Digital Square just released an RFA about security improvements.
I believe it would be a good fit for OpenMRS. Is there anyone interested in such an opportunity?
@grace is OpenMRS interested in such an investment? Maybe we should go in the HIPAA direction?
Yes we are! We’ve been discussing in a side thread; let me share here what @ibacher thought we could pursue:
The initial thing that occurs to me is trying to generate SBOMs for an OpenMRS distribution (building on the distribution-creating tools we now have for O3). Ideally that would incorporate:
- SBOMs for OpenMRS Core
- SBOMs for backend modules
- SBOMs for frontend modules
- SBOMs for software on the Docker images (basically Tomcat / Java or Nginx)
Alternatively:
Implement CI/CD pathways for securely scanning all Docker images we publish.
The biggest challenge I foresee is the human resourcing. It took us months to find an interested + eligible CyberSecurity Fellow on a similar but much smaller grant last year. Does SolDevelo want to work on this?
Re. HIPAA direction: What in particular did you have in mind?
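An added illustration of the SBOM idea above (not code from this thread or from OpenMRS): the four per-source SBOM fragments the post lists are merged into one CycloneDX-style distribution SBOM, deduplicated by purl, with a property recording which source pulled each component in so a scanner finding can be traced back to core, a module or the image. All component names, versions and purls are constructed placeholders, and the `openmrs:source` property name is an assumption.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style fragments, one per SBOM source the post lists.
# Names, versions and purls are placeholders, not real OpenMRS release data.
SOURCE_SBOMS: Dict[str, dict] = {
    "openmrs-core": {"components": [
        {"type": "library", "name": "openmrs-api", "version": "2.6.0",
         "purl": "pkg:maven/org.openmrs.api/openmrs-api@2.6.0"},
        {"type": "library", "name": "spring-core", "version": "5.3.0",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.0"}]},
    "backend-module-example": {"components": [
        {"type": "library", "name": "spring-core", "version": "5.3.0",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.0"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0"}]},
    "frontend-module-example": {"components": [
        {"type": "library", "name": "react", "version": "18.2.0",
         "purl": "pkg:npm/react@18.2.0"}]},
    "docker-image-example": {"components": [
        {"type": "application", "name": "tomcat", "version": "9.0.0",
         "purl": "pkg:generic/tomcat@9.0.0"}]},
}


def merge_sboms(sources: Dict[str, dict], dist_name: str) -> dict:
    """Merge per-source component lists into one distribution SBOM.
    Components are deduplicated by purl; an 'openmrs:source' property
    (assumed name) lists every source that pulled the component in."""
    merged: Dict[str, dict] = {}
    for source, sbom in sources.items():
        for comp in sbom.get("components", []):
            key = comp.get("purl") or f"{comp['name']}@{comp.get('version')}"
            entry = merged.setdefault(key, {**comp, "properties": []})
            entry["properties"].append({"name": "openmrs:source", "value": source})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": dist_name}},
        "components": list(merged.values()),
    }


def shared_components(sbom: dict) -> List[str]:
    """purls present in more than one source: an upgrade of these has to be
    coordinated across core and modules, not fixed in one place."""
    return sorted(c["purl"] for c in sbom["components"]
                  if len(c["properties"]) > 1)


if __name__ == "__main__":
    distro = merge_sboms(SOURCE_SBOMS, "openmrs-distro-example")
    print(json.dumps(distro, indent=2))
    print("shared:", shared_components(distro))
```

In a real pipeline the fragments would come from a generator run on each artifact rather than being embedded; the merge and traceability logic is the same.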
Yes, we are considering various options here, since we have both experience and resources:
and everything gathered/described at: https://soldevelo.com/services/software-security-services/
Regarding HIPAA, it is a complex issue more related to organization processes/policies, but there is a lot that can be done on the OpenMRS side, as described by @ibacher at Implementing OpenMRS in the USA: HIPAA and downloading - #3 by ibacher