U.S.A. clinic use and HIPAA compliance?

(TJ Prescott) #1

I am a doctor of chiropractic and I am looking for a flexible EHR for use in my Colorado, U.S.A. clinic. I am considering OpenEMR and OpenMRS. I prefer OpenMRS based on database and customization flexibility.

Can OpenMRS be used in a U.S.A. clinic and can HIPAA compliance be provided?

Per Wikipedia, OpenMRS: “There are five known OpenMRS deployments supporting clinical care in the US - three in Indianapolis, one in Los Angeles, and one in Maryland.” The names of the clinics are not provided. Can anyone provide me with the names of these U.S. clinics that are using OpenMRS? I would like to find out how they are meeting HIPAA security requirements. Thank you in advance for any replies.

TJ Prescott, DC PE

(tendo kiiza Martyn) #2

Thoughts cc @burke @janflowers @jthomas

(Daniel Kayiwa) #3

Is this of any help? Report from course assignment assessing security of OpenMRS

1 Like
(TJ Prescott) #4

Thanks for posting that study. I reviewed that study about a week before posting my question. Unless someone has evidence to the contrary, my conclusions from the study and from other research are as follows:

  1. OpenMRS as it was at the time of the study had several security vulnerabilities.
  2. To the best of my knowledge, these vulnerabilities have not been fixed.
  3. These vulnerabilities make OpenMRS non-HIPAA compliant for use in the U.S.
  4. From what I can tell, most use in the U.S. has been for research where HIPAA compliance is not required, rather than for clinic use.

This is a personal disappointment as it means OpenMRS is not suitable for use in my clinic. Please post if you think my conclusions are mistaken. Thank you.

(tendo kiiza Martyn) #5

@dkayiwa can this be channelled to GSoC? Is it in that scope anyway?

(Daniel Kayiwa) #6

@tendomart the first part would be to clearly define what needs to be done. Then this will determine whether it is fit for GSoC. Do you have the time for this?

(tendo kiiza Martyn) #7

@dkayiwa oh yes, I may take it up if there is a mentor, though I do not know where to start from. I think security is very crucial for OpenMRS operations. But I’ll go through the link and come up with what needs to be done, then share. Would you be willing to mentor this?

(Daniel Kayiwa) #8

@tendomart I do not mean doing the actual work. I simply mean going through the above docs and links to clearly define what needs to be done from a developer’s perspective.

(tendo kiiza Martyn) #9

I’ll do that tonight.

(Moses Mutesasira) #10

Hi @tendomart, how far with the work? It seems to me that this is a very serious issue that needs attention.

1 Like
(tendo kiiza Martyn) #11

The students found the following loopholes:

  1. OpenMRS is weak at protecting confidentiality because, once users log in, they can access any protected health information without restriction and without leaving an audit trail (I am not sure whether the privileges feature does not cater for this).

  2. OpenMRS has inadequate support for accountability.

  3. The default admin password violates the principle of fail-safe defaults. Also, there is no support for separating administrative privileges to different users.

Suggested solutions / recommendations:

  1. Most importantly, the default admin password should be corrected by implementing a password expiration or password quality policy.

  2. OpenMRS should implement session timeouts and account locking with repeated login failures.

  3. Administrative responsibilities should be divided across multiple administrators.

  4. Implementer’s Documentation should contain security guidance.

Thoughts @dkayiwa

@mozzy do you want to help out?

(Moses Mutesasira) #12

Thanks @tendomart, at least there are some features that I know already exist, example

(Moses Mutesasira) #13

We can include that in the ongoing Documentation Forum @jwnasambu

(Moses Mutesasira) #14

We have a “require password change at next login” feature, but maybe we can make it enabled by default for every admin at first login.

And there are some existing settings for password quality policy, but they need better documentation and inclusion in the Implementer’s Documentation. cc @jwnasambu for the ongoing Documentation Forum.

(Juliet Wamalwa) #15

Thanks for the serious observation; those are the gaps we are looking at. Feel free to share more and more as we implement the changes.

(Moses Mutesasira) #16

From what I understand from that, that’s more of the work of the implementers: assigning the necessary roles and privileges to the right users :wink:

(Moses Mutesasira) #17

I think one key feature I have seen that needs implementation is making the “require password change at next login” feature enabled by default for every admin at first login.

And also some work is needed here.

(Cynthia Antwi) #18

I think we should make this an agenda item on our next documentation forum call.

(Cintia Del Rio) #19

I know that HIPAA compliance requires rotating passwords frequently, but that guideline has been proven damaging to the security of the system.

You can see papers and studies from very influential institutes; there’s data to back it up that it’s actually harmful and bad advice.

There’s currently a request being discussed to drop that requirement from HIPAA, but don’t hold your breath.

(Cintia Del Rio) #20

My understanding about HIPAA is that it applies to running systems. I can ask my local compliance expert if you need.

It doesn’t matter if you have to run manual tasks to set it up, change the default password and everything, as long as normal usage later won’t invalidate HIPAA compliance. For example, the problem is not our default password being hardcoded and weak; the problem is that users can use weak passwords and there’s nothing you can do (I’m assuming the reference application here).

Same thing for brute force protection. If you put a system in front of OpenMRS to prevent it, your system is compliant. It doesn’t need to be embedded inside OpenMRS if we explain how to achieve that with other infrastructure pieces.

1 Like
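The controls discussed in posts #11 and #20 (locking an account after repeated login failures, session timeouts, a password quality policy, and doing the brute-force protection in a component placed in front of OpenMRS) can be sketched as a small gateway policy. The block below is an added example written for this thread; it is not OpenMRS code and does not reflect how the reference application implements any of these settings. The thresholds, the usernames and the idea of a separate "login gate" are assumptions, and every decision is written to an in-memory audit list, since the absence of an audit trail was one of the gaps the students listed.

```python
"""Login gate in front of an EHR: failure counting, lockout, idle timeout,
password quality. Added example for the OpenMRS HIPAA thread; not OpenMRS code.
Thresholds, usernames and the gate-in-front-of-the-app design are assumptions.
"""
import re
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class LoginPolicy:
    max_failures: int = 5                 # failures tolerated inside the window
    window_seconds: float = 300.0         # sliding window for counting failures
    lockout_seconds: float = 900.0        # how long an account stays locked
    session_idle_seconds: float = 900.0   # idle time after which a session expires
    min_password_length: int = 12         # assumed minimum, not an OpenMRS default


class LoginGate:
    """Stateful policy an operator could enforce in a proxy or middleware.

    Every decision is appended to `audit` as (time, event, subject), so that
    lockouts, unlocks and session expiries leave a trail.
    """

    def __init__(self, policy: LoginPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                  # injectable for deterministic tests
        self._failures: dict[str, deque] = {}          # user -> failure timestamps
        self._locked_until: dict[str, float] = {}      # user -> unlock time
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (user, last seen)
        self.audit: list[tuple[float, str, str]] = []

    def _log(self, event: str, subject: str) -> None:
        self.audit.append((self.clock(), event, subject))

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:           # lockout elapsed: release and record it
            del self._locked_until[username]
            self._log("unlock", username)
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Register a failed login; return True if this failure locked the account."""
        now = self.clock()
        window = self._failures.setdefault(username, deque())
        window.append(now)
        # drop failures that have fallen out of the sliding window
        while window and now - window[0] > self.policy.window_seconds:
            window.popleft()
        self._log("login_failure", username)
        if len(window) >= self.policy.max_failures:
            self._locked_until[username] = now + self.policy.lockout_seconds
            window.clear()                  # counting restarts after the lockout
            self._log("lockout", username)
            return True
        return False

    def record_success(self, username: str, token: str) -> None:
        """Successful login: reset the failure window and open a session."""
        self._failures.pop(username, None)
        self._sessions[token] = (username, self.clock())
        self._log("login_success", username)

    def touch_session(self, token: str) -> bool:
        """Return True if the session is still live, refreshing its idle timer."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > self.policy.session_idle_seconds:
            del self._sessions[token]
            self._log("session_expired", username)
            return False
        self._sessions[token] = (username, now)
        return True


def password_problems(password: str, policy: LoginPolicy = LoginPolicy()) -> list[str]:
    """Return the quality rules the password violates (empty list means acceptable)."""
    problems = []
    if len(password) < policy.min_password_length:
        problems.append(f"shorter than {policy.min_password_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


if __name__ == "__main__":
    # constructed walk-through with a fake clock so the output is reproducible
    t = [0.0]
    gate = LoginGate(LoginPolicy(max_failures=3, window_seconds=60,
                                 lockout_seconds=120, session_idle_seconds=30),
                     clock=lambda: t[0])
    for _ in range(3):
        locked = gate.record_failure("clerk")   # constructed username
    print("locked after 3 failures:", locked)
    t[0] += 121
    print("still locked after 121 s:", gate.is_locked("clerk"))
    print("problems with 'short':", password_problems("short"))
    for entry in gate.audit:
        print(entry)
```

The failure window is per account, which matches the "account locking with repeated login failures" recommendation; a deployment that also wants per-client-address throttling would keep a second `LoginGate` keyed by source address, and the session-timeout check would run on every proxied request rather than only at login. Post #19's caution about forced rotation is reflected in what the block deliberately leaves out: there is a quality check, but no expiry timer.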