Patient records encryption

avantsys wrote on Thursday, March 08, 2012:

Hello everyone.

We are a greek start-up company developing a cloud-based medical records storage based on OpenEMR, which will be directed to doctors, clinics and patients in Greece and we need some advice on the encryption of the patient records. We have tried to use the instructions given in the OpenEMR wiki page http://open-emr.org/wiki/index.php/Encryption_and_Decryption_of_Documents, but it does not seem like the patient records are really encrypted at all. If someone could provide more detailed instructions (preferably on implementing SHA-2 encryption), we would greatly appreciate it, as it could help us determine whether we have done something wrong in the settings.

Thank you in advance.

clegs907 wrote on Thursday, March 08, 2012:

I would suggest implementing SSL on your Apache.

voipbound wrote on Thursday, March 08, 2012:

Do you guys have good, detailed instructions on how to implement this? I have tried using the SSL instructions in OpenEMR and on the web. Neither worked for me. I am on Ubuntu 10.0.4, OpenEMR 4.1 v7.

bradymiller wrote on Friday, March 09, 2012:

Hi,

Check out the OpenEMR Appliance instructions on how SSL was set up (which uses Ubuntu Server):
http://www.bradymd.com/appliance/manual8/#__RefHeading__5646_695817034 (section: Configure PHP and Apache (with SSL))
http://www.bradymd.com/appliance/manual8/#__RefHeading__5652_695817034 (section: Configure Firewall)

-brady
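The replies above recommend SSL on Apache as the first step. The following is an added example, not part of this thread and not the OpenEMR project's own configuration, of an Apache 2.2 virtual host (the version shipped with Debian 6 and Ubuntu 10.04) that serves OpenEMR only over HTTPS and redirects plain HTTP to it. The hostname emr.example.gr, the certificate and key paths, and the install directory /var/www/openemr are assumptions to be replaced with your own values.

```apache
# Assumed file: /etc/apache2/sites-available/openemr-ssl
# Plain-HTTP listener: only job is to send clients to the HTTPS site,
# so no OpenEMR page or login form is ever reachable unencrypted.
<VirtualHost *:80>
    ServerName emr.example.gr
    Redirect permanent / https://emr.example.gr/
</VirtualHost>

<VirtualHost *:443>
    ServerName emr.example.gr
    DocumentRoot /var/www/openemr

    SSLEngine on
    # Assumed paths: a certificate issued for emr.example.gr and its private key.
    # The key file must be readable by root only (chmod 600).
    SSLCertificateFile    /etc/ssl/certs/emr.example.gr.crt
    SSLCertificateKeyFile /etc/ssl/private/emr.example.gr.key
    # Include the CA chain if your issuer supplied one.
    # SSLCertificateChainFile /etc/ssl/certs/emr-chain.crt

    # Refuse the obsolete SSLv2/SSLv3 handshakes and weak ciphers
    # (Apache 2.2 syntax).
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on

    <Directory /var/www/openemr>
        # OpenEMR ships .htaccess rules that deny web access to
        # its sites/*/documents directory; AllowOverride keeps them active.
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog  ${APACHE_LOG_DIR}/openemr-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/openemr-ssl-access.log combined
</VirtualHost>
```

On Debian 6 this is enabled with `a2enmod ssl`, `a2ensite openemr-ssl`, and `/etc/init.d/apache2 restart`; check the result with `openssl s_client -connect emr.example.gr:443` and by confirming that `http://emr.example.gr/` answers with a 301 to the HTTPS address. Note that this only protects data in transit; it does nothing for the records and documents stored on the server, which is the separate concern raised later in the thread.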

avantsys wrote on Wednesday, March 28, 2012:

Brady,

Thank you for your reply. However, there are a few differences I need to point out: Enabling SSL on our Apache server is just one of the steps we are going to take. For added security, we need to encrypt the patient records themselves, as well as any accompanying document uploaded by the users. So far, we haven’t had any real indication that the encryption implementation really does anything. Not to mention that the Triple DES algorithm is inadequate, to say the least. We need to encrypt the patients’ data using AES 256 encryption. Are there any detailed instructions on how to do this? Furthermore, we have opted to use Debian 6 on our server and not Ubuntu.

bradymiller wrote on Wednesday, March 28, 2012:

Hi,

The document encryption feature currently available in OpenEMR (which you linked in your first post) simply allows the user to download an encrypted form of the document and also allows the user to upload an encrypted document, which is then stored in OpenEMR in an unencrypted form. If your desire is to encrypt all patient data in the database and the patient documents, then perhaps an OS-based encryption method should be used (i.e. encrypt the entire drive). Recommend researching tools for this on Debian 6, such as this:
http://madduck.net/docs/cryptdisk/

-brady
OpenEMR

jwallace00 wrote on Wednesday, March 28, 2012:

As noted above, SSL is a MUST, but I think what you also need is an encrypted filesystem. There are means to encrypt filesystems that are quite robust. My personal favorite is TrueCrypt, and it works in Windows and Linux environments.