Core Infrastructure Fund - opportunity for funding strengthening digital security and data protection in OpenMRS

The final proposal that was submitted was nearly identical to the document we edited together in Google Docs. Here is the e-mail that we got after sending the proposal (although in this reply they skipped some of the paragraphs from the proposal, like “Who is this project for?”).

Dear OpenMRS SolDevelo SolDevelo Social Impact Foundation,

We appreciate your Concept Note submission to the Open Technology Fund. We will review and reply to your submission as quickly as possible. Our reply will have the next steps for your Concept Note. You can find more information about our support options, review process and selection criteria on our website: OTF Applicant Guidebook - OTF Application Guidebook.

If you have any questions, please email us at info@opentechfund.org.

Project name: Strengthening security of medical data in OpenMRS
Duration: 12 months
Amount: 150000
Contact name: OpenMRS SolDevelo SolDevelo Social Impact Foundation
Contact email: mneumann@soldevelofoundation.org [1]

Descriptors:
Status: People Use It. (Production)
Focus: Privacy enhancement, Security from danger or threat online
Objective(s): Research, Software or hardware development, Testing, Training
Beneficiaries: General public, Women, Youth, Sexual minorities, Ethnic minorities, Activists, Advocacy groups/NGOs, Academia, Technologists, Entrepreneurs, Government
Addressed problems: Other
Technology attributes: User interface/experience, Anonymity, Application deployment, Web application, Web API/Mobile application (serverside), Cryptography, Dependency integration, Sensitive data
Region: Global

Project description: The Open Medical Record System (OpenMRS) is an open source health information technology system. It is the most used medical record system platform in developing countries. Created in 2004, OpenMRS helps health care providers around the world, including South Africa, Kenya, Rwanda, Lesotho, Zimbabwe, Mozambique, Uganda, Tanzania, Haiti, India, China, United States, Pakistan, the Philippines, and many other places. We aim to ensure that OpenMRS meets the highest standards for security and privacy - topics especially important for personal health information, which constitutes a particularly sensitive type of data. Strengthening security and privacy in OpenMRS is critical, given the ubiquitous use of this platform, especially because of the disparate nature of privacy and security in the countries that have implemented our system. With an appropriate data protection overhaul, we can help guarantee that everyone who uses OpenMRS can increase the safety of patients, communities and health care providers. Our plan includes the evaluation, review and development of mitigation plans for previously identified security vulnerabilities and privacy concerns. In addition, we will review the European Union data protection regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) and develop plans for OpenMRS to be fully compliant with these laws. Our final goal is to assess the potential to increase privacy and security of information by using appropriate tooling and creating a universal framework for the protection of medical data. Besides that, we want to educate the enormous community that is using OpenMRS in the topics of confidentiality, privacy and security of data. We don’t want to do this security overhaul only for OpenMRS - the framework of data protection we want to work out in this project, along with some of the educational materials, could be used by various projects, especially those focused on health issues.

Project how:

  1. Milestone 1: Analyze current state and adjust further work plan [estimated effort: 50 man-days (MD)]
  • [40 MD] Conduct an overarching review of current/past community based posts and reports about security, privacy and confidentiality concerns to identify any potential areas that have not been identified yet
  • [10 MD] Identify community members/organizations that are willing/able to assist in the review, development of mitigation plans, and implementation of mitigation processes and code
  2. Milestone 2: Implement previously identified fixes/improvements [210 MD]
  • [10 MD] Implement a password expiration, blacklist and password quality policy
  • [10 MD] Implement session timeouts and account locking with repeated login failures
  • [30 MD] Create generic, secure, configurable and extensible auditing system
  • [20 MD] Enhance administrative responsibilities to support divisions across multiple administrators
  • [20 MD] Encrypt and/or secure the most important database tables
  • [20 MD] Implement encrypted data exports
  • [20 MD] Implement extra security at the controller level for the WebApp
  • [20 MD] Enforce installation rules to secure OpenMRS binaries
  • [40 MD] Secure AJAX DWR in WebApp to fix possible JavaScript vulnerabilities
  3. Milestone 3: Produce high-quality guidance materials and educate the community in privacy/security/confidentiality topics [170 MD]
  • [50 MD] Develop with the community generic privacy, security and confidentiality guidance materials that can be publicly published, with the goal of increasing capacity at the local and national levels around these topics
  • [20 MD] Create extensive security guidance in the implementers documentation and make sure that the community will be well educated in this topic
  • [100 MD] Prepare and conduct privacy and security training in the form of webinars and e-learning courses for healthcare providers that are using OpenMRS

Project who:

  • The OpenMRS system works in over 3,000 medical sites for about 8.7 million patients all over the world.
  • OpenMRS was created as a response to the challenges presented by pandemics of epic proportions, as over 40 million people are infected with diseases such as HIV/AIDS, multi-drug resistant tuberculosis or malaria. Ultimately, our goal is to ensure adequate and appropriate protection to the patients, communities, and healthcare workers that document medical care using OpenMRS.
  • OpenMRS was initially developed to provide documentation and improvement of care for patients with HIV/AIDS. Currently, OpenMRS is used in multiple care settings, and collects information that is sensitive as it includes PII as well as PHI. Ensuring appropriate security and protection for the patients, communities, and health care providers is a critical component of the use of the software.
  • OpenMRS software is implemented in over 64 countries, such as South Africa, Rwanda, Lesotho, Zimbabwe, Tanzania, Haiti, India, China, United States, Pakistan, the Philippines and many other places. You can see them all on this site: https://atlas.openmrs.org
  • Uganda, Kenya and Mozambique Ministries of Health have adopted OpenMRS as their national electronic medical record (EMR).
  • Some of the places that use OpenMRS are on the list of not-free and partly free countries created by Freedom House. That is why it’s especially important to guarantee the safety of patients’ data in these regions: Democracy in Crisis
  • See the annual report for specific details about our users, as well as our developer community: https://openmrs.org/wp-content/uploads/2018/03/2017-OpenMRS-Annual-Report.pdf
  • This project is also for other developers of software, especially centered around medical issues. They could use our framework to implement security and privacy solutions in their own projects

Project why:

  • The OpenMRS developer and implementer community are well aware of ongoing privacy and security issues, but we have had limited resources (fiscal, as well as human) to address these concerns. The recent implementation of GDPR has highlighted the importance of ensuring appropriate privacy and security within our software, as well as the need to generate potential guidance to end users about security and confidentiality.
  • Health care providers from developing countries deserve the best possible protection of their medical data. The confidentiality between them and their patients is one of the key principles of healthcare since the Hippocratic Oath. In the new digital age, we have to be sure that these values are still intact. This is not a problem only for the developing countries (the National Health Service of Great Britain had leaks of information from their medical records about 2 years ago), but it’s especially important for them: people with certain diseases (like HIV) can be discriminated against and persecuted because of them. That is why this project is so needed.
  • Electronic health records improve quality of care, reduce cost, enhance patient mobility, are more reliable, and enable evidence-based medicine. Allowing OpenMRS to be available in more countries, by being compatible with laws such as GDPR and HIPAA, will bring better healthcare to even more patients.

Other information:

Thanks again, The OTF Team

When we get another e-mail from them, I’ll paste it here as soon as possible.