Security in OpenEMR 3.2

wyattunger wrote on Tuesday, February 22, 2011:

Hi,

I am a medical student in Arizona involved in setting up an EMR system for a series of free clinics run by medical students at my school and staffed by physicians on a volunteer basis.  I have OpenEMR up and running for test purposes and believe it suits our needs.  I am interested in rolling it out in a production environment but am concerned about security issues when deploying it on a remotely hosted server.  Can anybody point me to some helpful advice regarding setting up OpenEMR in a secure, remotely hosted environment?

Thanks,

Wyatt Unger

bradymiller wrote on Tuesday, February 22, 2011:

Hi,
If you use OpenEMR over the internet, I recommend only allowing SSL (https) transmission utilizing ‘apache client certificate authentication’. Then you basically leverage Apache (much more secure than OpenEMR) to secure OpenEMR. It is also important to ensure the remote host provider is itself secure.
-brady
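As an added example (not from this thread and not part of the OpenEMR project), here is a small provisioning script that renders the kind of Apache virtual host Brady describes: plain HTTP only redirects, everything else is TLS, and Apache itself refuses any browser that cannot present a certificate issued by the clinic's own CA before the request ever reaches PHP. The hostname, file paths and CA name are assumptions to be replaced with the real ones.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenEMR project: renders an Apache
# vhost that serves OpenEMR only over TLS and only to browsers presenting a
# client certificate issued by the clinic's own CA, as recommended above.
# Hostname, paths and CA name are assumptions; adjust them to your server.
set -eu

SERVER_NAME="${SERVER_NAME:-emr.example-clinic.test}"   # assumed hostname
DOCROOT="${DOCROOT:-/var/www/openemr}"                  # assumed install path
CERT_DIR="${CERT_DIR:-/etc/apache2/ssl}"                # assumed cert/key location
CA_CN="${CA_CN:-Example Clinic CA}"                     # assumed CN of the issuing CA

# Print the vhost configuration to stdout.
render_vhost() {
    cat <<EOF
# Port 80 answers with a redirect only, so nothing is ever served in the clear.
<VirtualHost *:80>
    ServerName ${SERVER_NAME}
    Redirect permanent / https://${SERVER_NAME}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${SERVER_NAME}
    DocumentRoot ${DOCROOT}

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    ${CERT_DIR}/server.crt
    SSLCertificateKeyFile ${CERT_DIR}/server.key

    # Client-certificate authentication: a browser without a certificate
    # chaining to the clinic CA is rejected during the TLS handshake, so the
    # request never reaches PHP or the OpenEMR login page.
    SSLCACertificateFile ${CERT_DIR}/clinic-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory ${DOCROOT}>
        SSLRequireSSL
        # Accept only certificates issued by exactly this CA, in case the
        # CA bundle above ever grows to include others.
        Require expr "%{SSL_CLIENT_I_DN_CN} == '${CA_CN}'"
    </Directory>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
</VirtualHost>
EOF
}

# Write the rendered vhost to a file; run 'apachectl configtest' afterwards.
write_vhost() {
    render_vhost > "$1"
    echo "wrote $1"
}

if [ "$#" -gt 0 ]; then write_vhost "$1"; else render_vhost; fi
```

Run it with a path (for example the site file under the Apache configuration directory) to write the vhost, or with no arguments to preview it; after enabling mod_ssl, issue each clinician a certificate from the CA named in `SSLCACertificateFile` and confirm with `apachectl configtest` before reloading. The point of `SSLVerifyClient require` is that unauthenticated traffic is stopped by Apache, so OpenEMR's own login page is never exposed to the open internet.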

wyattunger wrote on Tuesday, February 22, 2011:

Thanks for the reply.  I was wondering if the SSL transmission was sufficient.  Can you recommend any particular hosts?  Do you recommend hosting as a virtual appliance, or hosting on a VPS?

Thanks,

Wyatt Unger

dwr1975 wrote on Tuesday, April 02, 2013:

I think that this is a pretty good application for a small clinic if used only on an Intranet. I wouldn’t use it live (online); it is chock full of security flaws and most of the code used is deprecated (it has been superseded).
I am just an amateur at scripting PHP, but I have found many, many, many security holes; I wish I would have written them down…
I have changed a few forms (5: the lab results print and report, the new patient report, the SOAP report, and the encounter form) to honor line breaks when viewing them… I didn’t check for flaws as we are only testing this for use on our clinic’s Intranet…

dwr1975 wrote on Tuesday, April 02, 2013:

I have put these forms up for download at:
https://sourceforge.net/projects/addedlinebreaks/

bradymiller wrote on Wednesday, April 03, 2013:

Hi Dave,

Can you submit this via git/GitHub? Here’s a tutorial for setting up a git OpenEMR repo and submitting code:
http://www.open-emr.org/wiki/index.php/Git_for_dummies

Honoring the line breaks would be a very useful contribution.

Regarding security, here are some pertinent wiki pages:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR
http://www.open-emr.org/wiki/index.php/Codebase_Security
http://www.open-emr.org/wiki/index.php/Security_Alert_Fixes

-brady
OpenEMR

dwr1975 wrote on Wednesday, April 03, 2013:

I created an account with GitHub, but learned this:
published on December 11, 2012
https://github.com/blog/1302-goodbye-uploads

dwr1975 wrote on Wednesday, April 03, 2013:

I DID ‘push origin’ with the files that I have updated; I hope that worked…
Can you let me know if I did it properly?

yehster wrote on Wednesday, April 03, 2013:

What is your github account name so we can find your repository and take a look?
Or post a link to your actual repository…
Here is mine as an example.
https://github.com/yehster/openemr

dwr1975 wrote on Wednesday, April 03, 2013:

Yeah… sorry, I must’ve done something incorrectly. The files I wanted to ‘push’ are not showing up. I will try to check what I did and correct that…

yehster wrote on Wednesday, April 03, 2013:

Before you “push”, two useful commands you can use to see what git is tracking in your local repository are “log” and “diff”:

git log

will show you the descriptions of the most recent commits.

git diff

will show you uncommitted code changes.
So if the changes you are trying to share show up at this point, it means you aren’t ready to push. You need to do an add and commit.

git diff origin

should show you changes on your local system that are ready to be shared out.
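The sequence above (edit, check `git diff`, add and commit, then compare against origin) replayed end to end, as an added example that is not part of the thread: it builds a throwaway local “origin” so the readings of each check can be seen without touching GitHub. The file name, branch name and commit messages are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the pre-push checks described above
# (git log, git diff, git diff against origin) replayed against a throwaway
# local "origin", so nothing here touches GitHub. File name, branch name and
# commit messages are constructed for the demo.
set -eu

# Fixed identity so the demo does not depend on ~/.gitconfig.
GIT="git -c user.name=Demo -c user.email=demo@example.invalid -c init.defaultBranch=master"

# Create a bare origin and a clone whose master has one pushed commit.
# Prints the scratch directory so the caller can cd into the clone.
setup_demo() {
    work=$(mktemp -d)
    $GIT init -q --bare "$work/origin.git"
    $GIT clone -q "$work/origin.git" "$work/clone" 2>/dev/null
    cd "$work/clone"
    printf '<p>%s</p>\n' "original text" > report.php
    $GIT add report.php
    $GIT commit -qm "Initial import (constructed)"
    $GIT push -q origin master 2>/dev/null
    echo "$work"
}

# Number of files with uncommitted changes: what plain `git diff` lists.
uncommitted_files() { $GIT diff --name-only | wc -l | tr -d ' '; }

# Number of commits on the current branch: what `git log` would describe.
commit_count() { $GIT rev-list --count HEAD; }

# Files that differ from origin/master, i.e. what a push would share.
# The post's `git diff origin` relies on origin/HEAD being set, which a clone
# of an empty repository does not do, so the remote branch is named explicitly.
ready_to_share() { $GIT diff --name-only origin/master | tr '\n' ' ' | sed 's/ $//'; }

# Walk through edit -> check -> add/commit -> check and return the readings.
run_demo() {
    work=$(setup_demo)
    cd "$work/clone"
    $GIT checkout -qb line-breaks                 # customizations go on a branch, never master
    printf '<p>%s<br>%s</p>\n' "line one" "line two" > report.php
    before=$(uncommitted_files)                    # 1: git diff shows the edit -> not ready to push
    $GIT add report.php
    $GIT commit -qm "Honor line breaks in report form (constructed)"
    after=$(uncommitted_files)                     # 0: working tree clean after the commit
    commits=$(commit_count)                        # 2: initial import plus this commit
    shared=$(ready_to_share)                       # report.php: differs from origin/master
    cd / && rm -rf "$work"
    echo "$before $after $commits $shared"
}

run_demo
```

Running it prints `1 0 2 report.php`: one uncommitted file before the commit, none after, two commits in the log, and `report.php` as the only file a push would carry to origin. The same three checks, run in a real OpenEMR clone, tell you whether a missing change is simply uncommitted or already waiting on the branch.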

dwr1975 wrote on Thursday, April 04, 2013:

Okay, I followed your advice, yehster, and was able to “push” the files that I made changes to.
My github account is - https://github.com/dwr1975/openemr - but the changes do not show up there for some reason, I may have done something incorrectly again.
You have to go to - https://github.com/dwr1975/openemr/tree/line-breaks to see the changes that I made…

yehster wrote on Thursday, April 04, 2013:

dwr1975/openemr is never going to directly show your specific changes when you do things correctly because it shows the master branch by default from that page. You want your master branch to always only contain code that has been officially incorporated into the project.  Customization/new code should go into a branch, as you have done.

Everything you have done with git looks correct at this point.

fsgl wrote on Friday, April 12, 2013:

Hi Wyatt,

You can run OpenEMR offline. I stumbled upon this accidentally when I was writing progress notes and noticed that I was not connected to the Internet. I presume that you don’t need to bill insurance companies because you are doing pro bono work. Even if you do bill, the downloaded x12 file from your browser can be generated offline and later you can send the x12 file to the clearinghouse after you have logged off OpenEMR.

I think you realize that being a free clinic does not exempt you from compliance with HIPAA and Arizona confidentiality laws, so protection of the medical record is of paramount importance.

If physicians from different clinics need to exchange information, the safest way is the old fashioned way, namely, the telephone.

Avoid enabling patient portals like the Bubonic Plague, if you don’t want a gigantic mess on your hands. Indigent patients are generally happy to get free care and don’t fuss about access to their medical records.

Follow the recommendations from Securing OpenEMR if you have not done it already. SSL transmission is the default if you use Firefox.

bradymiller wrote on Sunday, April 28, 2013:

Hi Dave,

Not sure if you are still working on this, but I cleaned up your branch/commits a bit and posted them here:


(the first commit is your stuff)

Would be nice to get full new line support on the forms.

-brady
OpenEMR