Core Infrastructure Fund - opportunity for funding strengthening digital security and data protection in OpenMRS

Hello,

I am Maciej Neumann and I am the Foundation Leader of SolDevelo Social Impact, a foundation created by SolDevelo. I work with Jakub Sławiński on various projects that want to use technology for creating something beneficial for society. We know that one of the best ways we can do that is by helping OpenMRS. SolDevelo has collaborated with this project for quite some time now and is going to continue doing so in the future - especially now, thanks to a grant from Digital Square for OpenSync 2.0.

We found another opportunity for funding, that could be very helpful for OpenMRS. Open Technology Fund created by Radio Free Asia and Broadcasting Board of Governors announced “Core Infrastructure Fund”:

https://www.opentech.fund/requests/core-infrastructure-fund

Open Technology Fund is focused on issues of access, privacy, security and awareness. Core Infrastructure Fund was created to “fortify the foundational components of demonstrably important technology relied upon by people in repressive countries” and to “strengthen internet freedom and digital security”.

We think that we could use this fund to help the OpenMRS project with digital privacy and data protection issues. Especially now, because of the new law that comes into effect in the European Union (GDPR). About two years ago students from University of New York Computer Science created a report about security in OpenMRS.

We could use this opportunity to address issues pointed out in this report and do complete overhaul of data protection in OpenMRS.

Core Infrastructure Fund offers financial help from 5.000$, up to even 300.000$. Deadline for applying is 23:59, 30th June, so we have some time.

Open Technology Fund has a very specialized mission that they want to accomplish with their money, so besides technical description, we would have to emphasize in our proposal how strengthening the security of a medical database would help people in repressive countries (for example, how protecting HIV/AIDS medical records can potentially help sexual minorities). If we write this proposal in the right way, we think there is a good chance for us to get this fund.

We would like to propose to apply for this grant as a consortium of three institutions:

-OpenMRS, who would do the audit of security in the OpenMRS and choose the privacy and security strategy for the project

-SolDevelo, who would do all the technical implementation of the strategy (programming etc.)

-SolDevelo Social Impact Foundation, who would coordinate the project and do other, more minor things (meeting planning, marketing etc.)

Of course this is only the initial proposition, we can always discuss it.

I would like to hear your opinions and ask, how would you envision digital security overhaul in OpenMRS?

In this proposal we have to emphasize how stronger data protection for OpenMRS will help people in repressive countries, so I also want to ask you about some examples and cases.

3 Likes

This is awesome! 🙂

Of late, I am seeing an increasing number of OpenMRS security vulnerability reports from automated tools and individuals/groups. Therefore, addressing these through such a grant is a step in the right direction.

Here is the list of topics, that we have to describe in our proposal:

a) What is your idea?

-Describe it

-What are hoped for goals or longer term effects of the project? (“We want to know how you think the world could be, what larger purpose this project is a part of, and/or the bigger target you aiming for. Bulleted lists are good.”)

b) How will you do it?

-Describe how (“Briefly and clearly list key milestones, objectives, and/or activities briefly. These should be specific, measurable, attainable, realistic, and time-relatable. Bulleted lists are ideal.”)

c) Who is this project for?

-Describe them (“In other words, who are the people benefiting or affected most by this effort and how well do you know them?”)

-What community currently exists around this project?

d) Why is this project needed?

-Describe why (“Describe one or more of the following: the specific needs of the group(s) being met, how it uniquely solves a known issue or improve upon existing solutions, and/or what knowledge, research, technology, or community gap the proposed effort is intending to fill. If the effort targets a specific group of people, note any research or analysis you have done to ensure the effort serves the target population.”)

-Similar/Complementary efforts

Any help from community would be very appreciated. If you have ideas about how to improve security in OpenMRS or have some examples how data protection would help a specific group of people - write it down in the reply.

We want to create a first rough draft or proposal in the next week and you can help create it.

1 Like

@isears and @teleivo did you see this? 🙂

@dkayiwa thanks for alerting me to this topic. OpenMRS could definitely use this!

I think cleaning up and reorganizing the OpenMRS privileges system is the kind of thing that could really benefit from the undivided attention of a dev team. Specifically, we should probably break up the “Privilege Level: Full” that most users inherit into more granular, role-appropriate privileges. Because that would affect so many parts of OpenMRS, it would require a lot of testing to make sure it doesn’t break existing functionality.

@darius may have a better idea of how pertinent this is to what’s being proposed. (We discussed this issue briefly while patching the last bug reported to the security mailing list)

i took the opportunity to write up some responses in a document that we can edit (I based it on what was already on talk, as well as the NY report). please feel free to edit/add/modify…

the document should be open. THANKS for everyone's help with this. my time frames are 'made up'! and i did include confidentiality, but perhaps we shouldn't include that, as well as a focus on generic guidance for implementers.

Thank you @terry for your work. As you can probably see now, I modified your document to include all the topics that we have to give in our proposal. I also added and changed some things to show how better security and privacy can help the specific groups of people - emphasizing the social impact of this project should help us during application reviews. Of course most of this is just a first, rough draft, but I think this is a good starting point; the “Who is this project for?” part of the proposal probably won’t change that much.

I will work further on this tomorrow and on Wednesday I have a meeting with @jslawinski, who will help me with some technical aspects of this.

I contacted @darius by e-mail about this, but unfortunately he is on vacation for the next two weeks. He declared help after his comeback, so if we are accepted, I hope he can help us with the second, more detailed proposal.

“How will you do it?” is right now the most important topic, so any help from the community will be very appreciated.

nice changes; i put some comments in suggest mode so you can see them and decide whether you want to take them or not. thanks again. when is this due?

We have to send this no later than 30th June, 23:59 (11:59PM) GMT.

Right now we have included in our proposal most of the recommendations from the executive summary of the NY report (passwords expiration, timeouts etc.). However, there are even more recommendations about security in OpenMRS written further down in the report. What do you think about them?

‘DWR’ in the WebApp Source Code

This part of the source code utilizes AJAX DWR to translate between Java and more web-friendly JavaScript. It’s important to validate all inputs while using JavaScript, which the WebApp seems to do reasonably well. Still, JavaScript is notoriously insecure, and because of this, parts of the WebApp may remain exploitable, even after good input validation. My recommendation would be to try to find an alternative way to support the functionality that DWR provides without running the risk of JavaScript vulnerabilities.

Extra Security at the Controller Level for the WebApp

The controller code in the WebApp source allows (necessarily) for a large amount of access to the database layer of the OpenMRS application. While user privileges attempt to mediate between the interactions between the WebApp and the database, I believe this part of the code would benefit from additional security controls, especially for installations with an internet connection. Perhaps something along the lines of encryption between the database and WebApp layers to deter anyone attempting to access information as it travels over the network would be a reasonable start.

Encrypt Data Export

Data export allows the admin to download the patient data into a csv file. This file is downloaded without any encryption and it could be easily opened by anyone, if the admin loses it. This is totally against the Confidentiality part. It is very important to encrypt the file that has very sensitive information about the patients. The easier manual way to encrypt the file would be compressing it first and then adding a password on the compressed file. This would not allow people to view the patient data if they don’t know the password.

Enforce installation rules with the intent of keeping OpenMRS binaries secure

OpenMRS is a big project with several parts, layers, and packages that generate a great amount of binary files (.class) and database data. For security reasons, the access for editing or deletion of these files must be controlled. It can be done by the administrator of the system where OpenMRS is installed by restricting access to some directories. In case of a UNIX system, commands like chmod and chown could do the job. Windows and Mac OS systems also have similar commands. The permission modifications may assure that just the root user (superuser) or the owner of the files can have access to them. When a new compilation is needed, just these users will have sufficient rights for placing the binaries where they are supposed to run. A development environment also will be needed for this reason.
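An added example, not part of the original post or of the quoted report: a POSIX shell audit for the last recommendation above, listing installed files that someone other than the intended owner could modify and then removing group/other write access. The function names, the temporary directory and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an application install directory for files that
# accounts other than the intended owner could edit or delete.
# The directory and expected owner are supplied by the caller (assumptions).

# Print every file or directory under $1 that is group- or world-writable.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Print every file or directory under $1 not owned by user $2 (name or uid).
find_wrong_owner() {
    find "$1" \( -type f -o -type d \) ! -user "$2" -print
}

# Report findings; return 0 when the tree is clean, 1 otherwise.
audit_install_dir() {
    dir=$1
    owner=$2
    loose=$(find_loose_perms "$dir")
    foreign=$(find_wrong_owner "$dir" "$owner")
    if [ -n "$loose" ]; then
        printf 'writable by group/other:\n%s\n' "$loose"
    fi
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
    fi
    [ -z "$loose" ] && [ -z "$foreign" ]
}

# Remove write access for group and others; owner bits are left unchanged.
harden_install_dir() {
    find "$1" \( -type f -o -type d \) -exec chmod go-w {} +
}

# Constructed demo: a throwaway tree with one world-writable class file.
run_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/classes"
    : > "$demo/classes/Example.class"
    : > "$demo/module.jar"
    chmod 755 "$demo" "$demo/classes"
    chmod 666 "$demo/classes/Example.class"
    chmod 644 "$demo/module.jar"
    audit_install_dir "$demo" "$(id -u)" || echo "findings above, hardening"
    harden_install_dir "$demo"
    audit_install_dir "$demo" "$(id -u)" && echo "clean after hardening"
    rm -rf "$demo"
}

run_demo
```

Changing ownership with chown needs root, so the example only reports ownership mismatches and leaves that correction to the administrator.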

Are these resources of any value?

https://www.cvedetails.com/vulnerability-list/vendor_id-14221/product_id-29315/Openmrs-Openmrs.html

https://www.securityfocus.com/bid/70664/discuss

https://wiki.openmrs.org/display/docs/Security+and+Access+Control

Thank you Daniel!

I’ve added fixing issues from the Security Focus to the “to-do” list in proposal. Last link is from 2013 though - I’m not sure what’s changed and what not during this time.

Security focus bugs should definitely be revisited, but I believe the vast majority have been fixed in the latest versions of OpenMRS. Many of the html/JS injection bugs are tracked in this jira issue:

I want to thank everyone for their help and work. Tomorrow I have another meeting with @jslawinski, and we will do last corrections and the final review of the proposal. If everything will be ok, we will send it to the Open Technology Fund. As soon as we get any information or feedback from the Fund, I’ll post the news here immediately.

If you have any last comments or suggestions - there is some time left, so we can still add or change something.

1 Like

can you share the final proposal that was submitted? thanks!

The final proposal that was submitted was nearly identical to the document we’ve edited together in Google Docs. Here is the e-mail that we got after sending the proposal (although in this reply they’ve skipped some of the paragraphs from the proposal, like “Who is this project for?”)

Dear OpenMRS SolDevelo SolDevelo Social Impact Foundation,

We appreciate your Concept Note submission to the Open Technology Fund. We will review and reply to your submission as quickly as possible. Our reply will have the next steps for your Concept Note. You can find more information about our support options, review process and selection criteria on our website: https://www.opentech.fund/apply/guide.

If you have any questions, please email us at info@opentechfund.org.

  • Project name: Strengthening security of medical data in OpenMRS
  • Duration: 12 months
  • Amount: 150000
  • Contact name: OpenMRS SolDevelo SolDevelo Social Impact Foundation
  • Contact email: mneumann@soldevelofoundation.org

Descriptors:

  • Status: People Use It. (Production)
  • Focus: Privacy enhancement, Security from danger or threat online
  • Objective(s): Research, Software or hardware development, Testing, Training
  • Beneficiaries: General public, Women, Youth, Sexual minorities, Ethnic minorities, Activists, Advocacy groups/NGOs, Academia, Technologists, Entrepreneurs, Government
  • Addressed problems: Other
  • Technology attributes: User interface/experience, Anonymity, Application deployment, Web application, Web API/Mobile application (serverside), Cryptography, Dependency integration, Sensitive data
  • Region: Global

Project description: The Open Medical Record System (OpenMRS) is an open source health information technology system. It is the most used medical record system platform in developing countries. Created in 2004, OpenMRS helps health care providers around the world, including South Africa, Kenya, Rwanda, Lesotho, Zimbabwe, Mozambique, Uganda, Tanzania, Haiti, India, China, United States, Pakistan, the Philippines, and many other places. We aim to ensure that OpenMRS meets the highest standards for security and privacy - topics especially important for personal health information, which constitute a particularly sensitive type of data. Strengthening security and privacy in OpenMRS is critical, given the ubiquitous use of this platform. Especially because of the disparate nature of privacy and security in the countries that have implemented our system. With an appropriate data protection overhaul, we can help guarantee that everyone who uses OpenMRS, can increase safety of patients, communities and health care providers. Our plan includes the evaluation, review and development of mitigation plans of previously identified security vulnerabilities and privacy concerns. In addition, we will review the European Union data protection regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) and develop plans for OpenMRS to be fully compliant with these laws. Our final goal is to assess potential to increase privacy and security of information by using appropriate tooling and creating universal framework for protection of medical data. Besides that, we want to educate enormous community that is using OpenMRS in topics of confidentiality, privacy and security of data. We don’t want to do this security overhaul only for OpenMRS - framework of data protection we want to work out in this project, along with some of the educational materials, could be used by various projects, especially focused on health issues.

Project how:

  1. Milestone 1: Analyze current state and adjust further work plan [estimated effort: 50 man-days (MD)]
  • [40 MD] Conduct an overarching review of current/past community based posts and reports about security, privacy and confidentiality concerns to identify any potential areas that have not been identified yet
  • [10 MD] Identify community members/organizations that are willing/able to assist in the review, development of mitigation plans, and implementation of mitigation processes and code
  2. Milestone 2: Implement previously identified fixes/improvements [210 MD]
  • [10 MD] Implement a password expiration, blacklist and password quality policy
  • [10 MD] Implement session timeouts and account locking with repeated login failures
  • [30 MD] Create generic, secure, configurable and extensible auditing system
  • [20 MD] Enhance administrative responsibilities to support divisions across multiple administrators
  • [20 MD] Encrypt and/or secure the most important database tables
  • [20 MD] Implement encrypted data exports
  • [20 MD] Implement extra security at the controller level for the WebApp
  • [20 MD] Enforce installation rules to secure OpenMRS binaries
  • [40 MD] Secure AJAX DWR in WebApp to fix possible JavaScript vulnerabilities
  3. Milestone 3: Produce high-quality guidance materials and educate community in privacy/security/confidentiality topics [170 MD]
  • [50 MD] Develop with the community generic privacy, security and confidentiality guidance materials that can be publicly published with the goal of increasing capacity at the local and national levels around these topics
  • [20 MD] Create an extensive security guidance in the implementers documentation and make sure that the community will be well educated in this topic
  • [100 MD] Prepare and conduct privacy and security trainings in form of webinars and e-learning courses for healthcare providers that are using OpenMRS

Project who:

  • OpenMRS system works in over 3.000 medical sites for about 8.7 million patients all over the world.
  • OpenMRS was created as a response to the challenges presented by pandemics of epic proportions, as over 40 million people are infected with diseases such as HIV/AIDS, multi-drug resistant tuberculosis or malaria. Ultimately, our goal is to ensure adequate and appropriate protection to the patients, communities, and healthcare workers that document medical care using OpenMRS.
  • OpenMRS was initially developed to provide documentation and improvement of care for patients with HIV/AIDS. Currently, OpenMRS is used in multiple care settings, and collects information that is sensitive as it includes PII as well as PHI. Ensuring appropriate security and protection to the patients, communities, and health care providers is a critical component to use of the software.
  • OpenMRS software is implemented in over 64 countries, such as South Africa, Rwanda, Lesotho, Zimbabwe, Tanzania, Haiti, India, China, United States, Pakistan, the Philippines and many other places. You can see them all on this site: https://atlas.openmrs.org
  • Uganda, Kenya and Mozambique Ministries of Health have adopted OpenMRS as their national electronic medical record (EMR).
  • Some of the places that use OpenMRS are on the list of not-free and partially free countries created by Freedom House. That is why it’s especially important to guarantee the safety of the patients’ data in these regions: https://freedomhouse.org/report/freedom-world/freedom-world-2018
  • The annual report for specific details about our users, as well our developer community. https://openmrs.org/wp-content/uploads/2018/03/2017-OpenMRS-Annual-Report.pdf
  • This project is also for other developers of software, especially centered around medical issues. They could use our framework to implement security and privacy solutions in their own projects

Project why:

  • The OpenMRS developer and implementer community are well aware of ongoing privacy and security issues, but we have had limited resources (fiscal, as well as human) to address these concerns. The recent implementation of GDPR has highlighted the importance of ensuring appropriate privacy and security within our software, as well as the need to generate potential guidance to end users about security and confidentiality
  • Health care providers from developing countries deserve the best protection of their medical data that is possible. The confidentiality between them and the patients is one of the key principles of healthcare since the Hippocratic Oath. In the new digital age, we have to be sure that these values are still intact. This is not a problem only for the developing countries (The National Health Service of Great Britain had leaks of information from their medical records about 2 years ago), but it’s especially important for them: people with certain diseases (like HIV) can be discriminated and persecuted because of them. That is why this project is so needed.
  • Electronic health records improve quality of care, reduce cost, enhance patient mobility, are more reliable, and enable evidence-based medicine. Allowing OpenMRS to be available in more countries, by being compatible with laws such as GDPR and HIPAA, will bring better healthcare to even more patients.

Other information:

Thanks again, The OTF Team

When we will get another e-mail from them, I’ll paste it here as soon as possible

Once submitted, applications including concept notes, are reviewed by the OTF team. (Up to a month.)

We’ve submitted our proposal on 27 June - we should get feedback this week. If not, I’ll send an e-mail to their team on Friday.

Unfortunately, I have bad news 🙁

Dear OpenMRS SolDevelo SolDevelo Social Impact Foundation,

We very much appreciate your submission to the Open Technology Fund for consideration. Upon evaluation of your submission, we have decided that OTF is not able to provide financial support for your project at this time.

Activities described within this project do not clearly fit within OTF’s remit, which aims to advance research into repressive Internet interference on modern communication networks and the methodologies and technologies to best circumvent it, foster development of technologies that circumvent repressive censorship and surveillance or increase communication access and safety, and enable widespread implementation of solutions in an effort to free people from repressive Internet interference. However, if the scope of your project should change and fits within these goals and principles, we encourage you to reapply.

If you have any questions or comments, please reply to this email with your input. We very much welcome a continued discussion. We also encourage you to visit our proposal guide on OTF’s website. There we list considerations in our evaluation process. The link: https://opentech.fund/apply/guide

As a resource to help you find additional funding, we have compiled a list of alternate sources of support on our website. The link: https://opentech.fund/apply/alternative-sources-support

We encourage you to sign up for our low traffic announce email list. The list is limited to providing upcoming submission deadlines for OTF and other relevant funders on a monthly basis. Please send a message with subscribe in the subject line. The link: https://groups.google.com/a/opentechfund.org/forum/#!contactowner/otf-announce

Again, we cannot express enough our appreciation for your submission and your patience while we completed our evaluation process.

Kind regards, Wei Fan

As you can see, our proposal didn’t fit into OTF mission and values (more Open Technology Fund itself, than Core Infrastructure Fund), which are very specific. We’ve tried to write the whole submission in the way, that would emphasize the privacy and safety issues and how our project could help protect data of people in repressive countries, but clearly this still wasn’t close enough to their vision.

I’m going to send an e-mail to them with some questions about our proposal and OTF on Wednesday. If you also want to ask them about something, write it down in the reply, and I’ll add it to the e-mail.

Sorry to hear about this!

I like the fact that they fully explained the reason as to why.

@teleivo this is the sort of response that i would expect from DIAL

That’s really unfortunate. Thank you so much for all your effort to put this together! You did a really great job pulling it all together for submission. Soon enough one will come up with us awarded! 🙂