Re: [Oscarmcmaster-bc-users] internet access
From: Dan B. <mai...@fu...> - 2008-05-22 15:14:05
I intend to reply in detail to Colleen's request a little later.
Anyway, no matter what form or how many layers of security you use, if
you access OSCAR from a public computer, security becomes a moot point.
The point: just don't access OSCAR from a public computer. Access OSCAR
from your work, home or mobile computers only. If you stick to this all
you really need is the SSL encryption. Though I highly recommend VPN
(ipsec) and it's easy to install on all operating systems. I believe the
2nd level pass code is for allowing only certain people access to OSCAR
remotely. I can't see how it helps in a second level layer of security.

Dan

On Thu, 2008-05-22 at 07:48 -0700, James Busser wrote:
> On 21-May-08, at 10:01 PM, my fly wrote:
>
> > Luckily, accessing your (seasonably secured) Oscar can be easier
> > than this. With a USB stick, you will be able to access Oscar
> > through a firewall with just a few clicks.
>
> Possible configurations would be
>
> 1) when working within the same network as your Oscar server...
> presumably in the office
>
> - user id + just one password
>
> 2) when accessing Oscar from "away" (anywhere that the server is not)
>
> - user id + just one password *plus* one of the following
>
> a) if from known-in-advance, trusted locations (e.g. home) can simply
> have your static or dynamic IP programmed into the firewall
> protecting Oscar
>
> - once this has been set up, you would not need to do anything more
> than enter your userid and password
>
> b) unknown / untrusted locations (e.g. traveling, or laptop in mobile
> cafe, or from friend's home)
>
> - USB key (recommend Yubikey) or RSA SecurID / Verisign credit card
> or football-style token. However I believe that your Oscar vendor/
> maintainer would need to set up a software layer called
> "PAM" (password authentication module) in order for your server to be
> able to determine what it is supposed to require before permitting a
> connection, as well as how it is supposed to "understand" what is
> coming from the USB key or other "token". This includes such things
> as the location of "home" which the token needs to "call" through the
> server, whether that "home" is the company which sold the token, or
> whether some other entity (like Vancouver Coastal or MOH HIAL) had
> committed to serve this function.
>
> - others have suggested VPN, however VPN as I understand it can
> require extra software, may or may not allow you to use a guest
> computer if special software on that computer is required, may
> require that you use an additional password, and may be subject to
> keylogger replay attacks. Others may like to clarify.
>
> Note: I had not wished to offend, but Oscar's "two password" design
> does not add anything significant other than to confuse the users
> (because the design is an awkward means to configure whether or not
> people are permitted to connect from home) and also hassles the users
> to have to remember a second password, without the second password
> adding adequate/sufficient security. People who are connecting from
> away should really be using 2a) or 2b) since in the event of breaches
> you would have been considered to be using inappropriate measures to
> protect patients' health information. In the meantime, for people who
> are connecting insecurely --- without 2a) or 2b ---, the two
> passwords together really only offer a bit more protection than a
> single, stronger password. I don't want to debate the math. The Oscar
> two-password approach really should be *retired* ! :-)
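
The three access tiers listed in the quoted message (1, 2a, 2b), written out as a location-based factor policy. This is an added example, not part of the thread and not OSCAR code; the address ranges, the function names and the choice to evaluate the policy in application code rather than at the firewall or in PAM are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (private and documentation ranges), not from the thread.
OFFICE_NETS = [ipaddress.ip_network("192.168.10.0/24")]     # case 1: same network as the server
TRUSTED_REMOTE = [ipaddress.ip_network("203.0.113.25/32")]  # case 2a: known-in-advance location

REQUIRED = {
    "office": {"password"},
    "trusted": {"password"},
    "untrusted": {"password", "token"},  # case 2b: password plus hardware token
}

def classify(source_ip):
    """Map a client address to 'office', 'trusted' or 'untrusted'."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "untrusted"  # fail closed on anything unparseable
    # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d;
    # unwrap it so it is compared against the IPv4 lists.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in OFFICE_NETS):
        return "office"
    if any(addr in net for net in TRUSTED_REMOTE):
        return "trusted"
    return "untrusted"

def authorize(source_ip, verified_factors):
    """True only if every factor required for this location has been verified."""
    return REQUIRED[classify(source_ip)] <= set(verified_factors)

if __name__ == "__main__":
    for ip, factors in [("192.168.10.7", {"password"}),
                        ("203.0.113.25", {"password"}),
                        ("198.51.100.9", {"password"}),
                        ("198.51.100.9", {"password", "token"})]:
        print(ip, classify(ip), authorize(ip, factors))
```

An address that matches neither list, or that cannot be parsed, falls into the token-required tier, so a stale or mistyped allow-list entry costs convenience rather than protection.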