...
...
Abbreviation/Acronym | Full Form |
GDPR | General Data Protection Regulation |
HIPAA | Health Insurance Portability and Accountability Act |
HSTS | HTTP Strict Transport Security |
IDS | Intrusion Detection System |
MFA | Multi-Factor Authentication |
MBSS | Minimum Baseline Security Standard |
OpenMRS | Open Medical Record System |
SQL | Structured Query Language |
SSH | Secure Shell |
SSL/TLS | Secure Sockets Layer/Transport Layer Security |
VLAN | Virtual Local Area Network |
WAF | Web Application Firewall |
XSS | Cross-Site Scripting |
Introduction
The Minimum Baseline Security Standard (MBSS) is a foundational set of rules designed to safeguard information systems. It is a framework that provides a basic level of protection against cyber threats.
This document outlines the Minimum Security Baseline for OpenMRS implementations, addressing common security considerations and best practices tailored to the needs and constraints of OpenMRS implementers. This baseline aims to enhance the security posture of OpenMRS deployments and protect sensitive health information.
The Core Principles of Minimum Baseline Security Standards
...
AAA | Authentication, Authorization, and Accounting |
API | Application Programming Interface |
DNS | Domain Name System |
HTTP | Hypertext Transfer Protocol |
HTTPS | Hypertext Transfer Protocol Secure |
NTP | Network Time Protocol |
REST | Representational State Transfer |
SOAP | Simple Object Access Protocol |
TTL | Time-to-Live |
TLS | Transport Layer Security |
JWT | JSON Web Token |
LDAP | Lightweight Directory Access Protocol |
Introduction
With the increasing number of systems, services, and integrations that organizations implementing OpenMRS continue to deploy within their environments, it is mandatory to define a minimum security baseline that ensures all services meet a minimum level of assurance and none of them poses a threat to the system and/or network, thereby affecting the availability of OpenMRS services. The minimum baseline standards provide a point of reference for all stakeholders interacting with the platform, allowing system developers, administrators, and integrators to incorporate security measures by design when implementing the OpenMRS system.
The minimum baseline standard lays the guardrails for incorporating the three fundamental principles of information security in the implementation of the OpenMRS system as defined below:
Confidentiality: Protecting sensitive information from unauthorized access, disclosure, or misuse. This ensures that only those with legitimate business needs can view or use data.
Integrity: Maintaining the accuracy and completeness of information. This prevents data from being modified, destroyed, or corrupted.
Availability: Ensuring that information and systems are accessible when needed. This prevents disruptions to business operations due to system failure or cyberattacks.
To achieve these objectives, MBSS encompasses several key areas:
Network Security
Network security involves protecting the integrity, confidentiality, and availability of computer networks and their data. For OpenMRS implementations, securing the network environment is crucial to prevent unauthorized access and data breaches. Network segmentation is good practice in any health facility and helps keep the network secure.
Below is a diagram illustrating Network Segmentation
...
To protect workloads, consider the following:
Group like workloads (such as databases) together into zones.
Segmentation: use tools such as firewalls to isolate some groups from others. This practice can substantially limit exposure and isolate sensitive systems and data.
Use Virtual Local Area Networks (VLANs) to separate different types of traffic.
Firewall Configuration:
Deploying a firewall is essential to restrict unauthorized access to the OpenMRS server. Properly configured firewalls help control incoming and outgoing traffic based on predetermined security rules.
Port Management:
Managing network ports is vital to minimize exposure to potential threats and attacks. By exposing only the necessary ports (e.g. SSH and MySQL), organizations can significantly reduce their attack surface.
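One way to check the two controls above on a host is to compare what is actually listening against an explicit port policy, and to derive the host firewall rules from that same policy. The script below is an added example, not OpenMRS project code: the `ss -tlnp` output is a constructed sample in that tool's column layout, the allowlist sets, the admin subnet `10.10.0.0/24` and the use of `ufw` as the host firewall are assumptions for a typical single-host deployment where Tomcat and MySQL sit behind a reverse proxy.

```python
"""Audit listening sockets against a port allowlist.

Added example, not OpenMRS project code. The `ss -tlnp` output below is a
constructed sample in that tool's column layout; the allowlist sets and the
admin subnet are assumptions for a typical single-host deployment.
"""
import re
from typing import List, Tuple

# Constructed sample of what `ss -tlnp` might print on an OpenMRS host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
LISTEN  0       100     127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=1301,fd=42))
LISTEN  0       151     0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=977,fd=21))
LISTEN  0       128     0.0.0.0:9200         0.0.0.0:*          users:(("java",pid=1422,fd=9))
"""

# Policy (assumed): which ports may listen on a non-loopback address.
PUBLIC_ALLOWED = {443}         # reachable from client workstations
MANAGEMENT_ALLOWED = {22}      # reachable from the admin VLAN only
LOOPBACK_ONLY = {8080, 3306}   # Tomcat and MySQL sit behind the reverse proxy
ADMIN_SUBNET = "10.10.0.0/24"  # assumed management VLAN

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_text: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, process) for every LISTEN line."""
    found = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def audit(listeners: List[Tuple[str, int, str]]) -> List[str]:
    """Flag services bound to a routable address that the policy does not permit."""
    findings = []
    for addr, port, proc in listeners:
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback binding is the desired state for backends
        if port in LOOPBACK_ONLY:
            findings.append(f"{proc} on {addr}:{port} must bind to loopback only")
        elif port not in PUBLIC_ALLOWED | MANAGEMENT_ALLOWED:
            findings.append(f"{proc} on {addr}:{port} is not in the port allowlist")
    return findings

def firewall_rules() -> List[str]:
    """Host firewall rules enforcing the same policy (ufw syntax; assumed host firewall)."""
    rules = ["ufw default deny incoming", "ufw default allow outgoing"]
    rules += [f"ufw allow from {ADMIN_SUBNET} to any port {p} proto tcp"
              for p in sorted(MANAGEMENT_ALLOWED)]
    rules += [f"ufw allow {p}/tcp" for p in sorted(PUBLIC_ALLOWED)]
    return rules

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
    print("\n".join(firewall_rules()))
```

On the sample, the audit reports MySQL bound to every interface and an unlisted service on port 9200; SSH and HTTPS pass, and Tomcat on 127.0.0.1 is the intended state. Running the check from a scheduled job and alerting on any finding turns the port-management rule into something that is verified continuously rather than only at go-live.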
Server Security
Server security focuses on protecting the server infrastructure that hosts the OpenMRS application. It includes measures to harden the operating system, manage patches, and control access to the server.
...
Operating System Hardening:
Operating system hardening involves configuring the OS to minimize vulnerabilities. This includes disabling unnecessary services, applying security patches, and following best practices for secure configurations.
Server Patch Management
Regularly applying security patches and updates is critical for protecting the OpenMRS server and its dependencies from known vulnerabilities. An effective patch management strategy reduces the risk of exploitation. To stay effective, always monitor announcements of critical updates for OpenMRS.
Access Control
...
Access control ensures that only authorized personnel can access the server. Implementing strict access controls helps mitigate the risk of unauthorized access and potential data breaches.
Data Security
Data Security encompasses the measures taken to protect sensitive information from unauthorized access, corruption, or theft. For OpenMRS, safeguarding patient data is of utmost importance.
...
Best Practices for protecting your data are as follows:
Data Encryption.
Data Backup and recovery measures.
Data access control.
Data Masking.
Authentication & Authorization
...
Authentication and authorization are critical components of security that ensure only legitimate users can access the OpenMRS system and its data. Strong mechanisms help prevent unauthorized access.
Basic principles of authentication & authorization
Strong Authentication
Implement multi-factor authentication (MFA) for all user accounts.
Use strong password policies, requiring complexity and regular changes.
Password Management
Enforce password length and complexity requirements.
Implement account lockout policies after a defined number of failed login attempts.
Role-Based Access Control
Define user roles and permissions based on the principle of least privilege.
Regularly audit user access and roles for compliance.
Application Security
Application security entails safeguarding the OpenMRS application from vulnerabilities and attacks throughout its life cycle. Implementing safe coding methods and performing frequent upgrades is critical for ensuring application integrity.
OpenMRS Configuration
To minimize risks, OpenMRS must be configured in accordance with security best practices. This involves turning off superfluous features and ensuring security settings are in place.
Module Security
Regularly upgrading OpenMRS modules and examining them for known vulnerabilities ensures that the application is safe and resistant to exploitation. Always disable unnecessary modules and features that are not in use.
Input Validation
Input validation is an important security precaution that involves checking and cleaning user inputs to avoid common vulnerabilities like SQL injection and cross-site scripting (XSS).
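The two defects named above have standard fixes that are easiest to see side by side: a query built by string concatenation next to the same query with a bound parameter, and HTML output that is escaped at the point of rendering. The block below is an added example, not OpenMRS project code; the in-memory SQLite patient table, the identifier format `[A-Za-z0-9-]{1,20}` and the greeting template are constructed for the illustration, and the quote-and-OR probe string is the textbook case used only to contrast the two query forms.

```python
"""Input validation: a string-built query beside its parameterized form, and
output encoding for HTML.

Added example, not OpenMRS project code. The in-memory patient table and the
identifier format are constructed sample data, not the OpenMRS schema.
"""
import html
import re
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, identifier TEXT, name TEXT)")
    conn.executemany("INSERT INTO patient (identifier, name) VALUES (?, ?)",
                     [("1000A", "Alice"), ("1001B", "Bob"), ("1002C", "Carol")])
    return conn

def find_patient_unsafe(conn: sqlite3.Connection, identifier: str) -> List[str]:
    # Vulnerable form: the client-supplied value becomes part of the statement
    # text, so a quote in the input changes the logic of the query.
    sql = f"SELECT name FROM patient WHERE identifier = '{identifier}'"
    return [row[0] for row in conn.execute(sql)]

IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9-]{1,20}$")  # assumed identifier format

def find_patient_safe(conn: sqlite3.Connection, identifier: str) -> List[str]:
    # Hardened form: allow-list validation first, then a bound parameter. The
    # driver sends the value separately from the statement, so it is never
    # parsed as SQL even if validation were bypassed.
    if not IDENTIFIER_RE.match(identifier):
        raise ValueError("identifier has unexpected characters or length")
    rows = conn.execute("SELECT name FROM patient WHERE identifier = ?", (identifier,))
    return [row[0] for row in rows]

def render_greeting(display_name: str) -> str:
    # Output encoding for the XSS case: whatever reaches HTML is escaped at the
    # point of rendering, regardless of what validation happened on input.
    return f"<p>Welcome, {html.escape(display_name)}</p>"

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # textbook probe, shown only to contrast the two forms
    print("unsafe:", find_patient_unsafe(conn, probe))   # every row comes back
    try:
        find_patient_safe(conn, probe)
    except ValueError as err:
        print("safe rejected:", err)
    print(render_greeting("<script>alert(1)</script>"))
```

The unsafe function returns all three rows for the probe string because the quote terminates the literal and the rest is evaluated as SQL; the safe function rejects the same input before it reaches the database, and would still treat it as an opaque value if it got there. Escaping on output rather than stripping on input is what keeps legitimate names containing `<` or `&` intact while still neutralising script tags.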
Incident Response and Monitoring
Incident Response Plan
Create an incident response strategy that outlines roles, responsibilities, and processes for reacting to security issues.
Run frequent drills to guarantee preparedness.
Security Monitoring
Use security monitoring tools to detect and alert on questionable activity. Use IDS and log monitoring tools.
Log Management
Enable logging on all key systems and apps.
Review and analyze logs on a regular basis to detect security events and abnormalities.
Compliance & Governance
Compliance:
Ensure compliance with applicable laws and regulations, including HIPAA, GDPR, and local healthcare legislation.
Conduct periodic audits to determine compliance.
Security Policies
Create and follow security policies, procedures, and recommendations.
Policies should be reviewed and updated on a regular basis to reflect technological and regulatory developments.
Training and Awareness
Offer continuing security training and awareness initiatives to all users, administrators, and developers.
Encourage a culture of security throughout the organization.
Tomcat Security
Tomcat minimum baseline security standards focus on securing the application server and the applications deployed on it. Key control points include:
Configuration:
Removal of unnecessary files and directories.
Disabling unused HTTP methods (such as TRACE and OPTIONS)
Configuring strict SSL/TLS settings
Limiting log file size.
Access Control:
Restricting access to Tomcat directories and configuration files.
Implementing role-based access control for applications.
Protecting web applications from common vulnerabilities (SQL injection, cross-site scripting)
Security Headers:
Enabling HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy)
NGINX Security
NGINX security focuses on securing the web server and its served content. Key control points include:
Configuration:
Disabling unnecessary modules
Configuring error pages to avoid revealing sensitive information
Limiting request headers and body sizes
Implementing rate limiting to prevent denial-of-service attacks
Access Control:
Using IP-based access control lists
Configuring strong authentication mechanisms
Implementing WAF (Web Application Firewall) rules
SSL/TLS:
Using strong cipher suites
Enabling HTTP Strict Transport Security (HSTS)
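The NGINX control points above can be verified mechanically against the configuration file. The block below is an added example, not OpenMRS or NGINX project code: it holds a constructed server block with none of the controls applied, the same block hardened, and a small checker that reports which controls are missing. The hostname `openmrs.example.org`, the proxied Tomcat address and the `/openmrs/login.htm` rate-limited location are assumptions; the directive names (`server_tokens`, `ssl_protocols`, `client_max_body_size`, `limit_req_zone`, `add_header`, `error_page`) are standard NGINX directives. The same checks apply in spirit to the Apache list that follows, with Apache's own directive names.

```python
"""Check an NGINX configuration for the hardening controls listed above.

Added example, not OpenMRS or NGINX project code. Both configurations are
constructed samples (hostname, backend address and paths are assumptions);
the directive names are standard NGINX directives.
"""
import re
from typing import Callable, List, Tuple

# Constructed: a reverse-proxy server block with none of the controls applied.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name openmrs.example.org;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

# Constructed: the same block with the controls applied. limit_req_zone
# belongs in the http context; it is shown next to the server block for brevity.
HARDENED_CONF = """
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
server {
    listen 443 ssl;
    server_name openmrs.example.org;
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    client_max_body_size 10m;
    large_client_header_buffers 4 8k;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    error_page 500 502 503 504 /50x.html;
    location = /openmrs/login.htm {
        limit_req zone=login burst=5 nodelay;
        proxy_pass http://127.0.0.1:8080;
    }
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

def _has(pattern: str) -> Callable[[str], bool]:
    return lambda conf: re.search(pattern, conf, re.M) is not None

def _lacks(pattern: str) -> Callable[[str], bool]:
    return lambda conf: re.search(pattern, conf, re.M) is None

# (finding reported when the predicate fails, predicate that must hold)
CHECKS: List[Tuple[str, Callable[[str], bool]]] = [
    ("server_tokens off missing: version string disclosed in headers and error pages",
     _has(r"^\s*server_tokens\s+off\s*;")),
    ("ssl_protocols still permits TLSv1 or TLSv1.1",
     _lacks(r"ssl_protocols[^;]*\bTLSv1(\.1)?(?=[\s;])")),
    ("HSTS header not set", _has(r"add_header\s+Strict-Transport-Security\b")),
    ("X-Frame-Options header not set", _has(r"add_header\s+X-Frame-Options\b")),
    ("client_max_body_size not limited", _has(r"^\s*client_max_body_size\s+\S+\s*;")),
    ("no limit_req_zone defined: login endpoint has no rate limit",
     _has(r"^\s*limit_req_zone\b")),
    ("custom error_page not configured: default pages reveal server details",
     _has(r"^\s*error_page\b")),
]

def audit_nginx(conf: str) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    return [text for text, ok in CHECKS if not ok(conf)]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_nginx(conf) or "no findings")
```

The checker is deliberately regex-based so it can run in a pre-deployment pipeline without an NGINX binary; `nginx -t` on the target host remains the authority on whether the file actually parses.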
...
Apache MBSS
Apache MBSS focuses on securing the web server and its served content. Key control points include:
Configuration:
Disabling unnecessary modules
Configuring error pages to avoid revealing sensitive information
Limiting request headers and body sizes
Implementing rate limiting to prevent denial-of-service attacks
Access Control:
Using .htaccess files for directory-level access control
Configuring strong authentication mechanisms
Implementing WAF (Web Application Firewall) rules
SSL/TLS:
Using strong cipher suites
Enabling HTTP Strict Transport Security (HSTS)
Conclusion
Implementing this Minimum Security Baseline for OpenMRS will help reduce risks and safeguard sensitive health information. Regular assessments and revisions of this baseline are required to respond to emerging risks and changes in the technological ecosystem. In today's threat landscape, implementing these security practices is a necessity.
Moreover, MBSS goes beyond protecting assets. It empowers implementers to become active participants in security by fostering a culture of security awareness, adopting best practices, and contributing to a more secure work environment. The document addresses different areas of interest in the implementation of the OpenMRS system, including:
Operating Systems and Platform Configurations
System Security Architecture
Accountability
Access Control
Data Security and Privacy
Third-Party Security
Application and API Security
Scope Questionnaire
The scope questionnaire allows the end user of the minimum baseline standards and the policy administrators to effectively determine the boundaries of application of the standards, based on the deployment environment and/or the service being integrated and/or the implementing parties.
No. | Question | Answer (YES/NO) | Instructions |
1 | Does the project process, store, and/or transfer personal data, sensitive or confidential data? | | Please also answer the Data Privacy and Data Protection worksheets |
2 | Does the solution provide or access an API(s) either internally or externally using HTTP-based interfaces such as SOAP, REST, or JSON? | | Please also answer the Application and API worksheet |
3 | Is the solution partially or fully hosted in a cloud? | ||
4 | Is any 3rd party company involved in one or more of the following activities: | ||
Secure Network and Physical Environment
No. | Question | Answer (YES/NO) | Instructions |
1 | Has the hosting server(s) been secured in a locked rack or an area with restricted access? | ||
2 | Has all the non-removable media been configured with file systems with access controls enabled? | ||
3 | Have the server(s) been set up in an environment with appropriately restricted network access? | ||
4 | Have the server(s) been set up to display a trespassing banner at login? |
Patching / Server Maintenance
System Hardening Features
System hardening is the practice of reducing a system's vulnerability by reducing its attack surface: removing the pathways, or attack vectors, that attackers would otherwise use.
No. | Question | Answer (YES/NO) | Instructions |
1 | Have all system components (OS, DB, applications, network devices) been hardened according to specified guidelines as well as specifications provided by the product manufacturer? | ||
2 | Have all servers and applications been configured to disable/prevent access based on trusted hosts and systems (such as the use of .rhosts and .shosts on UNIX)? | ||
3 | Have all software (OS, application, DB) packages and modules not required for this system been deactivated and removed (where possible) from the system? | ||
4 | Has an account been created with adequate permissions (e.g. with sudo rights) to facilitate continuous compliance scans on all system components, even after go-live? |
Patch Management and Vulnerability Reporting
The patch and vulnerability management program (PVMG) outlines the requirements for keeping the organization’s systems updated with the most current versions of their software. PVMG ensures that the organization installs remediation patches for known vulnerabilities and exposures.
No. | Question | Answer (YES/NO) | Instructions |
1 | Is the most recent version in use with the latest security patches/service packs applied across all components? | ||
2 | Have all patch and non-patch vulnerabilities been tested and remediated before the system go-live? | ||
3 | Has an exhaustive list of all the installed security patches and modifications been provided? | ||
4 | Does the supplier/vendor support the provision of Security patches for any Critical or high-risk vulnerabilities within 30 days of notification? | ||
5 | Is there a documented maintenance process to keep applications and operating systems at the latest practical patch levels? Where is it documented? ___________________________________ | ||
6 | Is there a documented maintenance process that includes a reasonable timetable for the routine application of patches and patch clusters (service packs and patch rollups)? | ||
7 | Is there a process to inventory the current level of patches specific to this server? | ||
8 | Is there a process for monitoring patch installation failures? |
Security Logging
Logging refers to the practice of collecting events on security-related activities, such as user authentication, access control, and intrusion detection. The logs are essential for identifying and investigating potential security breaches, which may affect the availability, integrity, and confidentiality of information systems.
No. | Question | Answer (YES/NO) | Instructions |
1 | Is the server configured with appropriate real-time OS/application logging turned on? | ||
2 | Does the system provide the capability to automatically forward audit logs to an external SIEM solution? | ||
3 | Has the integration to the monitoring platform/SIEM been configured and working? | ||
4 | Has the logging configuration been configured to include the following: | ||
5 | Has the right timestamp for logging been configured? | ||
6 | Have the security log files been protected against manual modification, even by the superuser, and have the methods applied been documented? | ||
7 | Has access to audit logs been safeguarded to prevent any possible misuse or compromise? Describe how this has been achieved. |
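Rows 6 and 7 ask for logs that cannot be silently edited, and the Log Management paragraph earlier asks for logs that can be reviewed with confidence. One technique that satisfies both is a hash chain: each record carries an HMAC over its own fields plus the previous record's tag, so editing, reordering or deleting a record breaks verification at that point. The block below is an added example, not OpenMRS project code; the key, the event records and the field layout are constructed, and in a real deployment the key lives in a secret store and the latest tag is also forwarded off-host (row 2) so that truncating the tail of the file is detectable too.

```python
"""Tamper-evident security log: every record carries an HMAC tag computed over
its own fields and the previous record's tag, so an edit, insertion or deletion
in the middle of the log breaks the chain at that point.

Added example, not OpenMRS project code. The key and the events below are
constructed; in production the key lives in a secret store, not in the source.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

KEY = b"constructed-demo-key-not-for-production"  # assumption for the example
GENESIS = "0" * 64  # previous-tag value used for the first record

# Constructed sample events; timestamps are UTC in ISO 8601 (checklist row 5).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "user": "nurse01", "action": "login", "result": "success", "src": "10.0.20.15"},
    {"ts": "2024-05-01T08:05:44Z", "user": "admin", "action": "login", "result": "failure", "src": "10.0.20.99"},
    {"ts": "2024-05-01T08:05:51Z", "user": "admin", "action": "login", "result": "failure", "src": "10.0.20.99"},
    {"ts": "2024-05-01T08:07:10Z", "user": "admin", "action": "role_change", "result": "success", "src": "10.0.20.3"},
]

def _tag(body: dict, key: bytes) -> str:
    # Canonical JSON so that the same fields always produce the same bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_event(chain: List[dict], event: dict, key: bytes = KEY) -> dict:
    prev = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, **event}
    record = dict(body, tag=_tag(body, key))
    chain.append(record)
    return record

def build_chain(events: List[dict], key: bytes = KEY) -> List[dict]:
    chain: List[dict] = []
    for event in events:
        append_event(chain, event, key)
    return chain

def verify_chain(chain: List[dict], key: bytes = KEY) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i                      # gap, reorder or deletion
        if not hmac.compare_digest(_tag(body, key), rec.get("tag", "")):
            return False, i                      # field edited, or wrong key
        prev = rec["tag"]
    return True, None

# Helpers that simulate tampering on a copy, used to exercise the verifier.
def with_field_changed(chain: List[dict], index: int, field: str, value) -> List[dict]:
    copy = [dict(r) for r in chain]
    copy[index][field] = value
    return copy

def with_record_dropped(chain: List[dict], index: int) -> List[dict]:
    return [dict(r) for i, r in enumerate(chain) if i != index]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact: ", verify_chain(chain))
    print("edited: ", verify_chain(with_field_changed(chain, 1, "result", "success")))
    print("dropped:", verify_chain(with_record_dropped(chain, 2)))
```

Changing the second record's `result` from `failure` to `success` is reported at index 1; dropping the third record shifts the sequence numbers and is reported at index 2. Verification with a different key fails at index 0, which is also what an attacker without the key sees when trying to re-sign an altered record. The chain does not by itself detect removal of the newest records, which is why the latest tag should be shipped to the SIEM alongside the events.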
System Integrity Controls
In order to ensure that the system functions in the way that it is designed to operate, the system security must be configured such that there is no interference with its operation configuration.
No. | Question | Answer (YES/NO) | Instructions |
1 | Have configurations to restrict changes to startup procedures been implemented? | ||
2 | Have all the unused services been disabled? | ||
3 | Has anti-virus software been installed on the hosting server? | ||
4 | Has the server been configured behind the firewall/IPS? | ||
5 | Has the server been added to AAA servers? | ||
6 | If available, has the hardware-based system integrity control been enabled? | ||
7 | Has the authoritative source for NTP been configured? | ||
8 | Has the authoritative source for DNS been configured? |
Vulnerability Assessment
This is the process through which the organization assesses its information security system for security weaknesses. Vulnerability assessment allows the organization to discover and remediate the identified vulnerabilities before taking the systems, platform, or application to production.
No. | Question | Answer (YES/NO) | Instructions |
1 | Has a pre-production configuration or vulnerability assessment been performed on the server and its services? | ||
2 | Has a copy of the configuration and/or vulnerability assessment reports produced at the initial server configuration been retained for possible future use by the ISO? | ||
3 | Has the implementation provided a network path for the vulnerability scanners? | ||
4 | Has the vulnerability assessment report been reviewed by the security and risk team and documented for future reference? |
Backup, Restore, and Business Continuity
Backup is the process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. Backups, restoration, and business continuity ensure that the organization continues to provide services even when its primary production site is unavailable.
No. | Question | Answer (YES/NO) | Instructions |
1 | Is there a definition of the backup plan according to the following four types of data: | ||
2 | Has the backup for the operational and mission-critical data been configured? | ||
3 | Has backup for all servers with operation critical data been documented? | ||
4 | Does the backup documentation include system and application restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning? | ||
5 | Has there been defined a specific account for back-up and restore actions on the system, especially on database servers, with rights restricted to only the required actions (back-up and restore)? | ||
6 | Have all the backup / restore actions been restricted to a specific server with an account dedicated to this action? | ||
7 | Have passwords and login used for the backup/restore server been stored securely and encrypted while in transit? | ||
8 | Are restoration backups logically accessible? | ||
9 | Have measures to transmit server backups securely been put into place? | ||
10 | Is the backup media compliant with the Portable Media Security Standard? | ||
11 | Are the mechanisms to protect the system against attacks described including how the system restricts access during an attack or system failure? |
Data Security and Privacy
Data privacy involves ensuring the proper usage, collection, retention, deletion, and storage of data. It involves putting various administrative and logical controls in place to ensure that data is accessible only to the right and intended users. Data security, on the other hand, combines policies, methods, and means to secure data while at rest, in transit, and being processed. Data security ensures that the data remains available, consistent, complete, and valid. In order to ensure privacy and anonymity, data must be de-identified, rendering it useless in the hands of unintended users and platforms. As illustrated in the figure below, this can be achieved through pseudonymization and anonymization. The checklist provided below evaluates the provision of all the security controls on the data while at rest, in transit, or in processing.
...
No. | Question | Answer (YES/NO) | Instructions |
Data Security | |||
1 | Have technical measures been put in place to safeguard data security by validating input from users or other systems/applications via all interfaces? Describe | ||
2 | Is Critical / Confidential data secured while in storage or transmission by 256-bit or higher level of encryption? | ||
3 | Has the data/document been classified according to the data classification guideline/standard and marked with the right classification label? | ||
4 | Is the change of the classification labels restricted only to the security administrator? | ||
5 | Have passwords been securely stored via a strong one-way hash function of at least 256-bit? | ||
6 | Are there adequate controls to ensure customer data confidentiality and suppliers' liability is covered in case of breach of security and leakage of confidential customer-related information? | ||
7 | Has all third-party access been configured to use strong authentication? | ||
8 | Does the system provide an access control mechanism to be able to show which data entities/transactions any particular individual may read, modify, or execute (given a user ID) and conversely, which individuals may read, modify, or execute any given data entity/transaction? | ||
9 | Does the system provide the capability to create or modify different access control levels/roles (i.e. admin, developer, end-user) according to user privileges and user roles/job descriptions? | ||
Data Privacy | |||
1 | What data is being collected, processed, stored, or transferred (give examples)? | ||
2 | Is there a mechanism for collecting and storing consent to process the data? | ||
3 | Do you intend to process information regarding health status, ethnicity, race, biometrics, sexual orientation, or genetic data? | ||
4 | How long do you intend to store the data? Please share a data retention timeline. | ||
5 | How will you purge the data after the retention timeline has expired? Please share purging guidelines. | ||
6 | Are there any third parties involved in the process? Is there any existing agreement with the third party? | ||
7 | Is there justification for all sets of data being collected/processed? | ||
8 | Is the system configured to enforce the use of encrypted connections (e.g. TLS v1.3) by customers for services that transfer sensitive data? | ||
9 | Do all interfaces/Protocols that are exposed outside the security domain provide for encryption and authentication to guidelines and commercial best-practice standards? | ||
10 | Do encryption methods and algorithms conform to standards and use the latest versions of cryptographic libraries? | ||
11 | Is the system configured to store all security-sensitive information and personal data in an encrypted format or with the appropriate protection mechanisms? Describe | ||
12 | Is data used for system development and/or testing purposes depersonalized to differentiate from data located on the production system? | ||
13 | When media used by the system is to be disposed of or reused, are necessary measures taken to prevent any subsequent retrieval of personal data and other information stored? |
Application and Application programming interface (API) Security
Application security refers to the iterative process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. Application security extends to API security, which considers the embedment of security in the development and operation of APIs.
No. | Question | Answer (YES/NO) | Instructions |
1 | Has versioning been implemented for the API and the application? | ||
2 | Does the API and the application conform to the organization's set style and design guidelines such as formatting of headers for consistency? | ||
3 | Is every request to the API or web service authenticated? | ||
4 | Has MFA been implemented for externally facing APIs; e.g. use of a certificate as a second factor of authentication? | ||
5 | Is there an implementation for anti-brute force mechanisms on authentication endpoints such as account lock-outs, use of Max Retry, and jail features in Login? | ||
6 | Does the system implement JSON Web Token (JWT)? Has the below been checked? | ||
7 | Does the system implement OAuth 2.0? Ensure: | ||
8 | Does the deployment implement authorization mechanisms? | ||
9 | Do the issued authentication and authorization tokens have a set expiry time? | ||
10 | Does the response from the API call return only legitimate data and does not return excessive or sensitive data? | ||
11 | Have the verbose error messages been customized so as not to reveal too much information? | ||
12 | Is HTTPS implemented for the API and the applications? | ||
13 | Has a limit on how often a client can call the API within a defined timeframe been implemented? | ||
14 | Has a limit for the maximum size of data on all incoming parameters and payloads such as maximum length for strings and maximum number of elements in arrays been implemented? | ||
15 | Has the content-type for your response been enforced, i.e. if you return application/json, is the Content-Type response header application/json? | ||
16 | Has the limit for the number of returned records to prevent mass disclosure in case of injection been implemented? | ||
17 | Is there a validation, filtering, and sanitizing mechanism for all client-provided data, or other data coming from integrated systems? | ||
18 | Does the API or application log all failed authentication attempts, denied access, input validation errors, and rate limit errors? |
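Rows 10 and 13 to 18 describe request and response guardrails that sit in front of the business logic. The block below is an added example, not code from the OpenMRS REST module: it models a single search endpoint with a per-client rate limit, content-type enforcement, size limits on the raw body and on every string and array inside it, a cap on returned records, response shaping to the fields the client needs, and a security log entry for every rejection. The limits, the `POST /patient/search` endpoint, the `q` parameter and the in-memory patient list are assumptions chosen for the illustration.

```python
"""Request and response guardrails for a JSON API endpoint.

Added example, not code from the OpenMRS REST module. Limits, the search
endpoint and the in-memory patient list are assumptions chosen to illustrate
checklist rows 10 and 13 to 18.
"""
import json
import time
from collections import defaultdict, deque
from typing import Any, Dict, List, Optional, Tuple

MAX_BODY_BYTES = 64 * 1024            # row 14: payload size
MAX_STRING_LEN = 256                  # row 14: string length
MAX_ARRAY_LEN = 100                   # row 14: array elements
MAX_RECORDS = 50                      # row 16: cap on returned records
RATE_LIMIT, RATE_WINDOW = 20, 60.0    # row 13: requests per client per window

SECURITY_LOG: List[Dict[str, str]] = []   # row 18; a deployment forwards this to the SIEM
_windows: Dict[str, deque] = defaultdict(deque)

def log_event(kind: str, client: str, detail: str) -> None:
    SECURITY_LOG.append({"kind": kind, "client": client, "detail": detail})

def rate_limited(client: str, now: float) -> bool:
    """Sliding window: more than RATE_LIMIT requests in RATE_WINDOW seconds is rejected."""
    q = _windows[client]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        log_event("rate_limit", client, f"{len(q)} requests within {RATE_WINDOW}s")
        return True
    q.append(now)
    return False

def validate_value(value: Any, path: str = "$") -> List[str]:
    """Walk the decoded body and report strings or arrays beyond the limits."""
    errors: List[str] = []
    if isinstance(value, str) and len(value) > MAX_STRING_LEN:
        errors.append(f"{path}: string longer than {MAX_STRING_LEN}")
    elif isinstance(value, list):
        if len(value) > MAX_ARRAY_LEN:
            errors.append(f"{path}: array longer than {MAX_ARRAY_LEN}")
        for i, item in enumerate(value[:MAX_ARRAY_LEN]):
            errors += validate_value(item, f"{path}[{i}]")
    elif isinstance(value, dict):
        for key, item in value.items():
            errors += validate_value(item, f"{path}.{key}")
    return errors

# Constructed stand-in for the data store. The search returns only the fields
# the client needs (row 10), never the whole record.
PATIENTS = [{"id": i, "name": f"patient{i}", "dob": "1970-01-01"} for i in range(120)]

def search_patients(query: str) -> List[Dict[str, Any]]:
    return [{"id": p["id"], "name": p["name"]} for p in PATIENTS if query in p["name"]]

def handle_request(client: str, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[float] = None) -> Tuple[int, Dict[str, Any]]:
    """Return (HTTP status, JSON-serialisable response) for POST /patient/search."""
    now = time.time() if now is None else now
    if rate_limited(client, now):
        return 429, {"error": "too many requests"}
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":                          # row 15
        log_event("validation", client, f"unexpected content-type {media_type!r}")
        return 415, {"error": "expected application/json"}
    if len(raw_body) > MAX_BODY_BYTES:
        log_event("validation", client, f"body of {len(raw_body)} bytes exceeds limit")
        return 413, {"error": "payload too large"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        log_event("validation", client, "malformed JSON")
        return 400, {"error": "malformed request"}
    errors = validate_value(body)
    if errors:
        log_event("validation", client, "; ".join(errors))
        return 400, {"error": "invalid input"}                    # row 11: detail stays in the log
    query = body.get("q", "") if isinstance(body, dict) else ""
    results = search_patients(query)
    return 200, {"results": results[:MAX_RECORDS], "truncated": len(results) > MAX_RECORDS}
```

The order of the checks matters: the rate limit is evaluated first so that a flood of malformed requests still costs the client its quota, and the body is size-checked before it is parsed so the JSON decoder never sees an oversized payload. Error responses stay generic while `SECURITY_LOG` keeps the specific reason, which is the split rows 11 and 18 ask for.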
Access Control
Access control is a data security control process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensure appropriate levels of access are granted to users. The checklist below provides guidance for minimum baseline standards for controlling secure access to the platform.
No. | Question | Answer (YES/NO) | Instructions |
Password Policy | |||
1 | Are passwords stored hashed or in a one-way encrypted form that is inaccessible by all users? Only algorithms specifically designed for password storage shall be used. | ||
2 | Is the strength of passwords used with the operation and maintenance accounts system enforced? | ||
3 | Does the system allow for Secure Lightweight Directory Access Protocol (LDAP) authentication using either Microsoft Windows Active Directory or Oracle Identity Manager (IDM)? | ||
4 | Does the system provide a configurable mechanism as provided in the password standard (embedded below): | ||
5 | Is the password checking mechanism case sensitive? | ||
6 | Does the system force the user to enter their current password as well as their new password when carrying out a password change? | ||
7 | Does the system provide a password change confirmation procedure? | ||
8 | Are end users able to directly change their user passwords? | ||
Account Management | |||
1 | Are passwords changeable by the end user only after providing the current password, and by the system administrator (from the administration panel) without restriction? | ||
2 | Does the system provide the capability to lock/deactivate/suspend or delete certain accounts/userIDs either manually or automatically? | ||
3 | Does the system force users to reset initial passwords on the first login (i.e. the system should then force the initial password to be changed)? | ||
4 | Is there a use case for a shared account? Have the following mechanisms and processes been put in place: (a) restrict the ability to use a shared account to only those users who need it to perform their role; (b) remove the ability to use a shared account in a timely manner when users who have been authorized to use it change their role or leave the organization; (c) link the use of shared accounts to the user's identity at all times, with logging enabled to identify misuse; (d) require passwords to be a minimum of 14 characters long. | ||
5 | Does the system provide the capability to print a list of all possible access privileges, a specific user's access privileges and comparison tables between different userIDs? | ||
User Identification and Authentication | |||
1 | Does the system support Multi-factor authentication (such as two-factor authentication) in use for access to the system or classified sensitive data? | ||
2 | Are all users allocated a unique user ID for the sole use of the individual? | ||
3 | Is access to the logging system and data restricted to privileged accounts and user profiles (e.g. root, system administrator)? | ||
4 | Are all accounts/access profiles protected with a password? | ||
5 | Have all default accounts and credentials been changed or removed/disabled? | ||
6 | Is there a use case for functional accounts? Is there a documented and approved list of all human users accountable and responsible for the generic and functional accounts across the OS, DB, and application? | ||
System Log and Access Control | |||
1 | Does the system provide the capability to detect multiple logons from the same user ID and restrict users to one session at a time? | ||
2 | Is the number of unsuccessful log-on attempts limited to, at most, three attempts per session; afterwards the session will be terminated? | ||
3 | Does the system support automatic user locking after: i. A configurable period (for example 90 days) with no successful logins by a user and the user account is dormant ii. A configurable number of continuous unsuccessful log-on attempts targeting the same user account or originating from the same source IP address? | ||
4 | Is there a notice displayed indicating that only authorized users are allowed access to the system in accordance with any legal/corporate obligations? | ||
5 | Does the system require users to enter their passwords (after a certain period of inactivity/time-out to be defined and configured centrally) before the session can be restarted? |
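The password, account management and logon rows of this checklist, together with the Basic principles of authentication & authorization section earlier in the document, describe a small state machine that is easier to reason about in code than in prose. The block below is an added example, not OpenMRS project code: it implements the complexity rule, storage with scrypt (a KDF designed for password storage, as row 1 of the password policy requires) and a per-user salt, case-sensitive constant-time comparison, forced change of the initial password, administrator reset without the current password, lockout after three consecutive failures and locking of accounts dormant for 90 days. The 14-character minimum, the three-attempt limit and the 90-day period are taken from the checklist rows; the common-password set, the "three of four character classes" rule and the time representation (seconds since the epoch) are assumptions.

```python
"""Account controls from the password policy, account management and logon
rows of the checklist: complexity rules, salted hashing with a password KDF,
lockout after three consecutive failures, dormant-account locking after 90
days, and forced change of the initial password.

Added example, not OpenMRS project code. Thresholds follow the checklist rows
above; the common-password set is a constructed stand-in and time is passed in
as seconds since the epoch so the logic is deterministic.
"""
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 14                         # shared-account row (d)
MAX_FAILED = 3                          # system log and access control row 2
DORMANT_AFTER = 90 * 86400              # row 3(i), in seconds
COMMON_PASSWORDS = {"password", "welcome1", "openmrs", "changeme"}  # constructed

def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt is built for password storage; the random salt is stored with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)  # case-sensitive, constant-time (row 5)

class Account:
    def __init__(self, username: str, initial_password: str, now: float):
        problems = check_policy(initial_password)
        if problems:
            raise ValueError(", ".join(problems))
        self.username = username
        self.password_hash = hash_password(initial_password)
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = now        # account creation counts as activity
        self.must_change = True         # account management row 3

    def login(self, password: str, now: float) -> str:
        if self.locked:
            return "locked"
        if now - self.last_activity > DORMANT_AFTER:
            self.locked = True
            return "locked_dormant"
        if not verify_password(password, self.password_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED:
                self.locked = True
                return "locked"
            return "failed"
        self.failed_attempts = 0
        self.last_activity = now
        return "change_required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        # Password policy row 6: the current password is required for a change.
        if not verify_password(current, self.password_hash):
            return False
        if check_policy(new) or verify_password(new, self.password_hash):
            return False                # policy violation, or reuse of the current password
        self.password_hash = hash_password(new)
        self.must_change = False
        return True

    def admin_reset(self, new: str) -> None:
        # Account management row 1: the administrator resets without the current
        # password; the user must then change it at the next login.
        self.password_hash = hash_password(new)
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True
```

Two details are easy to get wrong and worth checking in any real implementation: the failure counter resets only on a successful login, so three bad attempts spread across sessions still lock the account, and a dormant account is locked on the next attempt even when the supplied password is correct, so a stale credential cannot be used to revive it.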
Info: For more detailed content, see the section Sample Security Guidance & Policy Documents.