Best Practices and Security Considerations Document
This document outlines the Minimum Baseline Security Standard (MBSS) where the core security principles and best practices tailored specifically for OpenMRS implementations are defined. It covers essential areas including network security, server hardening, data protection, authentication and authorization.
This work was contributed by IntelliSOFT Consulting Ltd. in September 2024 thanks to a generous grant from Digital Square for CyberSecurity improvement work, organized by OpenMRS Inc.
Abbreviation/Acronym | Definition |
--- | --- |
AAA | Authentication, Authorization, and Accounting |
API | Application Programming Interface |
DNS | Domain Name System |
HTTP | Hypertext Transfer Protocol |
HTTPS | Hypertext Transfer Protocol Secure |
NTP | Network Time Protocol |
REST | Representational State Transfer |
SOAP | Simple Object Access Protocol |
TTL | Time-to-Live |
TLS | Transport Layer Security |
JWT | JSON Web Token |
LDAP | Lightweight Directory Access Protocol |
Introduction
With the increasing number of systems, services, and integrations that organizations implementing OpenMRS continue to deploy within their environments, a minimum security baseline must be defined to ensure that all services meet a minimum level of assurance and that none of them poses a threat to the system or network, thereby affecting the availability of the OpenMRS services. The minimum baseline standards provide a point of reference for all stakeholders interacting with the platform, allowing system developers, administrators and integrators to incorporate security measures by design in the implementation of the OpenMRS system.
The minimum baseline standard lays the guardrails for incorporating the three fundamental principles of information security in the implementation of the OpenMRS system as defined below:
Confidentiality: Protecting sensitive information from unauthorized access, disclosure, or misuse. This ensures that only those with legitimate business needs can view or use data.
Integrity: Maintaining the accuracy and completeness of information. This prevents data from being modified, destroyed, or corrupted.
Availability: Ensuring that information and systems are accessible when needed. This prevents disruptions to business operations due to system failure or cyberattacks.
The document addresses different areas of interest in the implementation of the OpenMRS system including:
Operating Systems and Platform Configurations
System Security Architecture
Accountability
Access Control
Data Security and Privacy
Third-Party Security
Application and API Security
Scope Questionnaire
The scope questionnaire allows the end user of the minimum baseline standards and the policy administrators to effectively determine the boundaries of application of the standards based on the deployment environment, the service being integrated and/or the implementing parties.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Does the project process, store, and/or transfer personal data, sensitive or confidential data? | | Please also answer the Data Privacy and Data Protection worksheets |
2 | Does the solution provide or access an API(s) either internally or externally using HTTP-based interfaces such as SOAP, REST, or JSON? | | Please also answer the Application and API worksheet |
3 | Is the solution partially or fully hosted in a cloud? | | |
4 | Is any 3rd party company involved in one or more of the following activities: | | |
Secure Network and Physical Environment
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Has the hosting server(s) been secured in a locked rack or an area with restricted access? | ||
2 | Has all the non-removable media been configured with file systems with access controls enabled? | ||
3 | Has the server(s) been set up in an environment with appropriately restricted network access? | ||
4 | Has the server(s) been set up to display a trespassing banner at login? | ||
Patching/Server Maintenance
System Hardening Features
System hardening is the practice of reducing a system's vulnerability by reducing its attack surface: it removes the pathways, or attack vectors, that attackers would otherwise use.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Have all system components (OS, DB, applications, network devices) been hardened according to specified guidelines as well as specifications provided by the product manufacturer? | ||
2 | Have all servers and applications been configured to disable/prevent host-based trust access from other hosts and systems (such as the use of .rhosts and .shosts on UNIX)? | ||
3 | Have all software (OS, application, DB) packages and modules not required for this system been deactivated and removed (where possible) from the system? | ||
4 | Has an account been created with adequate permissions (e.g. with sudo rights) to facilitate continuous compliance scans on all system components, even after go-live? | ||
Patch Management and Vulnerability Reporting
The patch and vulnerability management program (PVMG) outlines the requirements for keeping the organization’s systems updated with the most current versions of their software. PVMG ensures that the organization installs remediation patches for known vulnerabilities and exposures.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Is the most recent version in use with the latest security patches/service packs applied across all components? | ||
2 | Have all patch and non-patch vulnerabilities been tested and remediated before the system go-live? | ||
3 | Has an exhaustive list of all the installed security patches and modifications been provided? | ||
4 | Does the supplier/vendor support the provision of Security patches for any Critical or high-risk vulnerabilities within 30 days of notification? | ||
5 | Is there a documented maintenance process to keep applications and operating systems at the latest practical patch levels? Where is it documented? ___________________________________ | ||
6 | Is there a documented maintenance process that includes a reasonable timetable for the routine application of patches and patch clusters (service packs and patch rollups)? | ||
7 | Is there a process to inventory the current level of patches specific to this server? | ||
8 | Is there a process for monitoring patch installation failures? | ||
Security Logging
Logging refers to the practice of collecting events on security-related activities, such as user authentication, access control, and intrusion detection. The logs are essential for identifying and investigating potential security breaches, which may affect the availability, integrity, and confidentiality of information systems.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Is the server configured with appropriate real-time OS/application logging turned on? | ||
2 | Does the system provide the capability to automatically forward audit logs to an external SIEM solution? | ||
3 | Has the integration to the monitoring platform/SIEM been configured and working? | ||
4 | Has the logging configuration been configured to include the following: | ||
5 | Has the right timestamp for logging been configured? | ||
6 | Have the security log files been protected against manual modification, even by the superuser, and have the methods applied been documented? | ||
7 | Has access to audit logs been safeguarded to prevent any possible misuse or compromise? Describe how this has been achieved. |
System Integrity Controls
To ensure that the system functions as it was designed to operate, system security must be configured so that there is no interference with its configuration or operation.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Have configurations to restrict changes to startup procedures been implemented? | ||
2 | Have all the unused services been disabled? | ||
3 | Has anti-virus software been installed on the hosting server? | ||
4 | Has the server been configured behind the firewall/IPS? | ||
5 | Has the server been added to AAA servers? | ||
6 | If available, has the hardware-based system integrity control been enabled? | ||
7 | Has the authoritative source for NTP been configured? | ||
8 | Has the authoritative source for DNS been configured? |
Vulnerability Assessment
This is the process through which the organization assesses its information security system for security weaknesses. Vulnerability assessment allows the organization to discover and remediate the identified vulnerabilities before taking the systems, platform, or application to production.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Has a pre-production configuration or vulnerability assessment been performed on the server and its services? | ||
2 | Has a copy of the configuration and/or vulnerability assessment reports produced at the initial server configuration been retained for possible future use by the ISO? | ||
3 | Has the implementation ensured a passage for the vulnerability scanners? | ||
4 | Has the vulnerability assessment report been reviewed by the security and risk team and documented for future reference? |
Backup, Restore, and Business Continuity
Backup is the process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. Backups, restoration, and business continuity ensure that the organization continues to provide services even when its primary production site is unavailable.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Is there a definition of the backup plan according to the following four types of data: | ||
2 | Has the backup for the operational and mission-critical data been configured? | ||
3 | Has backup for all servers with operation critical data been documented? | ||
4 | Does the backup documentation include system and application restoration (including configurations) and data restoration procedures to support business continuity and disaster recovery planning? | ||
5 | Has a specific account been defined for backup and restore actions on the system, especially on database servers, with rights restricted to only the required actions (backup and restore)? | ||
6 | Have all the backup / restore actions been restricted to a specific server with an account dedicated to this action? | ||
7 | Have passwords and login used for the backup/restore server been stored securely and encrypted while in transit? | ||
8 | Restoration backups are logically accessible | ||
9 | Measures to transmit server back-ups securely have been put into place. | ||
10 | Back-up media is compliant with the Portable Media Security Standard | ||
11 | Are the mechanisms to protect the system against attacks described including how the system restricts access during an attack or system failure? |
Data Security and Privacy
Data privacy involves ensuring the proper usage, collection, retention, deletion, and storage of data. It involves putting in place administrative and logical controls to ensure that data is only accessible to the right and intended users. Data security, on the other hand, combines policies, methods, and means to secure data while at rest, in processing, and in transit. Data security ensures that the data remains available, consistent, complete, and valid. To ensure privacy and anonymity, data must be de-identified, rendering it useless in the hands of unintended users and platforms. As illustrated in the figure below, this can be achieved through pseudonymization and anonymization. The checklist provided below evaluates the provision of all the security controls on the data while at rest, in transit, or in processing.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
Data Security | |||
1 | Have technical measures been put in place to safeguard data security by validating input from users or other systems/applications via all interfaces? Describe | ||
2 | Is Critical / Confidential data secured while in storage or transmission by 256-bit or higher level of encryption? | ||
3 | Has the data/document been classified according to the data classification guideline/standard and marked with the right classification label? | ||
4 | Is the change of the classification labels restricted only to the security administrator? | ||
5 | Have passwords been securely stored via a strong one-way hash function of at least 256-bit? | ||
6 | Are there adequate controls to ensure customer data confidentiality and suppliers' liability is covered in case of breach of security and leakage of confidential customer-related information? | ||
7 | Has all third-party access been configured to use strong authentication? | ||
8 | Does the system provide an access control mechanism to be able to show which data entities/transactions any particular individual may read, modify, or execute (given a user ID) and conversely, which individuals may read, modify, or execute any given data entity/transaction? | ||
9 | Does the system provide the capability to create or modify different access control levels/roles (i.e. admin, developer, end-user) according to user privileges and user roles/job descriptions? | ||
Data Privacy | |||
1 | What data is being collected, processed, stored, or transferred? (Give examples.) | ||
2 | Is there a mechanism for collecting and storing consent to process the data? | ||
3 | Do you intend to process information regarding health status, ethnicity, race, biometrics, sexual orientation, or genetic data? | ||
4 | How long do you intend to store the data? Please share a data retention timeline. | ||
5 | How will you purge the data after the retention timeline has expired? Please share purging guidelines. | ||
6 | Are there any third parties involved in the process? Is there any existing agreement with the third party? | ||
7 | Is there justification for all sets of data being collected/processed? | ||
8 | Is the system configured to enforce the use of encrypted connections (e.g. TLS v1.3) by customers for services that transfer sensitive data? | ||
9 | Do all interfaces/Protocols that are exposed outside the security domain provide for encryption and authentication to guidelines and commercial best-practice standards? | ||
10 | Do encryption methods and algorithms conform to standards and use the latest versions of cryptographic libraries? | ||
11 | Is the system configured to store all security-sensitive information and personal data in an encrypted format or with the appropriate protection mechanisms? Describe | ||
12 | Is data used for system development and/or testing purposes depersonalized to differentiate from data located on the production system? | ||
13 | When media used by the system is to be disposed of or reused, are necessary measures taken to prevent any subsequent retrieval of personal data and other information stored? |
Application and Application Programming Interface (API) Security
Application security refers to the iterative process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. Application security extends to API security, which concerns the embedding of security in the development and operation of APIs.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
1 | Has versioning been implemented for the API and the application? | ||
2 | Does the API and the application conform to the organization's set style and design guidelines such as formatting of headers for consistency? | ||
3 | Is every request to the API or web service authenticated? | ||
4 | Has MFA been implemented for externally facing APIs; e.g. use of a certificate as a second factor of authentication? | ||
5 | Is there an implementation for anti-brute force mechanisms on authentication endpoints such as account lock-outs, use of Max Retry, and jail features in Login? | ||
6 | Does the system implement JSON Web Token (JWT)? Has the below been checked: | ||
7 | Does the system implement OAuth 2.0? Ensure: | ||
8 | Does the deployment implement authorization mechanisms? | ||
9 | Do the issued authentication and authorization tokens have a set expiry time? | ||
10 | Does the response from the API call return only legitimate data, and not excessive or sensitive data? | ||
11 | Have the verbose error messages been customized so as not to reveal too much information? | ||
12 | Is HTTPS implemented for the API and the applications? | ||
13 | Has a limit on how often a client can call the API within a defined timeframe been implemented? | ||
14 | Has a limit for the maximum size of data on all incoming parameters and payloads such as maximum length for strings and maximum number of elements in arrays been implemented? | ||
15 | Has the content-type of your response been enforced, i.e. if you return application/json, is the content-type of your response application/json? | ||
16 | Has the limit for the number of returned records to prevent mass disclosure in case of injection been implemented? | ||
17 | Is there a validation, filtering, and sanitizing mechanism for all client-provided data, or other data coming from integrated systems? | ||
18 | Does the API or application log all failed authentication attempts, denied access, input validation errors, and rate limit errors? |
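The following is an added example (not OpenMRS code) of a request guard that applies several items from the checklist above in one place: a per-client call limit within a time window (item 13), maximum payload size, string length and array size (item 14), a fixed JSON content-type on every response (item 15), a cap on returned records (item 16), generic error messages (item 11) and logging of rate-limit and input validation errors (item 18). The limit values, the `handle_request` interface and the logger name are assumptions made for the example.

```python
import json
import logging
import time
from collections import deque

log = logging.getLogger("api_guard")   # assumed logger name
MAX_BODY_BYTES = 4096                  # item 14: payload size (assumed value)
MAX_STRING_LEN = 256                   # item 14: string length (assumed value)
MAX_ARRAY_ITEMS = 50                   # item 14: array size (assumed value)
MAX_RECORDS = 100                      # item 16: records per response (assumed value)
RATE_LIMIT = 5                         # item 13: calls per client per window (assumed)
WINDOW_SECONDS = 60

class RateLimiter:
    """Sliding-window call counter keyed by client identifier."""
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.calls = {}  # client id -> deque of accepted call timestamps

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        q = self.calls.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def check_limits(value):
    """Recursively enforce string-length and array-size limits on decoded JSON."""
    if isinstance(value, str) and len(value) > MAX_STRING_LEN:
        raise ValueError("string too long")
    if isinstance(value, list):
        if len(value) > MAX_ARRAY_ITEMS:
            raise ValueError("array too large")
        for item in value:
            check_limits(item)
    if isinstance(value, dict):
        for key, item in value.items():
            check_limits(key)
            check_limits(item)

def respond(status, obj):
    """Every response declares the JSON content-type it actually returns (item 15)."""
    return status, {"Content-Type": "application/json"}, json.dumps(obj)

def handle_request(limiter, client, body_bytes, handler, now=None):
    """Validate one request, then cap the handler's records. Returns (status, headers, body)."""
    if not limiter.allow(client, now):
        log.warning("rate limit exceeded client=%s", client)          # item 18
        return respond(429, {"error": "too many requests"})
    if len(body_bytes) > MAX_BODY_BYTES:
        log.warning("payload too large client=%s size=%d", client, len(body_bytes))
        return respond(413, {"error": "payload too large"})
    try:
        payload = json.loads(body_bytes)
        check_limits(payload)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        log.warning("input validation error client=%s reason=%s", client, exc)
        return respond(400, {"error": "invalid request"})             # no detail leaked (item 11)
    records = handler(payload)
    return respond(200, {"records": records[:MAX_RECORDS], "truncated": len(records) > MAX_RECORDS})
```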
Access Control
Access control is a data security control process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensure appropriate levels of access are granted to users. The checklist below provides guidance for minimum baseline standards for controlling secure access to the platform.
No. | Question | Answer (YES/NO) | Instructions |
--- | --- | --- | --- |
Password Policy | |||
1 | Are passwords stored hashed or in a one-way encrypted form that is inaccessible by all users? Only algorithms specifically designed for password storage shall be used. | ||
2 | Is the strength of passwords used with the operation and maintenance accounts system enforced? | ||
3 | Does the system allow for Secure Lightweight Directory Access Protocol (LDAP) authentication using either Microsoft Windows Active Directory or Oracle Identity Manager (IDM)? | ||
4 | Does the system provide a configurable mechanism as provided in the password standard (embedded below): | ||
5 | Is the password checking mechanism case sensitive? | ||
6 | Does the system force the user to enter their current password as well as their new password when carrying out a password change? | ||
7 | Does the system provide a password change confirmation procedure? | ||
8 | Are end users able to directly change their user passwords? | ||
Account Management | |||
1 | Are passwords changeable by the end user only after providing the current password, and by the system administrator (from the administration panel) without restriction? | ||
2 | Does the system provide the capability to lock/deactivate/suspend or delete certain accounts/userIDs either manually or automatically? | ||
3 | Does the system force users to reset initial passwords on first login, i.e. does the system force the initial password to be changed? | ||
4 | Is there a use case for a shared account? Have the mechanisms and processes below been put in place: a) restrict the ability to use a shared account to only those users who need it to perform their role; b) remove the ability to use a shared account in a timely manner when users who have been authorized to use it change their role or leave the organization; c) the use of shared accounts must be linked to the user's identity at all times, with logging enabled to identify misuse; d) passwords must be a minimum of 14 characters long. | ||
5 | Does the system provide the capability to print a list of all possible access privileges, a specific user's access privileges and comparison tables between different userIDs? | ||
User Identification and Authentication | |||
1 | Does the system support Multi-factor authentication (such as two-factor authentication) in use for access to the system or classified sensitive data? | ||
2 | Are all users allocated a unique user ID for the sole use of the individual? | ||
3 | Is access to the logging system and data restricted to privileged accounts and user profiles (e.g. root, system administrator)? | ||
4 | Are all accounts/access profiles protected with a password? | ||
5 | All default accounts and credentials must be changed or removed/disabled | ||
6 | Is there a use case for functional accounts? Is there a documented and approved list of all human users accountable and responsible for the generic and functional accounts across the OS, DB, and application | ||
System Log and Access Control | |||
1 | Does the system provide the capability to detect multiple logons from the same user ID and restrict users to one session at a time? | ||
2 | Is the number of unsuccessful log-on attempts limited to, at most, three attempts per session; afterwards the session will be terminated? | ||
3 | Does the system support automatic user locking after: i. A configurable period (for example 90 days) with no successful logins by a user and the user account is dormant ii. A configurable number of continuous unsuccessful log-on attempts targeting the same user account or originating from the same source IP address? | ||
4 | Is there a notice displayed indicating that only authorized users are allowed access to the system in accordance with any legal/corporate obligations? | ||
5 | Does the system require users to enter their passwords (after a certain period of inactivity/time-out to be defined and configured centrally) before the session can be restarted? |
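As an added illustration (not OpenMRS code) of how several of the access-control items above fit together, the account store below keeps passwords only as salted scrypt digests (Password Policy item 1, using a function designed for password storage), requires the current password for a user-initiated change while allowing an administrator reset without it (Account Management item 1), forces a change of the initial password on first login (item 3), locks the account after three consecutive failed logons (System Log and Access Control item 2) and after 90 days without a successful login (item 3). The 3-attempt, 90-day and 14-character values come from the checklist; the class layout, method names and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 3          # checklist: at most three unsuccessful attempts
DORMANT_SECONDS = 90 * 24 * 3600  # checklist example: 90 days without a successful login
MIN_PASSWORD_LEN = 14             # checklist: minimum of 14 characters

def hash_password(password, salt=None):
    """Salted scrypt digest; scrypt is a memory-hard function designed for passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

class AccountStore:
    def __init__(self, clock=time.time):   # clock is injectable so dormancy can be tested
        self.accounts = {}
        self.clock = clock

    def create(self, user_id, initial_password):
        salt, digest = hash_password(initial_password)
        self.accounts[user_id] = {"salt": salt, "digest": digest, "failed": 0,
                                  "locked": False, "must_change": True,
                                  "last_login": self.clock()}

    def _verify(self, acct, password):
        _, digest = hash_password(password, acct["salt"])
        return hmac.compare_digest(digest, acct["digest"])   # constant-time comparison

    def login(self, user_id, password):
        """Returns 'ok', 'change_required', 'locked' or 'denied'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"                      # same answer as a wrong password
        if acct["locked"] or self.clock() - acct["last_login"] > DORMANT_SECONDS:
            acct["locked"] = True                # dormant accounts are locked automatically
            return "locked"
        if not self._verify(acct, password):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked"] = True
                return "locked"
            return "denied"
        acct["failed"] = 0
        acct["last_login"] = self.clock()
        return "change_required" if acct["must_change"] else "ok"

    def change_password(self, user_id, current, new):
        """End-user change: the current password is required and the new one must be long enough."""
        acct = self.accounts.get(user_id)
        if acct is None or acct["locked"] or not self._verify(acct, current):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == current:
            return False
        acct["salt"], acct["digest"] = hash_password(new)
        acct["must_change"] = False
        return True

    def admin_reset(self, user_id, new):
        """Administrator reset: no current password needed, but the next login must change it."""
        acct = self.accounts[user_id]
        acct["salt"], acct["digest"] = hash_password(new)
        acct.update(failed=0, locked=False, must_change=True, last_login=self.clock())
```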
For more detailed content, see the section Sample Security Guidance & Policy Documents