New HIPAA rules

cverk wrote on Wednesday, June 05, 2013:

I was reading an article on new HIPAA rules, and one of them is to ensure that electronic health information is encrypted and cannot be accessed if lost or stolen. I think this refers to having the actual computer you are using stolen, which a native OpenEMR office installation would not seem to meet. I think I did figure out a way to do that, and I wonder what the community thinks. I used TrueCrypt to make an encrypted file on the hard drive that, when mounted, shows up with its own drive letter. I mounted it as drive N and put the entire XAMPP Windows directory in it. I then used XAMPP control to run MySQL and Apache from the N drive. You can then sign on as usual. This way, if the computer is unplugged and stolen, all patient information sits encrypted on the hard drive and is not accessible unless the N drive is mounted by TrueCrypt. I believe this meets the requirement of encryption at rest. If so, then next I need to work on the requirement for encryption for transmission for eventual patient portals and lab interface. Any comments would help.

tmccormi wrote on Thursday, June 06, 2013:

That does meet the requirement. Patient Portals and Lab Interfaces are done by enabling HTTPS:// (SSL in Apache, typically), which takes care of the transmission encryption.

fsgl wrote on Friday, June 07, 2013:

In the Firefox browser, Options->Advanced->Encryption, 2 different protocols are chosen by default. See attachment. Does this mean that until HTTPS has been enabled, SSL will not be deployed?

yehster wrote on Friday, June 07, 2013:

SSL 3.0 and TLS 1.0 are older protocols with vulnerabilities.
http://www.kb.cert.org/vuls/id/864643
What that means is: do you want to allow Firefox to connect to sites that haven’t been properly upgraded?

fsgl wrote on Saturday, June 08, 2013:

Thanks, Kevin, for the link. One more reason for me to use OpenEMR as a desktop application.

cmswest wrote on Friday, October 18, 2013:

Here’s a quick guide on how to upgrade Firefox:

http://crashmag.net/enable-tls-1-1-and-1-2-in-mozilla-firefox-24-0

fsgl wrote on Friday, October 18, 2013:

Thanks for the link, Stephen.

sunsetsystems wrote on Friday, October 18, 2013:

By the way, under Linux you can use “encfs” to encrypt one or more specific directories which are then accessed as mounted volumes. Cryptkeeper is one handy GUI to manage that. The advantage over TrueCrypt is that you’re using space as needed; you don’t have to pre-allocate a volume just for encryption.

Rod
http://www.sunsetsystems.com/

blankev wrote on Friday, October 18, 2013:

The instructions to make Firefox a bit more secure are short and concise.

Where can these instructions be implemented in the WIKI pages? I tried to find “a best spot” but did not find anything on Browser security in general.

I remember from a long-ago forum discussion that there were more settings to make Firefox a great browser for OpenEMR, about the same steps but different input for different objects.

blankev wrote on Friday, October 18, 2013:

yehster wrote on Friday, October 18, 2013:

Just remember it doesn’t matter what settings are enabled in your browser, unless Apache has also been upgraded to provide stronger encryption protocols on the server side as well.

cmswest wrote on Friday, October 18, 2013:

If I understand this correctly, if you tweak security.tls.version.min you’ll know if you need to tighten Apache.
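
The server-side point raised in the last two posts, as an added example that is not part of any post in this thread: a small Python audit that reads Apache `SSLProtocol` lines and reports which old protocols each one still leaves enabled. The function names and the sample config are constructed for illustration, and the meaning of `all` is an assumption because it depends on the Apache and OpenSSL build.

```python
import re

# SSL 3.0 and TLS 1.0 are the protocols the thread calls old; SSLv2 is older still.
WEAK = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Assumption: "all" means SSLv3 through TLSv1.2; the real expansion depends on the build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        group = ALL if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not group:
            raise ValueError(f"unknown protocol token: {token}")
        if sign == "+":
            enabled = enabled | group
        elif sign == "-":
            enabled = enabled - group
        else:
            enabled = set(group)
    return enabled

def audit(conf_text):
    """Return (line_no, args, weak_protocols) for every SSLProtocol directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out directives start with '#', so they do not match
            weak = sorted(effective_protocols(m.group(1)) & WEAK)
            findings.append((no, m.group(1), weak))
    return findings

# Constructed sample config, not taken from any real installation.
SAMPLE = """\
SSLEngine on
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for no, args, weak in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} -> weak protocols: {weak or 'none'}")
```

This only reads the configuration text; which versions a running server actually negotiates also depends on the Apache and OpenSSL versions installed.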