Security and Confidentiality
Configuring HTTPS
You must set up HTTPS for your OpenMRS system. How you set up your site security certificate depends on whether you have an internet connection. See the section on HTTPS Setup Options for this.
Access and role management
Please see…
Change Default Passwords
One critical MUST-DO for any OpenMRS Implementation: Ensure no default passwords are in use (such as “Admin123”).
This is true for multiple layers of the system:
from user login credentials in the UI,
to any database (e.g. tomcat),
and any web server, container, and/or servlets you are using in production.
Many standard database and server tools come with default passwords - ensure these are changed to unique, secure passwords.
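One way to check for leftover defaults across those layers is to audit the configuration files offline. The script below is an added example, not OpenMRS project code. It assumes a Java .properties file with username/password key pairs and a Tomcat tomcat-users.xml. Every password in the list other than "Admin123" is an assumed common default, and all sample data is constructed.

```python
import xml.etree.ElementTree as ET

# "Admin123" is the default named on this page; the other entries are
# assumed common defaults. Extend the set for the tools in your own stack.
DEFAULT_PASSWORDS = {"admin123", "admin", "password", "tomcat", "changeit", "root", ""}

def is_default(password, username=""):
    """True if the password is a known default, empty, or equal to the username."""
    p = password.strip().lower()
    return p in DEFAULT_PASSWORDS or (bool(username) and p == username.strip().lower())

def audit_properties(text):
    """Return the '*password' keys of a .properties file that hold a default value."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    findings = []
    for key, value in entries.items():
        if key.lower().endswith("password"):
            # Pair e.g. connection.password with connection.username
            user = entries.get(key[:-len("password")] + "username", "")
            if is_default(value, user):
                findings.append(key)
    return findings

def audit_tomcat_users(xml_text):
    """Return usernames in a tomcat-users.xml document that use a default password."""
    flagged = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "user":  # strip the XML namespace, if any
            if is_default(el.get("password", ""), el.get("username", "")):
                flagged.append(el.get("username"))
    return flagged

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_PROPS = """# runtime properties (constructed)
connection.username=openmrs_user
connection.password=Admin123
"""
SAMPLE_TOMCAT = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="k7#Vq9!zTf2w" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    print("properties:", audit_properties(SAMPLE_PROPS))
    print("tomcat users:", audit_tomcat_users(SAMPLE_TOMCAT))
```

Run it against copies of your own configuration files and treat any reported key or username as a credential to rotate before going to production.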
Additional Resources
Additional Community Guidance is available:
NOTE: We also recommend that OpenMRS community members, especially implementers, familiarize themselves with the following highly-recommended resources:
Secure development principles - National Cyber Security Centre