Most EMR providers (both commercial and OpenEMR) talk about receiving faxes for their EMR from an eFAX service. There are two significant problems with this. eFAX services can get expensive if you have high volume Faxing as many physician offices have. And, most important, eFAX services send fax via email in a non-encrypted manner -- huge HIPAA issue!
What I would like to do in my office, is something that I think most offices would need/want to do:
I would like to have a linux box with Hylafax installed and connected to a modem to receive Faxes over the telephone line. Then, have this linux box send faxes to and from OpenEMR over the internet hosted in the cloud. And, of course, do this in an encrypted manner.
After review of Rod's Fax code, it looks like OpenEMR does not really fully support this. It looks like it only fully supports Hylafax if it is on the same server that OpenEMR is on. Let me know if I am wrong!
The current code does allow you to access a remote host with the FAXSTAT command. However, it does not do this with the SENDFAX command. Therefore, you can send to a remote host but not receive. Also, you will need to figure out what ports FAXSTAT uses so that you can open them on your router.
Additionally, the current code accesses the fax images from local directories an not remote ones. I guess that you could create NFS mounts/shared directories to access the directories on a remote server, but then this adds a lot of complicated work that could be avoided if the feature were built in to OpenEMR.
I would like to get feedback about the viability of my proposal on how I would implement this.
There are a couple of possible approaches that I could take. The following one is the easiest:
(1) Communicate with the Fax server via SSH protocol.
(2) Transfer files via sFTP.
This has the advantages of allowing you to directly communicate with the fax server in an encrypted manner and that we would not have to do any big changes to the current code.
(4) Rather than worrying about creating remote mounts, we can access the remote Hylafax directories (that contain the FAX images) by sending and receiving files using the PHP command ssh2_sftp (See: http://php.net/manual/en/function.ssh2-sftp.php.)
What do people think about this?
Is SSH a realistic option? Are there security issues with allowing SSH access from OpenEMR to the remote linux box? Will it be OK to open the SSH ports to the router? Should SSH be routed via a nonstandard SSH port in case other machines in the office need to be accessed via SSH?
Is sFTP a secure method for transferring files? Or, should FTP with SSL be used?
David Eschelbacher MD
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The approach I'd suggest is to write a "web service" application at the fax server end, and access it from OpenEMR via HTTPS using the PHP cURL functions. This would be a clean method using existing protocols, not anything that a router or ISP might be blocking. I'm using this method with another project. You'll need to add some sort of password checking or other authentication of the client.
By the way Kevin's Computerworld article is a serious reminder to be very careful in following HIPAA privacy rules. No doubt the feds are going to raise a lot of money like this.
I do find your articles interested, but not really relevant or useful for my post.
(1) Professionals Are Better -- I find this condescending
I say "not necessarily all of the time". In your article, the security hole was due to a flaw in the network managed by "professionals" at Columbia U and NY Presbyterian. If it was an issue of just an error in one computer, there probably would not have been a fine, but it was a system problem. "neither CU nor NYP had implemented adequate security protections". So, are you saying that amateurs at CU and NYP were creating their network?
How many vendors use insecure eFAX to send FAX images to EMRs? Well, hate to burst your bubble, but many commercial vendors and a few OpenEMR vendors follow this model. These are "professionals".
(2) SSL Weaknesses
I prefer not to use SSL. I prefer to use sFTP over using FTP with SSL. Therefore, based on your comment, is sFTP, which is based on SSH protocol better than SSL. I would like an answer to the question if both are equally adequate for security, or is one better than the other and why.
Doesn't OpenEMR use SSL for security, and many other websites for that matter? Therefore, it can't be too bad. Based on your article, should we not use SSL for OpenEMR? What alternative do we have?
I would love for you to address my post. I know that you have the knowledge and expertise for constructive feedback, but your responses did not do this. I also acknowledge that your computer knowledge blows mine away, I would be so much in your debt if you shared some of it with me.
David Eschelbacher MD
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Your proposal sounds very interesting. It is a little more complicated than I was proposing, and involves more research and learning on my part in regards to how to use cURL and create a web service application.
I looked at PHP.net for some curl examples, but they were not specific enough.
