U.S.A. clinic use and HIPAA compliance?

I am a doctor of chiropractic and I am looking for a flexible EHR for use in my Colorado, U.S.A. clinic. I am considering OpenEMR and OpenMRS. I prefer OpenMRS based on database and customization flexibility.

Can OpenMRS be used in a U.S.A. clinic and can HIPAA compliance be provided?

Per Wikipedia, OpenMRS: “There are five known OpenMRS deployments supporting clinical care in the US - three in Indianapolis, one in Los Angeles, and one in Maryland.” The names of the clinics are not provided. Can anyone provide me with the names of these U.S. clinics that are using OpenMRS? I would like to find out how they are meeting HIPAA security requirements. Thank you in advance for any replies.

TJ Prescott, DC PE

Thoughts cc @burke @janflowers @jthomas

Is this of any help? Report from course assignment assessing security of OpenMRS


Thanks for posting that study. I reviewed that study about a week before posting my question. Unless someone has evidence to the contrary, my conclusions from the study and from other research are as follows:

  1. OpenMRS as it was at the time of the study had several security vulnerabilities.
  2. To the best of my knowledge, these vulnerabilities have not been fixed.
  3. These vulnerabilities make OpenMRS non-HIPAA compliant for use in the U.S.
  4. From what I can tell, most use in the U.S. has been for research where HIPAA compliance is not required, rather than for clinic use.

This is a personal disappointment as it means OpenMRS is not suitable for use in my clinic. Please post if you think my conclusions are mistaken. Thank you.

@dkayiwa can this be channelled to GSoC? Is it in that scope anyway?

@tendomart first part would be to clearly define what needs to be done. Then this will determine whether it is fit for GSoC. Do you have the time for this?

@dkayiwa oh yes, I may take it up if there is a mentor. Though I know not where to start from. I think security is very crucial for OpenMRS operations. But I'll go through the link and come up with what needs to be done, then share. Would you be willing to mentor this?

@tendomart I do not mean doing the actual work. I simply mean going through the above docs and links to clearly define what needs to be done from a developer's perspective.

I'll do that tonight.

Hi @tendomart, how far with the work? It seems to me that this is a very serious issue that needs attention.


The students found the following loopholes:

  1. OpenMRS is weak at protecting confidentiality, because once users log in, they can access any protected health information without restriction and without leaving an audit trail (I am not sure whether the privileges feature does not cater for this).

  2. OpenMRS has inadequate support for accountability.

  3. The default admin password violates the principle of fail-safe defaults. Also, there is no support for separating administrative privileges to different users.

Suggested Solutions / Recommendations:

  1. Most importantly, the default admin password should be corrected by implementing a password expiration or password quality policy.

  2. OpenMRS should implement session timeouts and account locking with repeated login failures.

  3. Administrative responsibilities should be divided across multiple Administrators.

  4. Implementer’s Documentation should contain security guidance.

Thoughts @dkayiwa

@mozzy you want to help out ?

Thanks @tendomart, at least there are some features that I know already exist, for example:

We can include that in the ongoing Documentation Forum @jwnasambu.

We have a "require password change at next login" feature, but maybe we can make it enabled by default for every admin at first login.

And there are some existing settings for password quality policy, but they need better documentation and inclusion in the Implementer's Documentation. cc @jwnasambu for the ongoing Documentation Forum.

Thanks for the serious observation; those are the gaps we are looking at. Feel free to share more and more as we implement the changes.

From what I understand from that, that's more the work of the implementers... assigning the necessary roles and privileges to the right users :wink:

I think one key feature I have seen that needs implementation is making the "require password change at next login" feature enabled by default for every admin at first login.

And also some work is needed here.

I think we should make this an agenda item on our next documentation forum call.


I know that HIPAA compliance requires rotating passwords frequently, but that guideline has been proven damaging to the security of the system.

You can see papers and studies from very influential institutes; there's data to back it up: it's actually harmful and bad advice.

There’s currently a request being discussed to drop that requirement from HIPAA, but don’t hold your breath.

My understanding about HIPAA is that it applies to running systems. I can ask my local compliance expert if you need.

It doesn't matter if you have to run manual tasks to set it up, change the default password and everything, as long as normal usage later won't invalidate HIPAA compliance. For example, the problem is not our default password being hardcoded and weak, the problem is that users can use weak passwords and there's nothing you can do (I'm assuming the reference application here).

Same thing for brute force protection. If you put a system in front of OpenMRS to prevent it, your system is compliant. It doesn’t need to be embedded inside OpenMRS if we explain how to achieve that with other infrastructure pieces.

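The account-locking recommendation in the students' list and the later point that brute-force protection can sit in front of OpenMRS both reduce to the same check: count failed logins per account inside a window and refuse further attempts for a lockout period. As an added example, not code from OpenMRS or from anyone in this thread, here is a sliding-window lockout evaluator run over constructed login-audit lines; the log format, thresholds and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user source result" format;
# OpenMRS's real audit format is not shown in the thread.
SAMPLE_LOG = """\
2024-01-15T09:00:01 admin 203.0.113.7 FAIL
2024-01-15T09:00:03 admin 203.0.113.7 FAIL
2024-01-15T09:00:05 admin 203.0.113.7 FAIL
2024-01-15T09:00:07 admin 203.0.113.7 FAIL
2024-01-15T09:00:09 admin 203.0.113.7 FAIL
2024-01-15T09:00:20 admin 203.0.113.7 OK
2024-01-15T09:05:00 nurse1 192.0.2.10 FAIL
2024-01-15T09:30:00 nurse1 192.0.2.10 FAIL
2024-01-15T09:31:00 nurse1 192.0.2.10 OK
"""

MAX_FAILURES = 5                 # assumed policy values
WINDOW = timedelta(minutes=15)   # failures older than this no longer count
LOCKOUT = timedelta(minutes=30)  # how long a locked account stays locked


def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def evaluate(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay the audit lines in order.

    Returns (locked, rejected): locked maps user -> time the lock started,
    rejected lists attempts denied because the account was locked at the time
    (a correct password during the lockout is still denied)."""
    recent = defaultdict(deque)  # user -> failure timestamps inside the window
    locked_until = {}
    locked = {}
    rejected = []
    for line in log_text.splitlines():
        ts, user, src, result = parse(line)
        if user in locked_until and ts < locked_until[user]:
            rejected.append((ts, user, src))
            continue
        q = recent[user]
        if result == "OK":
            q.clear()            # a successful login resets the failure count
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # slide the window forward
        if len(q) >= max_failures:
            locked_until[user] = ts + lockout
            locked.setdefault(user, ts)
            q.clear()
    return locked, rejected
```

The same counting, keyed on source address instead of user, is what a reverse-proxy rate limiter in front of OpenMRS would do.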