Yes, we are considering various options here, since we have both experience and resources:
- https://soldevelo.com/blog/openimis-penetration-testing/
- https://soldevelo.com/blog/strengthening-openlmis-comprehensive-penetration-testing/
- https://soldevelo.com/blog/sast-dast-security-testing/
and everything gathered/described at: https://soldevelo.com/services/software-security-services/
Regarding HIPAA, it is a complex issue more related to organizational processes/policies, but there is a lot that can be done on the OpenMRS side, as described by @ibacher at Implementing OpenMRS in the USA: HIPAA and downloading - #3 by ibacher