Securing an OpenMRS Implementation

One critical MUST-DO for any OpenMRS Implementation: Ensure no default passwords are in use (such as “Admin123”).

This is true for everything from user login credentials in the UI, through to any database, web server, container, and/or servlets you are using in production. Even standard database and server tools often come with default passwords - ensure these are changed to unique, secure passwords.

This section of the wiki contains recommendations for how to secure an OpenMRS installation beyond what is provided by the application itself.

Sections contained within this Wiki area:

Strongly Recommended Resources

NOTE: We also recommend that OpenMRS community members, especially implementers, familiarize themselves with the following highly-recommended resources:

OWASP Top 10
Secure development principles - National Cyber Security Centre
NIST Cybersecurity Standards
SOC2 Audit Guide