...
| Info |
|---|
This work was contributed by IntelliSOFT Consulting Ltd. in September 2024 thanks to a generous grant from Digital Square for CyberSecurity improvement work, organized by OpenMRS Inc. |
Table of Contents
The Core Principles of Minimum Baseline Security Standards 3
To protect workloads consider; 4
Authentication & Authorization 6
Incident Response and Monitoring 7
...
| Table of Contents | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Table of Abbreviations and Acronyms
Abbreviation/Acronym | Full Form |
GDPR | General Data Protection Regulation |
HIPAA | Health Insurance Portability and Accountability Act |
HSTS | HTTP Strict Transport Security |
IDS | Intrusion Detection System |
MFA | Multi-Factor Authentication |
MBSS | Minimum Baseline Security Standard |
OpenMRS | Open Medical Record System |
SQL | Structured Query Language |
SSH | Secure Shell |
SSL/TLS | Secure Sockets Layer/Transport Layer Security |
VLAN | Virtual Local Area Network |
WAF | Web Application Firewall |
XSS | Cross-Site Scripting |
...
Below is a diagram illustrating Network Segmentation Segmentation:
...
To protect workloads consider
...
:
Group like workloads together (such as databases) into zones.
Segmentation - Use tools such as firewalls to isolate some groups from others, this practice can substantially limit exposure and isolate sensitive systems and data.
Use Virtual Local Area Networks (VLANs) to separate different types of traffic.
...
Operating system hardening involves configuring the OS to minimize vulnerabilities.
This includes:
disabling unnecessary services,
applying security patches, and
following best practices for secure configurations.
Server Patch Management
...
Regularly apply security patches and updates, this . This is critical for protecting the OpenMRS server and its dependencies from known vulnerabilities. An effective patch management strategy reduces the risk of exploitation. To be effective always monitor any announcements for critical updates for OpenMRS.
...
Authentication and authorization are critical components of security that ensure only legitimate users can access the OpenMRS system and its data. Strong mechanisms help prevent help prevent unauthorized access.
Basic principles of authentication & authorization
Strong Authentication
Implement multi-factor authentication (MFA)
...
for all user accounts.
Use strong password policies, requiring complexity
...
and regular changes.
Password Management
Enforce password length and complexity requirements.
Implement account lockout policies after a defined number of failed login attempts.
Role-Based Access Control
Define user roles and permissions based on the principle of least privilege.
Regularly audit user access and roles for compliance.
...
To minimize risks, OpenMRS must be configured in accordance with security with security best practices. This involves turning off superfluous features and ensuring and ensuring security settings are in place.
Module Security
...
Regularly upgrading OpenMRS modules and examining them for known vulnerabilities ensures that the application is safe and resistant to exploitation. Always disable unnecessary modules and features that are not in use.
...
Input validation is an important security precaution that involves checking and cleaning user inputs to avoid common vulnerabilities like SQL injection and cross-site scripting (XSS).
Incident Response and Monitoring
Incident Response Plan
Create an incident response strategy that outlines
roles, responsibilities, and processes for reacting
to security issues.
Run frequent drills to guarantee preparedness.
Security Monitoring
Use security monitoring tools to detect and alert to
questionable activity. Use IDS and log monitoring tools.
Log Management
Enable logging on all key systems and apps.
Review and analyze logs on a regular basis to detect security events and abnormalities.
Compliance & Governance
Compliance:
Ensure compliance with applicable laws and regulations, including HIPAA, GDPR, and local
healthcare legislation.
Conduct periodical audits to determine compliance.
Security Policies
Create and follow security policies, procedures, and recommendations.
Policies should be reviewed and updated on a regular basis to reflect technological and
regulatory developments.
Training and Awareness
Offer continuing security training and awareness initiatives to all users, administrators, and
developers.
Encourage a culture of security throughout the organization.
Tomcat Security
Tomcat minimum baseline security standards focus on securing the application server and its deployment applications. Key control points include:
...
Enabling HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy)
NGINX Security
NGINX security focuses on securing the web server and its served content. Key control points include:
Configuration:
Disabling unnecessary modules
Configuring error pages to avoid revealing sensitive information
Limiting request headers and body sizes
Implementing rate limiting to prevent denial-of-service attacks
Access Control:
Using IP-based access control lists
Configuring strong authentication mechanisms
Implementing WAF (Web Application Firewall) rules
SSL/TLS:
Using strong cipher suites
Enabling HTTP Strict Transport Security (HSTS)
...
Apache MBSS
Apache MBSS focuses on securing the web server and its served content. Key control points include:
Configuration:
Disabling unnecessary modules
Configuring error pages to avoid revealing sensitive information
Limiting request headers and body sizes
Implementing rate limiting to prevent denial-of-service attacks
Access Control:
Using .htaccess files for directory-level access control
Configuring strong authentication mechanisms
Implementing WAF (Web Application Firewall) rules
SSL/TLS:
Using strong cipher suites
Enabling HTTP Strict Transport Security (HSTS)
...
Incident Response and Monitoring
...
Incident Response Plan
Create an incident response strategy that outlines roles, responsibilities, and processes for reacting to security issues. Resource: Sample Incident Response Plan
Run frequent drills to guarantee preparedness.
Security Monitoring
Use security monitoring tools to detect and alert to questionable activity. Use IDS and log monitoring tools.
Log Management
Enable logging on all key systems and apps.
Review and analyze logs on a regular basis to detect security events and abnormalities.
Compliance & Governance
Compliance:
Ensure compliance with applicable laws and regulations, including HIPAA, GDPR, and local healthcare legislation.
Conduct periodical audits to determine compliance.
Security Policies
Create and follow security policies, procedures, and recommendations.
Policies should be reviewed and updated on a regular basis to reflect technological and regulatory developments.
Training and Awareness
Offer continuing security training and awareness initiatives to all users, administrators, and developers.
Encourage a culture of security throughout the organization.
Conclusion
Implementing this Minimum Security Baseline for OpenMRS will assist to reduce risks and safeguard sensitive health information. Regular assessments and revisions to this baseline are required to respond to emerging risks and changes in the technological ecosystem. It is a necessity in today’s threat landscape to implement these security practices.
Moreover, MBSS goes beyond protecting assets. It empowers implementers to become active participants in security. By fostering a culture of security awareness adopting best practices, and contributing to a more secure work environment.
| Info |
|---|
For more detailed content, see the section Sample Security Guidance & Policy Documents |