I am a doctor of chiropractic and I am looking for a flexible EHR for use in my Colorado, U.S.A. clinic. I am considering OpenEMR and OpenMRS. I prefer OpenMRS based on database and customization flexibility.
Can OpenMRS be used in a U.S.A. clinic and can HIPAA compliance be provided?
Per Wikipedia, OpenMRS: “There are five known OpenMRS deployments supporting clinical care in the US - three in Indianapolis, one in Los Angeles, and one in Maryland.” The names of the clinics are not provided. Can anyone provide me with the names of these U.S. clinics that are using OpenMRS? I would like to find out how they are meeting HIPAA security requirements. Thank you in advance for any replies.
Thanks for posting that study. I reviewed that study about a week before posting my question. Unless someone has evidence to the contrary, my conclusions from the study and from other research are as follows:
OpenMRS as it was at the time of the study had several security vulnerabilities.
To the best of my knowledge, these vulnerabilities have not been fixed.
These vulnerabilities make OpenMRS non-HIPAA compliant for use in the U.S.
From what I can tell, most use in the U.S. has been for research where HIPAA compliance is not required, rather than for clinic use.
This is a personal disappointment as it means OpenMRS is not suitable for use in my clinic. Please post if you think my conclusions are mistaken. Thank you.
@dkayiwa oh yes, I may take it up if there is a mentor. Though I know not where to start from. I think security is very crucial for OpenMRS operations.
But I’ll go through the link and come up with what needs to be done, then share.
Would you be willing to mentor this?
OpenMRS is weak at protecting confidentiality, because once users log in, they can access any protected health information without restriction and without leaving an audit trail (I am not sure whether the privileges feature does not cater for this).
OpenMRS has inadequate support for accountability.
The default admin password violates the principle of fail-safe defaults. Also, there is no support for separating administrative privileges to different users.
Suggested Solutions / Recommendations:
Most importantly, the default admin password should be corrected by implementing a password expiration or password quality policy.
OpenMRS should implement session timeouts and account locking with repeated login failures.
Administrative responsibilities should be divided across multiple Administrators.
Implementer’s Documentation should contain security guidance.
My understanding about HIPAA is that it applies to running systems. I can ask my local compliance expert if you need.
It doesn’t matter if you have to run manual tasks to set it up, change the default password and everything, as far as normal usage later won’t invalidate HIPAA compliance. For example, the problem is not our default password being hardcoded and weak, the problem is that users can use weak passwords and there’s nothing you can do (I’m assuming the reference application here).
Same thing for brute force protection. If you put a system in front of OpenMRS to prevent it, your system is compliant. It doesn’t need to be embedded inside OpenMRS if we explain how to achieve that with other infrastructure pieces.
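The two posts above make the same point from different sides: the recommendations (password quality or expiration policy, session timeouts, account locking after repeated login failures, an audit trail for accountability) do not have to live inside the EHR itself if a layer in front of it enforces them. The following is an added illustration written for this thread, not OpenMRS code or anything from the reference application: a small Python login gate that applies those four controls and records every decision in an audit list. The account names, the thresholds (8-character minimum, 5 failures in 15 minutes, 30-minute lock, 90-day password age, 15-minute idle timeout) and the tiny weak-password list are constructed assumptions chosen to make the example readable.

```python
"""Login-policy layer in front of an EHR (constructed example, not OpenMRS code).

Enforces: password quality, password expiration, lockout after repeated
failed logins, idle-session timeout, and an audit trail of every decision.
"""
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy thresholds: assumed values for the example, not OpenMRS defaults.
MIN_LENGTH = 8
MAX_FAILURES = 5
LOCKOUT_WINDOW = timedelta(minutes=15)    # failures counted within this window
LOCKOUT_DURATION = timedelta(minutes=30)  # how long an account stays locked
PASSWORD_MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed deny-list; a real deployment would use a large breached-password list.
WEAK_PASSWORDS = {"admin123", "password", "password1", "openmrs"}


def password_problems(pw: str, username: str) -> List[str]:
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if pw.lower() in WEAK_PASSWORDS:
        problems.append("common password")
    if username.lower() in pw.lower():
        problems.append("contains username")
    return problems


@dataclass
class Account:
    username: str
    password: str  # plain text only for the example; store a salted hash in practice
    password_set_at: datetime
    failures: List[datetime] = field(default_factory=list)  # recent failed attempts
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    username: str
    last_seen: datetime


class LoginGate:
    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[datetime, str, str]] = []  # (time, user, event)

    def login(self, username: str, password: str, now: datetime) -> Tuple[Optional[str], str]:
        """Return (session token or None, reason). Every outcome is audited."""
        acct = self.accounts.get(username)
        if acct is None:
            self.audit.append((now, username, "login-unknown-user"))
            return None, "invalid credentials"
        if acct.locked_until is not None and now < acct.locked_until:
            self.audit.append((now, username, "login-locked"))
            return None, "account locked"
        if not secrets.compare_digest(acct.password, password):
            # Sliding window: forget failures older than LOCKOUT_WINDOW, then count this one.
            acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
            acct.failures.append(now)
            self.audit.append((now, username, "login-failed"))
            if len(acct.failures) >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_DURATION
                self.audit.append((now, username, "account-locked"))
                return None, "account locked"
            return None, "invalid credentials"
        acct.failures.clear()
        acct.locked_until = None
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            self.audit.append((now, username, "password-expired"))
            return None, "password expired"
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, now)
        self.audit.append((now, username, "login-ok"))
        return token, "ok"

    def touch(self, token: str, now: datetime) -> bool:
        """Validate a session on each request; drop it after IDLE_TIMEOUT of inactivity."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            self.audit.append((now, s.username, "session-timeout"))
            return False
        s.last_seen = now
        return True


T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed clock for a reproducible run


def build_demo_gate() -> LoginGate:
    """Two constructed accounts: one current, one whose password is 100 days old."""
    return LoginGate([
        Account("clinician", "Xq7!vbLmZ", T0),
        Account("oldpw", "Rt4#kWpQs", T0 - timedelta(days=100)),
    ])


if __name__ == "__main__":
    gate = build_demo_gate()
    for i in range(MAX_FAILURES):
        gate.login("clinician", "wrong", T0 + timedelta(seconds=i))
    print(gate.login("clinician", "Xq7!vbLmZ", T0 + timedelta(seconds=10)))
    for when, user, event in gate.audit:
        print(when.isoformat(), user, event)
```

The audit list is the accountability piece the earlier post asked for: a deployment would write it to append-only storage rather than memory, and would hash passwords rather than compare plaintext, but the control flow (check lock, count failures in a window, lock, expire stale passwords, time out idle sessions) is the part that has to be right.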