft of your laptop, using less PC resources (memory / CPU), etc. It also allows you to add users (providers, nurses, front desk, etc.), giving you peace of mind and allowing you to focus on your practice.
I have been debating between a computer-based environment vs a cloud-based environment for my OpenEMR setup as well. While I do use a VPN on the regular, with a cloud-based environment, there is the chance of an internet outage, which is a risk up there with hard drive failure or stolen laptop. If I were to use a cloud-based environment, it would be self-hosted because I just don’t want a third party involved. Also, being the only person using OpenEMR, and seeing as I’d only be using it for 50 patients for the foreseeable future, I don’t want to pay for a third-party cloud service either.
Whether I use a cloud-based environment or computer-based environment, I am still curious, can I use the Easy Docker Development release in a live environment? And, if so, what security changes should be made (if any) to the Easy Docker Development release prior to using it in a live environment?
Hi @Even_Pitch,
Short answer is I would not use this in production, since there are many things in there that make the developers’ lives much easier but are not secure (such as xdebug use, in addition to other things I can’t recall). Trying to secure it after the fact would not be easy and I’d worry that I would miss things. Now that you are proficient at docker, I would instead build upon an OpenEMR production stack in your Ubuntu VM (if going to use computer-based rather than cloud-based). Here is a good starting point docker-compose.yml: openemr/docker/production/docker-compose.yml at v7_0_2_3 · openemr/openemr · GitHub
(ensure you change the MYSQL_USER, MYSQL_PASS, OE_USER, OE_PASS settings to something else; OpenEMR will use these when building the database and installing OpenEMR).
Then I recommend ensuring you have a good strategy for backup and restore before going into production. And also put some thought into security (i.e. ensure you are using https instead of http, etc.). Note that with the production stack everything is contained within the docker, so you need to go into the docker to do server-related stuff. A very nice thing about the production docker stacks is that it is very easy to upgrade to new OpenEMR versions in the future.
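A pre-deployment check for the points raised in the reply above, as an added example that is not part of the original post or of the OpenEMR project: it scans a docker-compose.yml for the four credentials left at weak values, for any xdebug setting, and for a plain-http port mapping. The function name, the weak-value list and the sample file are assumptions constructed for illustration.

```python
import re

# The four settings the reply says to change before OpenEMR is first started.
CREDENTIAL_KEYS = ("MYSQL_USER", "MYSQL_PASS", "OE_USER", "OE_PASS")
# Constructed list of weak values for this example, not taken from the page.
WEAK_VALUES = {"", "openemr", "admin", "pass", "root", "password", "changeme"}
KEY_VALUE = re.compile(r"^\s*-?\s*([A-Z][A-Z0-9_]*)\s*[:=]\s*(.*?)\s*$")
PORT_ITEM = re.compile(r"^\s*-\s*[\"']?(?:[\d.]+:)?(\d+):(\d+)(?:/tcp)?[\"']?\s*$")


def audit_compose(text):
    """Return a sorted list of findings for a docker-compose.yml given as text."""
    findings, seen = set(), {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0]  # drop trailing comments
        if line.lstrip().startswith("#"):
            continue
        if "xdebug" in line.lower():  # heuristic marker of a development stack
            findings.add("xdebug setting present (development stack marker)")
        m = KEY_VALUE.match(line)
        if m:
            seen[m.group(1)] = m.group(2).strip("\"'")
        p = PORT_ITEM.match(line)
        if p and p.group(2) == "80":  # container port 80 is served without TLS
            findings.add("container port 80 published (plain http)")
    for key in CREDENTIAL_KEYS:
        if key not in seen:
            findings.add(f"{key} not set")
        elif seen[key].lower() in WEAK_VALUES:
            findings.add(f"{key} left at a weak value")
    return sorted(findings)


# Constructed sample resembling an unedited development-style compose file.
SAMPLE_DEV = """\
services:
  openemr:
    ports:
      - 80:80
    environment:
      MYSQL_USER: openemr
      MYSQL_PASS: openemr
      OE_USER: admin
      OE_PASS: pass
      XDEBUG_IDE_KEY: PHPSTORM
"""

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_DEV):
        print(finding)
```

An empty result only means these specific checks passed; it does not cover backups or the other items mentioned in the reply.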
Thank you so much @brady.miller! Understood. I’ll get started with the link after the New Year.
One “last” question if you don’t mind. Is the openemr-cmd available on the production version? It took me several hours working with the LBFs, creating a “fancy” progress note template in the easy development version, along with creating some test psychiatric patients and used the openemr-cmd to create a snapshot/capsule. So, I’m wondering, once I create the docker production version on my VM, is the openemr-cmd available to restore from the capsule/snapshot I created?
Hi @Even_Pitch,
The production versions do not have openemr-cmd and will rely on a more traditional mechanism of backing up (both the entire codebase and the database) rather than the easy-dev way, which is able to take a shortcut in order to make it easier for developers to work from the most recent codebase in easy-dev (the snapshot only saves the sites directory and the database and does not save the codebase). Also, in your case, note you are working on the most recent development version, so you won’t be able to take your database changes backwards to a prior production version.