Versions Compared

Old Version 2

changes.mady.by.user Grace Potma

Saved on

compared with

New Version 8

changes.mady.by.user Grace Potma

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

This work was contributed by IntelliSOFT Consulting Ltd. in September 2024 thanks to a generous grant from Digital Square for CyberSecurity improvement work, organized by OpenMRS Inc.

Table of Contents

Introduction 3

The Core Principles of Minimum Baseline Security Standards 3

Network Security 3

To protect workloads consider; 4

Firewall Configuration: 4

Port Management: 4

Server Security 5

Data Security 5

Authentication & Authorization 6

Application Security 6

OpenMRS Configuration 6

Module Security. 6

Input Validation 6

Incident Response and Monitoring 7

Compliance & Governance 7

Compliance: 7

Security Policies 7

Training and Awareness 7

Tomcat Security 7

NGINX Security 8

Apache MBSS 9

Conclusion 9

Table of Contents
minLevel1
maxLevel2
outlinefalse
stylenone
typelist
printabletrue

Table of Abbreviations and Acronyms

Abbreviation/Acronym

Full Form

GDPR

General Data Protection Regulation

HIPAA

Health Insurance Portability and Accountability Act

HSTS

HTTP Strict Transport Security

IDS

Intrusion Detection System

MFA

Multi-Factor Authentication

MBSS

Minimum Baseline Security Standard

OpenMRS

Open Medical Record System

SQL

Structured Query Language

SSH

Secure Shell

SSL/TLS

Secure Sockets Layer/Transport Layer Security

VLAN

Virtual Local Area Network

WAF

Web Application Firewall

XSS

Cross-Site Scripting

...

Below is a diagram illustrating Network Segmentation Segmentation:Image Removed

...

To protect workloads consider

...

:

  • Group like workloads together (such as databases) into zones.

  • Segmentation - Use tools such as firewalls to isolate some groups from others, this practice can substantially limit exposure and isolate sensitive systems and data.

  • Use Virtual Local Area Networks (VLANs) to separate different types of traffic.

...

Operating system hardening involves configuring the OS to minimize vulnerabilities.

This includes:

  • disabling unnecessary services,

  • applying security patches, and 

  • following best practices for secure configurations.

Server Patch ManagementImage Removed

...

Regularly apply security patches and updates, this . This is critical for protecting the OpenMRS server and its dependencies from known vulnerabilities. An effective patch management strategy reduces the risk of exploitation. To be effective always monitor any announcements for critical updates for OpenMRS.

Access Control

...

Access control ensures that only authorized personnel can access the server. Implementing strict access controls helps mitigate the risk of unauthorized access and potential data breaches.

...

Data Security

Data Security encompasses the measures taken to protect sensitive information from unauthorized access, corruption, or theft. For OpenMRS, safeguarding patient data is of utmost importance.

...

Authentication and authorization are critical components of security that ensure only legitimate users can access the OpenMRS system and its data. Strong mechanisms help prevent help prevent unauthorized access.

Basic principles of authentication & authorization

  • Strong Authentication

    • Implement multi-factor authentication (MFA)

...

    • for all user accounts.

    • Use strong password policies, requiring complexity

...

    • and regular changes.

  • Password Management

    • Enforce password length and complexity requirements.

    • Implement account lockout policies after a defined number of failed login attempts.

  • Role-Based Access Control

    • Define user roles and permissions based on the principle of least privilege.

    • Regularly audit user access and roles for compliance. 

...

Application security entails safeguarding the OpenMRS application from vulnerabilities and attacks throughout its life cycle. Implementing safe coding methods and performing frequent upgrades is critical for ensuring application integrity.

...

OpenMRS Configuration

To minimize risks, OpenMRS must be configured in accordance with security with security best practices. This involves turning off superfluous features and ensuring and ensuring security settings are in place.

Module Security

...

Regularly upgrading OpenMRS modules and examining them for known vulnerabilities ensures that the application is safe and resistant to exploitation. Always disable unnecessary modules and features that are not in use.