Do you know of any sample code on the top of your head that you could point me to?
Is the project that you are working on related to OpenEMR?
David Eschelbacher MD
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
On the web, I found a lot of examples of how to use cURL and send authentication with cURL (which I call the "client" end). I like your suggestion to communicate with json.
Most of the samples on the web and your sample deal with the "client" end and not on the "server" end -- the part that processes the cURL request from the remote website.
I think that I can figure out how to process the post.
However, the part that I am having trouble with is how to implement SSL security.
Do you have any code samples and suggestions about how to handle the security via PHP on the "server" end? Can this be done in a simple manner?
David
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi David, you can configure the web server (e.g. Apache) to take care of SSL (HTTPS). No programming required. You'll need a domain/host name, and then you can buy a cheap commercial certificate from some place like namecheap.com. Certificate vendors will generally provide instructions for various web servers.
EDIT: That gets you encryption. For authentication the easy thing to do is include a username and password along with the other POST variables in the request. As long as you're using SSL they will not be subject to snooping. You could also configure Apache to accept only IP addresses that you know are entitled to access the server.
I am already familiar with configuring Apache and getting an SSL certificate (because I have already done this.)
Thanks for the link to namecheap.com -- it looks like they have extremely competitive pricing on certificates. Does it matter where I get the certificate from?
I thought that I needed to do something with the PHP code to ensure security. I did not realize that the web browser/server handles this automatically (as long as web server is configured for such.)
If you pass a url to the PHP cURL function that starts with "http://", my guess is that it won't be encrypted, right?
But, if you pass a url to the PHP cURL function that starts with "https://", then everything is encrypted automatically. Is this correct?
I am also curious, if Apache is not configured to activate SSL and it gets a URL that starts with "https://", does it reject it, or does it process it in a non-encrypted manner?
David
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If all you do is implement HTTPS for your system it certainly won't be HIPAA compliant, as HTTPS only handles the "transport layer," which is a necessary, but not sufficient piece of the security puzzle.
This HTTPS/cURL protocol is exactly what the "Off-site" portal uses for communications. However, the initial implementation of it's SOAP interface allowed arbitrary execution of queries which would have been a serious liability if Brady had not recognized the vulnerability as part of code review.
Proper security is not simply a "check list" of protocols.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Kevin I don't think anyone is trying to ignore HIPAA requirements, it's just that David is still figuring out the underlying tools and methods. I agree it will be interesting to get into the HIPAA stuff, and like to encourage users to write code and thereby better understand what's going on.
But I'm glad you mentioned the risks of web services. Note that I recommended offering them from the fax server side, not the OpenEMR side. Better, I think, for the "less sensitive" system to be accepting connections from the outside world.
My comment is a specific example regarding David's query:
I thought that I needed to do something with the PHP code to ensure security. I did not realize that the web browser/server handles this automatically (as long as web server is configured for such.)
Was not properly addressed in the past. Lots needs to be done with PHP code to ensure security, and even professionals are getting it wrong sometimes.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Most EMR providers (both commercial and OpenEMR) talk about receiving faxes for their EMR from an eFAX service. There are two significant problems with this. eFAX services can get expensive if you have high volume Faxing as many physician offices have. And, most important, eFAX services send fax via email in a non-encrypted manner -- huge HIPAA issue!
What I would like to do in my office, is something that I think most offices would need/want to do:
I would like to have a linux box with Hylafax installed and connected to a modem to receive Faxes over the telephone line. Then, have this linux box send faxes to and from OpenEMR over the internet hosted in the cloud. And, of course, do this in an encrypted manner.
After review of Rod's Fax code, it looks like OpenEMR does not really fully support this. It looks like it only fully supports Hylafax if it is on the same server that OpenEMR is on. Let me know if I am wrong!
The current code does allow you to access a remote host with the FAXSTAT command. However, it does not do this with the SENDFAX command. Therefore, you can send to a remote host but not receive. Also, you will need to figure out what ports FAXSTAT uses so that you can open them on your router.
Additionally, the current code accesses the fax images from local directories an not remote ones. I guess that you could create NFS mounts/shared directories to access the directories on a remote server, but then this adds a lot of complicated work that could be avoided if the feature were built in to OpenEMR.
