I was reading an article on new HIPAA rules and one of them is to ensure that electronic health information is encrypted and cannot be accessed if lost or stolen. I think this refers to having the actual computer you are using stolen, which a native OpenEMR office installation would not seem to meet. I think I did figure out a way to do that, and I wonder what the community thinks. I used TrueCrypt to make an encrypted file on the hard drive that, when mounted, shows up with its own drive letter. I mounted it as drive N and put the entire XAMPP Windows directory in it. I then used the XAMPP control panel to run MySQL and Apache from the N drive. You can then sign on as usual. This way, if the computer is unplugged and stolen, all patient information sits encrypted on the hard drive and is not accessible unless the N drive is mounted by TrueCrypt. I believe this meets the requirement of encryption at rest. If so, then next I need to work on the requirement for encryption for transmission for eventual patient portals and lab interface. Any comments would help.
That does meet the requirement. Patient Portals and Lab Interfaces are done by enabling HTTPS:// (SSL in Apache, typically) which takes care of the transmission encryption.
In the Firefox browser, Options->Advanced->Encryption, 2 different protocols are chosen by default. See attachment. Does this mean that until HTTPS has been enabled, SSL will not be deployed?
SSL 3.0 and TLS 1.0 are older protocols with vulnerabilities. http://www.kb.cert.org/vuls/id/864643
What that means is: do you want to allow Firefox to connect to sites that haven’t been properly upgraded?
By the way, under Linux you can use “encfs” to encrypt one or more specific directories which are then accessed as mounted volumes. Cryptkeeper is one handy GUI to manage that. The advantage over TrueCrypt is that you’re using space as needed; you don’t have to pre-allocate a volume just for encryption.
The instructions to make Firefox a bit more secure are short and concise.
Where can these instructions be implemented in the wiki pages? I tried to find “a best spot” but did not find anything on browser security in general.
I remember from a long-ago forum discussion that there were more settings to make Firefox a great browser for OpenEMR, about the same steps but different input for different objects.
Just remember it doesn’t matter what settings are enabled in your browser, unless Apache has also been upgraded to provide stronger encryption protocols on the server side as well.
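One way to check the server side that the last post refers to, as an added example that is not part of the original thread: this Python sketch evaluates Apache mod_ssl `SSLProtocol` lines and reports where SSL 3.0 or TLS 1.0 is still enabled. The function names and the sample config are constructed for illustration, and `all` is assumed to expand to every protocol listed (worst case), since its real meaning depends on the Apache/OpenSSL build.

```python
import re

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv3", "TLSv1"}  # the two older protocols named in the thread
CANON = {p.lower(): p for p in KNOWN}  # protocol names are case-insensitive


def enabled_protocols(directive_args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does:
    '+X' adds, '-X' removes, a bare token replaces everything set so far."""
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            chosen = set(KNOWN)  # assumption: worst-case expansion of "all"
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError(f"unrecognised protocol token: {token!r}")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = set(chosen)  # bare token overrides earlier ones
    return enabled


def audit_config(text):
    """Return {line_no: weak protocols still enabled} for every active
    (uncommented) SSLProtocol line in an httpd / ssl config file."""
    findings = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            weak = sorted(enabled_protocols(m.group(1)) & WEAK)
            if weak:
                findings[no] = weak
    return findings


# Constructed sample config, not taken from a real server.
SAMPLE = """\
<VirtualHost *:443>
    # SSLProtocol all
    SSLProtocol all
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, weak in audit_config(SAMPLE).items():
        print(f"line {line_no}: weak protocols enabled: {', '.join(weak)}")
```

A bare token such as `TLSv1` after `all -SSLv3` silently replaces the whole list, which is why the evaluator models that case rather than only `+` and `-`.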