yehster wrote on Saturday, October 29, 2011:
Brady,
A read-only portal is extremely useful to a provider trying to achieve meaningful use. It would help meet the requirement of having clinical summaries available for 50% of encounters available within 3 days. The alternative is printing at time of encounter,or snail mailing or emailing after the fact. Honestly, I think that having the clinical summary available at time of encounter serves the patient better than through a portal, but that’s pretty hard to achieve from a workflow standpoint.
The risk of leaking protected health information is is “non-zero” no matter what you do since the goal is presenting that information to a patient through the internet.
What a read-only approach protects you from is for a malicious user from affecting the workflow/data/information on your main OpenEMR instance if the portal were breached. As an example.if the portal has read/write access to MySQL Suppose a patient’s user id/password were compromised. An attacker could wipe out the patient’s demographic information, or he could screw up your calendar by posting appointments in every slot. The worst potential vulnerability would be if a SQL injection attack could make it back from the portal to the main server.
If the portal is read/only with respect to the main server, none of those potential vulnerabilities can mess up your onsite system.
Since the appointment functionality is broken for now anyway, you don’t lose that with a read-only instance. Also if one chose MySQL replication as the synchronization method, one could decide later to do bi-directional replication for some data.
SSH tunnelling is not so complicated that it needs a “package” to setup and configure.
Under linux, all you do to establish a tunnel from the command line like this on Machine A:
ssh -N -u username@remote.host.ip -L 9999/127.0.0.1/3096
User authentication could be done by password or by public/private key pair.
Now at this point, the machine I issued the command from has access to the MySQL server running on remote.host.ip. However, instead of making reference to remote.host.ip directly, Machine A accesses the remote machine by addressing it as localhost:9999 (i.e. localhost on port 9999 instead of the standard MySQL port 3096).
I use putty on Windows which is a GUI rather than a command line program to do the same thing, but the concept is exactly the same.
If the offsite portal gets cracked at the “command level” all bets are off anyway. However, if the tunnels are setup so that the openemr instance logs into to the offsite portal, rather than the other way around, all of the authentication information would be distributed across the openemr instances rather than centrally located on ZH’s machine. The main thing that would allow an attacker to do in this case additional is to have access to the webserver of the openemr instance and/or issue SOAP commands. The attacker would need to break another layer of security before he could cause too much more damage.