I would like to get feedback about the viability of my proposal on how I would implement this.
There are a couple of possible approaches that I could take. The following one is the easiest:
(1) Communicate with the Fax server via SSH protocol.
(2) Transfer files via sFTP.
This has the advantages of allowing you to directly communicate with the fax server in an encrypted manner and that we would not have to do any big changes to the current code.
(3) If the server is remote, access it using the PHP commend ssh2_exec. (Currently, it uses the PHP command exec.) See: http://php.net/manual/en/function.ssh2-exec.php.
(4) Rather than worrying about creating remote mounts, we can access the remote Hylafax directories (that contain the FAX images) by sending and receiving files using the PHP command ssh2_sftp (See: http://php.net/manual/en/function.ssh2-sftp.php.)
What do people think about this?
Is SSH a realistic option? Are there security issues with allowing SSH access from OpenEMR to the remote linux box? Will it be OK to open the SSH ports to the router? Should SSH be routed via a nonstandard SSH port in case other machines in the office need to be accessed via SSH?
Is sFTP a secure method for transferring files? Or, should FTP with SSL be used?
David Eschelbacher MD
SFTP is the same as FTP through and SSH tunnel.
That said: please consider this article.
http://www.computerworld.com/s/article/9248205/IT_malpractice_Doc_operates_on_server_costs_hospitals_4.8M
And think about hiring a professional rather than trying to roll your own security.
And more food for thought:
SSL one of the mechanisms you are considering using has already been cracked
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
I could continue to run through TLA jargon, but I don't think that would provide sufficient education.
this site seems helpful for further TLA concerns:
https://www.howsmyssl.com/
Thanks for the quick diagnostic.
It's no longer possible to check in Firefox, Preferences.
Last edit: fsgl 2014-05-12
The approach I'd suggest is to write a "web service" application at the fax server end, and access it from OpenEMR via HTTPS using the PHP cURL functions. This would be a clean method using existing protocols, not anything that a router or ISP might be blocking. I'm using this method with another project. You'll need to add some sort of password checking or other authentication of the client.
By the way Kevin's Computerworld article is a serious reminder to be very careful in following HIPAA privacy rules. No doubt the feds are going to raise a lot of money like this.
Rod
http://www.sunsetsystems.com/
Re: Kevin's Comments
I do find your articles interested, but not really relevant or useful for my post.
(1) Professionals Are Better -- I find this condescending
I say "not necessarily all of the time". In your article, the security hole was due to a flaw in the network managed by "professionals" at Columbia U and NY Presbyterian. If it was an issue of just an error in one computer, there probably would not have been a fine, but it was a system problem. "neither CU nor NYP had implemented adequate security protections". So, are you saying that amateurs at CU and NYP were creating their network?
How many vendors use insecure eFAX to send FAX images to EMRs? Well, hate to burst your bubble, but many commercial vendors and a few OpenEMR vendors follow this model. These are "professionals".
(2) SSL Weaknesses
I prefer not to use SSL. I prefer to use sFTP over using FTP with SSL. Therefore, based on your comment, is sFTP, which is based on SSH protocol better than SSL. I would like an answer to the question if both are equally adequate for security, or is one better than the other and why.
Doesn't OpenEMR use SSL for security, and many other websites for that matter? Therefore, it can't be too bad. Based on your article, should we not use SSL for OpenEMR? What alternative do we have?
I would love for you to address my post. I know that you have the knowledge and expertise for constructive feedback, but your responses did not do this. I also acknowledge that your computer knowledge blows mine away, I would be so much in your debt if you shared some of it with me.
David Eschelbacher MD
A properly secured OpenEMR server would only accept TLS 1.2 for connections and not accept any version of SSL or even older versions of TLS.
Rod,
Your proposal sounds very interesting. It is a little more complicated than I was proposing, and involves more research and learning on my part in regards to how to use cURL and create a web service application.
I looked at PHP.net for some curl examples, but they were not specific enough.
Do you know of any sample code on the top of your head that you could point me to?
Is the project that you are working on related to OpenEMR?
