I'd like to update the WIKI for the AWS Marketplace Cloud Packages

Because the data there are outdated.

I need info from an expert on the current differences between the Express and Standard OpenEMR versions, which are the only two AWS options now available.

Does the Standard need a bigger machine?
Does Express not encrypt the database?
Do both prevent caching of pages, so no PHI is left on user devices after logoff?
Why would a user install one or the other?

The GitHub instructions say, “the Marketplace-supplied instance of OpenEMR Cloud Express does not meet some parts of the HIPAA Security Rule.” Can some expert be more explicit?

I can research the Amazon machines available.
Amazon will now sign a BAA for any EC2 machine, and one could manually turn on database encryption which Amazon’s BAA requires.

Just FYI AWS now has a “Graviton” option the same size as the t2.micro, 1 core /1gb ram = t4g.micro @ $0.0084 per hour or $6.25/mo included in Amazon’s free tier for a year.
Thus I believe the minimum cost for a standard install is now $6.25/mo, not $75, and one user mentioned a t2 micro ec2 1 core /1gb ram easily supported 20 simultaneous users for a 2 provider office.

Could one of the experts either post the differences here or email me and I’ll update the WIKI?

Hi @VWfeature, Express Plus is available at this link for the east1 region.

Hmm, the template says 5.0.2, @jesdynf, isn’t Express Plus available for v6?

It is using version 6, yes.

However, it’s not the choice of worker instance that makes Standard cost what it does, and (among many other rules) HIPAA requires encryption-at-rest which is incompatible with bare AMIs distributed through Marketplace.

I recommend that you examine Standard and Express Plus and observe how their configurations diverge from the single-AMI slap-and-go and interact with AWS tools and services.

In terms of differences for standard vs express+plus.

Standard separates the webserver from the database server, which is better for both security and availability (it can support more users and more load). On the flip side, it is more expensive having the database separated from the webserver. AWS RDS does a number of security checks / updates that you don’t have to manage on your own, which is another nice perk but does cost more.

Hi Dr Densmore-Lynn,

HIPAA is covered in several different laws, which makes it complicated. There’s one set of rules for CEHRT for what an EMR has to be able to do, and another for Covered Entities and what they have to do. HIPAA compliance is a process, not a set of rules. Lots of people incorrectly say “you must do this or that,” e.g. encryption.

FWIW, in the Security rule 45 CFR § 164.312 encryption is addressable, not required.

Amazon’s BAA requires PHI to be encrypted, which it is in the AWS Express version I installed (Global setting 1.4.32 to encrypt the DB.) That plus HTTPS should satisfy HIPAA for most users, unless there’s more I don’t know about, which is a huge subject.

Many HIPAA violations have come from PHI cached on user laptops that were stolen. Does OpenEMR prevent caching? I looked at the HTML for the demo and didn’t see the string Cache-Control: no-cache header, but I’m not an HTML expert, so I mention it as a concern which has probably already been addressed by those more expert, not a criticism.

Thanks, Mr Nielson for the detail.

I saw someone commented they easily supported 20 simultaneous users for 2 providers on a t2.micro instance (1 CPU, 1GB ram) but they didn’t mention which version they were running.

This is the kind of info I’d like to put in the WIKI.
Could the experts supply use case anecdotes re ‘how many users’ and versions for people considering OpenEMR?

Am on mobile right now, but don’t forget documents that are uploaded and sit on the file system. Express can’t fix this because Marketplace AMIs can’t ship with encryption turned on, or couldn’t when I was looking at them.

Standard solves this by allocating a second EBS volume and using the managed, audited KMS key to encrypt the drive, then moving the containers to live on the new drive. Express Plus solves it by not having to operate through Marketplace and enjoying more flexibility about how software can be installed post-launch.

I think you’ll be happier working with Express Plus than dealing with the limitations Express imposed.

Remember I’m an ignorant user–
[Image: screenshot of the settings referred to below]

This is from my test install of Express on AWS. I haven’t changed any of these settings.
It looks as though this would encrypt document uploads.

Assuming the setting above would encrypt uploaded documents, all that would be needed for HIPAA is to conform with the Amazon BAA, which requires https and DB encryption.

How would one turn on database encryption? I don’t see it.
I found Administration-Global-Security “Enable Client SSL”

There should be an automated way to set up SSL/https access to the OpenEMR logon. Is there?

I don’t know if that’s different with a domain. I’m just using the access from https://console.aws.amazon.com/

How is Express Plus different from Express?
FWIW, Express Plus isn’t a choice at the AWS OpenEMR store.

Summary-
Express encrypts uploaded documents by default.
Need easy way to turn on DB encryption and https/SSL for HIPAA.

I think you’re right about enabling encryption on drive. Https can be forced with setup of let’s encrypt but the setup of the certs/keys for the mysql->openemr connection is more involved.

Note that not everything stored by OpenEMR is encrypted with that setting:

There are also likely some logs stored there not encrypted and also stuff in tmp and other temporary folders that are not encrypted.

I apologize for asking all these detailed questions, but they ARE what US users will need to know. Getting them all in one place and managing for HIPAA compliance are my interests. Thanks for your responses!

There are a lot of moving parts here. My goal is to outline all the requirements for the use case of a solo office to set up OE on AWS EC2, compliant with HIPAA and Amazon’s BAA, without needing the command line.

Amazon’s BAA requires:

  • Database encrypted at rest
  • SSL/https access over the web
  • ‘Highest level of audit logging’ and ‘Maximum retention of logs’

The link Brady sent seems to show that all PHI in OE is encrypted by default, so that’s fine. Blank forms and temp files don’t need to be encrypted.

The link Stephen gave for setup of let’s encrypt goes to the Lightsail installer. Since Lightsail is still not on the AWS “HIPAA eligible” list, I don’t think it solves the problem of how to get https on EC2?
Based on what I see, adding SSL is the only requirement to make Express eligible for compliance w HIPAA.
Is there a way to add automatic SSL/https access to the AWS installs?

The AWS store has the Express and Standard installs.
Can the Express Plus be added? I get that EP is setup using AWS CloudFormation, but not how that changes anything for the user.
How is Express Plus different from Express, since they’re both HIPAA eligible services?

The least $$ EC2 instances are now ‘Graviton’ t4. The t4.micro has 2CPUs, vs. 1 for t3.micro and same 1GiB ram, will run Linux, so is there any reason not to use t4 instances for OE? (They’re not allowed last time I looked.)

Express Plus isn’t in the AWS Marketplace, that’s correct – it’s a CloudFormation template that sidesteps Marketplace deployment rules and picks up everything it can inexpensively leverage in AWS without the expensive production RDS instance.

Adding Let’s Encrypt at first launch to Standard or Express Plus isn’t feasible because it requires DNS configuration – LE requires that there be DNS somewhere that points to the agent, and there’s not a sensible way to communicate those changes in time.

It would probably be possible to add it to Standard; I continue to encourage you to familiarize yourself with how those products are configured, because the steps they take are the answers I’ve given to HIPAA eligibility. See the openemr-devops repo; look for the Troposphere Python document that generates the CloudFormation template. You’d need to force the domain to be hosted in Route53, and then add some bridging (maybe another Lambda function?) capable of adding or updating the A record with the created instance and then waiting out TTL before the CFT was allowed to continue processing.

The Graviton instances are ARM instances, and we actually have ARM builds for OpenEMR – I was targeting the Raspberry Pi, but we do have them – but I have to manually build all the images for Express and Standard and I don’t think I can use a different AMI for different instance targets, I’d need third and fourth catalog entries (Express ARM, Standard ARM?) for that and right now there’s no (okay, one) demand for them.

I have to say I disagree with your premise that “addressable” means “ignorable” – yes, it’s true that you could just write down “didn’t do it lol” and declare you’ve met that specific requirement of documentation, but you’ll see “reasonable and appropriate” used in discussions of the Security Rule. HIPAA sets out broad expectations for what’s expected, and Express falls so far short of what’s possible with the platform (automated off-instance document backups, managed database, managed encryption, CloudWatch logs, proper networking security, fresh stack restores) that it’s hard to say Express’ lack of capacity can be said to be reasonable. Express was designed for developers and off-shore users who didn’t have HIPAA breathing down their necks. I don’t intend to permit Express to be relabeled as HIPAA-eligible without a correction from somebody with experience as a compliance officer.

(Also, as a minor point, I’m not a doctor.)

https://www.hipaajournal.com/hipaa-encryption-requirements/

If you are operating in a local network just inside your own firewalled office where the information never leaves your network and there is no network access to the OpenEMR installation, then you could argue in your security audit and HIPAA documentation that your other security measures have mitigated the need for encryption of the data. This type of use case is what HIPAA security bulletins have outlined as the rationale for why the encryption requirement is ‘addressable’ and not ‘required’.

I’m pretty confident from my own detailed analysis of the AWS Cloud and HIPAA security requirements that using an AWS cloud version of OpenEMR requires using encryption at rest as well as end to end encryption during transit (data moving over the networks). Failing to have the data encrypted at all points of the application while running in the cloud will open up the organization to Tier 3 and potentially Tier 4 HIPAA violation penalties in the event of a breach.

In my own HIPAA applications I actually go a step further and use Amazon KMS to encrypt PHI data at the individual column level. At some point I’ll be writing a module to add this capability to OpenEMR as it makes security audits even easier as a compromise of the database data (at the application level) does not constitute a security breach.

So if I understand correctly, the Express from AWS marketplace encrypts the DB, plus other saved documents, which is all the PHI it contains. It has some sort of logging which is turned on by default, and of course https access can be set up. I understand 2FA is available too, thanks to Brady.

That means it satisfies Amazon’s BAA, plus HHS’s requirements for using a cloud service, which is basically to have a BAA.

That means Express can satisfy the requirements of a privacy policy, which means there’s no HIPAA problem.

I recall Express has automated data backup.
Can that be directed to an S3 bucket or a server in my closet?
Is the default backup the same machine as the installation?

I have a long rant about HIPAA, but briefly, if a Covered Entity (CE) has a privacy policy and has made a security assessment and follows them, the CE is compliant with HIPAA.

The questions I needed answered are:
Does Express encrypt the database? YES
Does Express keep logs? I presume so.

I don’t see why you are concerned about a Covered Entity (CE) being compliant with their privacy policy and security risk assessment with Express.

Background information about HIPAA–

"HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as "HIPAA compliant." "

"OCR has investigated and resolved over 29,149 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance.…To date, OCR has settled or imposed a civil money penalty in 101 cases "

"OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions."

just FYI-
In one of the 101 cases where ONC levied a fine, a laptop with ~1300 entire patient records was stolen. It had no encryption or other security.
The clinic had no security officer or privacy policy, had not done a security assessment, and did not notify patients about the data breach.

that’s incorrect, it’s express plus that encrypts the db and saved documents

I was basing that on Brady’s comment

And the confusion is why I’m asking!
Amazon’s BAA requires PHI encryption.

Also, could someone comment about OpenEMR preventing or not preventing browser caching PHI on users’ machines?

Having PHI cached, and then having laptops stolen is a common way PHI gets breached. If PHI is cached, CEs’ privacy policies and security assessments need to address it. If all the PHI is only on the server, that makes protecting it much easier.

Pretty much every php page (those that would have patient data on them) that I see on OpenEMR tells the browser not to cache.

The cache header that is used is here:
Cache-Control: no-store, no-cache, must-revalidate

I haven’t seen anything on javascript land that uses local-storage or the session-storage to cache anything. OpenEMR in all of the codebase areas I’ve been involved in does not do much caching at all anywhere which is both a blessing for PHI security and a curse for performance.

BTW this assumes that a user is using the modern mainstream browsers without any nefarious extensions installed. There is literally nothing you can do to prevent caching if the end-user does not use mainstream browsers. I’m pretty sure you know this already, but in case anyone else is reading this post I wanted to make the obvious point.
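
Added example (not written by any poster in this thread and not OpenEMR code): a Python check that reads the Cache-Control header of a raw HTTP response and reports why a browser might keep the page on the user's device. The function names and the sample responses are constructed for illustration. Note that `no-cache` alone only forces revalidation, while `no-store` is the directive that forbids storing the response.

```python
from typing import Optional

def parse_cache_control(raw_response: str) -> Optional[dict]:
    """Return merged Cache-Control directives from a raw HTTP response head,
    or None when the header is absent. Hypothetical helper for this example;
    quoted directive values containing commas are not handled."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    directives = {}
    seen = False
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cache-control":
            continue
        seen = True
        for item in value.split(","):             # header may list several
            key, _, arg = item.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"')
    return directives if seen else None

def audit(raw_response: str) -> list:
    """List reasons the response may be kept on the user's device."""
    cc = parse_cache_control(raw_response)
    if cc is None:
        return ["no Cache-Control header: browser may cache heuristically"]
    findings = []
    if "no-store" not in cc:
        findings.append("no-store missing: response may be written to disk")
    if "public" in cc:
        findings.append("public: shared caches are allowed to keep a copy")
    return findings

# Constructed sample responses; the first uses the header quoted in the thread.
SAMPLES = {
    "thread header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     "Cache-Control: no-store, no-cache, must-revalidate\r\n\r\n",
    "no-cache only": "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n\r\n",
    "public asset": "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\n\r\n",
    "no header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit(raw) or "ok")
```

The same check can be pointed at response heads saved from a test install, for example ones captured with the browser's developer tools.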