How secure is having OpenEMR running online?

octort wrote on Wednesday, June 01, 2011:

I just installed OpenEMR on the web and it is running fine so far. I need to know if it is safe to start loading patient data now or if I need to install additional features to make it more secure. I will appreciate any comments or suggestions. Thanks!

tmccormi wrote on Wednesday, June 01, 2011:

That depends entirely on how you installed it and where. “The web” is a very broad term. If you don’t know how secure it is, then it’s likely to be VERY VERY insecure. HIPAA compliance is not easy.
-Tony

tkersey wrote on Friday, July 01, 2011:

IMHO, the only way to totally secure anything is to lock it up and never allow access to it from anywhere, especially the internet. However, even the gov understands that it is really about risk assessment. We can reduce the risk of compromise with firewalls, limited access, encryption, etc.; but nothing is ever really secure that is attached to the internet. Hackers break into government installations, banks, and other “secure” sites quite frequently. There is a conflict (I think) between HIPAA rules and the government-mandated EHR access. I could be wrong; what do you think?

bradymiller wrote on Saturday, July 02, 2011:

Hi,

If you place OpenEMR on the web, I recommend forcing client certificate authentication with Apache (i.e., I would not rely on OpenEMR’s authentication).

-brady

octort wrote on Tuesday, August 16, 2011:

HTTPS is not enough for security?

sunsetsystems wrote on Tuesday, August 16, 2011:

As Brady suggests, HTTPS should be pretty good IF used in conjunction with client-side certificates.  OpenEMR’s security is not adequately tested to trust anything less.

Rod
www.sunsetsystems.com
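
The client-certificate setup Brady and Rod recommend, sketched as an Apache mod_ssl virtual host (an added example, not part of the original thread or of OpenEMR's documentation). The hostname and all file paths are placeholders, and the revocation directives assume Apache 2.4.

```apache
# Added example. emr.example.org, the DocumentRoot and every path under
# /etc/ssl/emr/ are placeholders; adjust them to the actual installation.
<VirtualHost *:443>
    ServerName emr.example.org
    DocumentRoot /var/www/openemr

    SSLEngine on
    SSLCertificateFile    /etc/ssl/emr/server.crt
    SSLCertificateKeyFile /etc/ssl/emr/server.key

    # CA that signs the certificates issued to clinic staff. Use a private CA
    # created for this purpose, not a public CA bundle, so that only
    # certificates you issued yourself are accepted.
    SSLCACertificateFile  /etc/ssl/emr/clinic-client-ca.crt

    # Weak setting: "optional" lets the TLS handshake succeed without a
    # client certificate, so the OpenEMR login page stays reachable by anyone.
    # SSLVerifyClient optional

    # Enforced setting: the handshake fails unless the browser presents a
    # certificate that chains to the CA above. OpenEMR's own login then acts
    # as a second layer rather than the only one.
    SSLVerifyClient require
    # Client certificates must be signed directly by the CA above.
    SSLVerifyDepth  1

    # Reject certificates that have been revoked (lost laptop, departed
    # staff). Apache 2.4 syntax; the CRL file has to be kept up to date.
    SSLCARevocationFile  /etc/ssl/emr/clinic-client-ca.crl
    SSLCARevocationCheck chain
</VirtualHost>

# Plain HTTP only redirects to the protected virtual host.
<VirtualHost *:80>
    ServerName emr.example.org
    Redirect permanent / https://emr.example.org/
</VirtualHost>
```

After reloading Apache, a browser without an installed client certificate should fail the TLS handshake before it reaches the OpenEMR login page.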

octort wrote on Friday, October 28, 2011:

HTTPS encrypts data only from the Host to the Client but not from the MySQL server to the Host or from MySQL to a remote Client, am I right? I saw an option to enable SSL on MySQL for remote connections (I do access my DB remotely). If I enable SSL on MySQL, do I have to change some settings in OpenEMR? Thanks!

bradymiller wrote on Saturday, October 29, 2011:

Hi,

Check out:
http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html

It looks like this feature needs to be compiled within MySQL (so I would ensure that your instance of MySQL supports it). This MySQL feature is independent of OpenEMR (i.e., no settings should need to be modified within OpenEMR).

-brady

octort wrote on Tuesday, November 01, 2011:

I requested a MySQL SSL install from my hosting company; it looks like the MySQL version needs to be changed:

The current version of MySQL (5.0.92) on your system does not support SSL encryption and we would not be able to install the certificate at this time.  In order to do the install, we would need to upgrade the version to the latest version supported by cPanel (which is currently 5.1.56) which does support SSL connections.

My question now is whether OpenEMR will work with version 5.1.56. Thanks in advance!

bradymiller wrote on Wednesday, November 02, 2011:

Hi,

Should be fine as long as it’s configured the same. Would test it out first.

-brady

octort wrote on Monday, November 14, 2011:

It is working just fine, thanks!