David Eschelbacher MD
Hi David, here you go.
if (($phandle = curl_init($server_url)) === FALSE) { die("Unable to access '$server_url'."); } curl_setopt($phandle, CURLOPT_POST , TRUE); curl_setopt($phandle, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($phandle, CURLOPT_POSTFIELDS , $args); if (($presult = curl_exec($phandle)) === FALSE) { die("curl_exec($phandle) failed."); } curl_close($phandle); if (($result = json_decode($presult,TRUE)) === NULL) { die("json_decode('$presult',TRUE) failed."); } return $result;In this case $args is an associative array of POST names/values, and the response data from the server is a JSON-encoded array. Easy!
Yes my project is for OpenEMR, it's the WordPress portal.
Cheers,
Rod
http://www.sunsetsystems.com/
Hi Rod,
Thanks for your code sample.
On the web, I found a lot of examples of how to use cURL and send authentication with cURL (which I call the "client" end). I like your suggestion to communicate with json.
Most of the samples on the web and your sample deal with the "client" end and not on the "server" end -- the part that processes the cURL request from the remote website.
I think that I can figure out how to process the post.
However, the part that I am having trouble with is how to implement SSL security.
Do you have any code samples and suggestions about how to handle the security via PHP on the "server" end? Can this be done in a simple manner?
David
Hi David, you can configure the web server (e.g. Apache) to take care of SSL (HTTPS). No programming required. You'll need a domain/host name, and then you can buy a cheap commercial certificate from some place like namecheap.com. Certificate vendors will generally provide instructions for various web servers.
https://httpd.apache.org/docs/2.2/ssl/
EDIT: That gets you encryption. For authentication the easy thing to do is include a username and password along with the other POST variables in the request. As long as you're using SSL they will not be subject to snooping. You could also configure Apache to accept only IP addresses that you know are entitled to access the server.
Rod
http://www.sunsetsystems.com/
Last edit: Rod Roark 2014-05-13
Hi Rod,
I am already familiar with configuring Apache and getting an SSL certificate (because I have already done this.)
Thanks for the link to namecheap.com -- it looks like they have extremely competitive pricing on certificates. Does it matter where I get the certificate from?
I thought that I needed to do something with the PHP code to ensure security. I did not realize that the web browser/server handles this automatically (as long as web server is configured for such.)
If you pass a url to the PHP cURL function that starts with "http://", my guess is that it won't be encrypted, right?
But, if you pass a url to the PHP cURL function that starts with "https://", then everything is encrypted automatically. Is this correct?
I am also curious, if Apache is not configured to activate SSL and it gets a URL that starts with "https://", does it reject it, or does it process it in a non-encrypted manner?
David
Hi David,
Yes it could matter where you get the cert from. I've had good luck with their RapidSSL offering.
True, https specifies encryption and http does not. For more about that see:
https://en.wikipedia.org/wiki/HTTPS
Apache will not automatically switch from https to http. You can configure it to accept either or both, or to redirect from one to the other.
I hope this helps.
Best,
Rod
If all you do is implement HTTPS for your system it certainly won't be HIPAA compliant, as HTTPS only handles the "transport layer," which is a necessary, but not sufficient piece of the security puzzle.
This HTTPS/cURL protocol is exactly what the "Off-site" portal uses for communications. However, the initial implementation of it's SOAP interface allowed arbitrary execution of queries which would have been a serious liability if Brady had not recognized the vulnerability as part of code review.
Proper security is not simply a "check list" of protocols.
Kevin I don't think anyone is trying to ignore HIPAA requirements, it's just that David is still figuring out the underlying tools and methods. I agree it will be interesting to get into the HIPAA stuff, and like to encourage users to write code and thereby better understand what's going on.
But I'm glad you mentioned the risks of web services. Note that I recommended offering them from the fax server side, not the OpenEMR side. Better, I think, for the "less sensitive" system to be accepting connections from the outside world.
Rod
http://www.sunsetsystems.com/
My comment is a specific example regarding David's query:
Was not properly addressed in the past. Lots needs to be done with PHP code to ensure security, and even professionals are getting it wrong sometimes.
True.
Rod