Hello there,
I was wondering if someone could answer the questions about the certification requirements for OpenEMR, I haven’t been able to find an answer to:
Thanks!
https://www.open-emr.org/wiki/index.php/Integrity_(MU2) from https://www.open-emr.org/wiki/index.php/OpenEMR_Certification_Stage_II_Meaningful_Use#Privacy_and_Security_.28170.314.28d.29.29
Thanks, that’s what I was looking for…
Seems that one of the related criteria (170.315(d)(8) Integrity) is explicitly requiring SHA-2 algorithm for hashing.
Can anyone please confirm that the latest OpenEMR is compliant with this requirement?
170.315(d)(8) Integrity – The hashing algorithm listed was SHA-1. The minimum version required is SHA-2. You will need to update your product to support one of the following SHA-2 algorithms in order to be granted certification to (d)(8):
o SHA-224,
o SHA-256
o SHA-384
o SHA-512
o SHA-512/224
o SHA-512/256
I’m not sure about messaging but it would appear that user passwords use sha-1.
If you look in openemr/library/authentication/ you can find it in the password_hashing.php file. I imagine it wouldn’t be too much of an undertaking to move to switch to sha-2.
hi @igorjovanovic,
that’s for 2015 CEHRT but not part of the base EHR definition which is what we are shooting for this year. OpenEMR did achieve 2014 CEHRT which supports 170.314(d)(8)
Hi @igorjovanovic ,
If I’m understanding this correctly OpenEMR is currently compliant with 170.314(d)(8) under meaningful use 2.
You’re looking for compliance with 170.315(d)(8), under meaningful use 3. I believe meaningful use 3 requirements were only finalized earlier this month.
Meaningful Use 3 compliance/certification is in the works. It’s just a matter of finding the developer hours to get it all implemented.
Is your question more about the status of meaningful use 3 or SHA-2 messaging specifically? If it’s something you need sooner rather than later, google summer of code is about to start. You could see if one of participants wants to take on updating from SHA-1 to SHA-2 as part of their project.
Are you on slack? If you have more questions about meaningful use and certification maybe we could start a slack channel to discuss further:
https://www.open-emr.org/wiki/index.php/OpenEMR_Slack_Chat
Many thanks Rachel!
Yes, we’re interested in implementing SHA-2 as per 170.315 (d)(8) and are willing to dedicate developer hours for the task.
Can you share more details, including the requirements?
Igor
the ink isn’t dry on the cures act and it’s not yet published in the federal register so there’s no up to date info for testing but there’s this:
https://www.healthit.gov/topic/certification-ehrs/onc-health-it-certification-program-test-method-2020-preview
Hi Igor,
So reading the below link, which may not be the most up to date given the recent finalization:
https://www.healthit.gov/test-method/integrity
“Technical outcome – The health IT can create a message digest using a hashing algorithm with security strength equal or greater than SHA-2.”
“Technical outcome – The health IT must be able to verify, in accordance with a hashing algorithm with security strength equal or greater than SHA-2, that information has not been altered or changed in any way.”
Under the clarification section:
"
If you look a the bolded portion, it seems that the requirement states that you need to be able to use SHA2, but it doesn’t need to force the clinician to use it. I’m also interpreting that you don’t need to go back and apply it retroactively to older messages.