...

Input validation is an important security precaution that involves checking and cleaning user inputs to avoid common vulnerabilities like SQL injection and cross-site scripting (XSS).

Incident Response and Monitoring

Image Removed

Incident Response Plan

  • Create an incident response strategy that outlines 

    roles, responsibilities, and processes for reacting

    to security issues.

  • Run frequent drills to guarantee preparedness.

Security Monitoring

  • Use security monitoring tools to detect and alert to 

  questionable activity. Use IDS and log monitoring tools.

Log Management

  • Enable logging on all key systems and apps.

  • Review and analyze logs on a regular basis to detect security events and abnormalities.

Compliance & Governance

Compliance:

  • Ensure compliance with applicable laws and regulations, including HIPAA, GDPR, and local 

...

   healthcare legislation.

  • Conduct periodical audits to determine compliance.

Security Policies

  • Create and follow security policies, procedures, and recommendations.

  • Policies should be reviewed and updated on a regular basis to reflect technological and 

  regulatory developments.

 Training and Awareness

  • Offer continuing security training and awareness initiatives to all users, administrators, and   

   developers.

  • Encourage a culture of security throughout the organization.

Tomcat Security 

Tomcat minimum baseline security standards focus on securing the application server and its deployment applications. Key control  points include:

...

  • Enabling HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy)

NGINX Security

NGINX security focuses on securing the web server and its served content. Key control points include:

  • Configuration:

    • Disabling unnecessary modules

    • Configuring error pages to avoid revealing sensitive information

    • Limiting request headers and body sizes

    • Implementing rate limiting to prevent denial-of-service attacks

  • Access Control:

    • Using IP-based access control lists

    • Configuring strong authentication mechanisms

    • Implementing WAF (Web Application Firewall) rules

  • SSL/TLS:

    • Using strong cipher suites

    • Enabling HTTP Strict Transport Security (HSTS)

...

Apache MBSS

Apache MBSS focuses on securing the web server and its served content. Key control points include:

  • Configuration:

    • Disabling unnecessary modules

    • Configuring error pages to avoid revealing sensitive information

    • Limiting request headers and body sizes

    • Implementing rate limiting to prevent denial-of-service attacks

  • Access Control:

    • Using .htaccess files for directory-level access control

    • Configuring strong authentication mechanisms

    • Implementing WAF (Web Application Firewall) rules

  • SSL/TLS:

    • Using strong cipher suites

    • Enabling HTTP Strict Transport Security (HSTS)

...

Incident Response and Monitoring

...

Incident Response Plan

  • Create an incident response strategy that outlines roles, responsibilities, and processes for reacting to security issues. Resource: Sample Incident Response Plan

  • Run frequent drills to guarantee preparedness.

Security Monitoring

  • Use security monitoring tools to detect and alert to questionable activity. Use IDS and log monitoring tools.

Log Management

  • Enable logging on all key systems and apps.

  • Review and analyze logs on a regular basis to detect security events and abnormalities.

Compliance & Governance

Compliance:

  • Ensure compliance with applicable laws and regulations, including HIPAA, GDPR, and local healthcare legislation.

  • Conduct periodical audits to determine compliance.

Security Policies

  • Create and follow security policies, procedures, and recommendations.

  • Policies should be reviewed and updated on a regular basis to reflect technological and regulatory developments.

 Training and Awareness

  • Offer continuing security training and awareness initiatives to all users, administrators, and developers.

  • Encourage a culture of security throughout the organization.

Conclusion

Implementing this Minimum Security Baseline for OpenMRS will assist to reduce risks and safeguard sensitive health information. Regular assessments and revisions to this baseline are required to respond to emerging risks and changes in the technological ecosystem. It is a necessity in today’s threat landscape to implement these security practices.

Moreover, MBSS goes beyond protecting assets. It empowers implementers to become active participants in security. By fostering a culture of security awareness adopting best practices, and contributing to a more secure work environment.

Info

For more detailed content, see the section Sample Security Guidance & Policy Documents