Latest technology stack
OpenSpecimen is built using the latest versions of all the technology platforms used internally. This includes Tomcat, Apache, Oracle, MySQL, Java, VueJS, etc.
HTTPS/SSL
OpenSpecimen supports (and highly recommends) using an SSL-enabled web server to encrypt data over the network.
User account security
Organizational Single Sign On (SSO)
This enables users to log in to OpenSpecimen using their organizational credentials. It also ensures only active organizational users can access OpenSpecimen. You can configure one or more Identity Providers (IdP) to authenticate users in OpenSpecimen.
Currently, we support LDAP and SAML-based authentication, apart from the in-built user module of OpenSpecimen.
Two-factor authentication
Two-factor authentication (2FA) enables OpenSpecimen customers to implement an additional security layer to protect user accounts from being hacked. When 2FA is configured, users must enter an additional One Time Password (OTP) along with the username and password.
This is a system-level configuration and applies only to local accounts (i.e., non-SAML/LDAP accounts).
Password encryption
User passwords for local accounts are stored in the MySQL database. To protect the user passwords, OpenSpecimen uses bcrypt to hash the user passwords before storing them in the database.
Application features
Password protection
Note: This does not apply if user accounts are integrated with the Customer's Identity Providers (IdP).
...
Where N is configured as per the Customer's needs.
Login Audit
Every login and logout session is recorded, including failed login attempts. Refer to Other Audit Reports for more details.
Data manipulation audit
Every action that results in data being changed is audited (i.e., create, edit, delete). The audit information contains the following:
Timestamp
User id
IP address
Record id
In the case of edit: old value and new value
Currently, audit reports have to be generated either directly from the database or via REST API calls. There is no user interface for the same. Building a UI-driven audit reporting module is on our product roadmap. Refer to Audit Logs for more details.
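An added example (not OpenSpecimen code) of the audit record described above: a hypothetical `audit_entries` helper that emits the listed fields and, for an edit, one row per changed field with its old and new value. The function name, dictionary keys and sample record are assumptions made for illustration.

```python
from datetime import datetime, timezone


def audit_entries(action, user_id, ip_address, record_id,
                  old=None, new=None, now=None):
    """Build audit rows for one create/edit/delete on a record.

    Returns a list of dicts. An edit yields one row per changed field,
    carrying the old and new value; an edit that changes nothing yields
    no rows, so no-op saves do not clutter the trail.
    """
    if action not in ("create", "edit", "delete"):
        raise ValueError(f"unknown action: {action}")
    base = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "user_id": user_id,
        "ip_address": ip_address,
        "record_id": record_id,
        "action": action,
    }
    if action != "edit":
        return [base]
    old, new = old or {}, new or {}
    rows = []
    # Union of keys so that added and removed fields are audited too.
    for field in sorted(set(old) | set(new)):
        before, after = old.get(field), new.get(field)
        if before != after:
            rows.append({**base, "field": field,
                         "old_value": before, "new_value": after})
    return rows


# Constructed sample: a specimen record before and after an edit.
BEFORE = {"label": "SPM-001", "quantity": 5.0, "status": "Collected"}
AFTER = {"label": "SPM-001", "quantity": 3.5, "status": "Collected",
         "comment": "aliquoted"}

if __name__ == "__main__":
    for row in audit_entries("edit", 42, "10.0.0.7", 1001, BEFORE, AFTER):
        print(row)
```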
Reporting audit
The system maintains an audit log for every report run. The audit information contains the following:
User ID
Timestamp
Report ID
Internal SQL generated
Refer to Other Audit Reports for more details.
PHI data security
Across the globe, the security of PHI data is a matter of concern. There are many strict rules (e.g. HIPAA in the USA, GDPR rules in Europe, etc.). OpenSpecimen provides features to make clients compliant with these rules.
Restricted access to PHI
OpenSpecimen supports restricting access to data based on:
Collection Protocol
Site
Hierarchy of user roles (Admin > Tissue Banker > Technician > Researcher)
With the right combination of the above 3 parameters, every user will be able to see only the part of the data they are entitled to. This applies to all modules within OpenSpecimen. The ability to create, edit, delete, etc. can also be restricted via roles. You can restrict users from viewing PHI data by giving the “Participant (DeID)” privilege.
Data shared via emails
All the email notifications received by end users can be configured not to show any PHI data. As a general rule, a user gets emails for the work concerning them. PHI data is not included in any emails. To download any data, the user is provided a link and has to log in to OpenSpecimen to download the data.
Please refer to this wiki page for more details about when email notifications are generated and sent to users.
Administrator emails
Administrator email address: The email address is mentioned in Settings --> 'Administrator Email Address'. All the emails in the system are CC'd to this email.
IT admin: The IT admin email address is mentioned in Settings --> 'IT administrator email address'. This email address is optional and receives notifications for uncaught system errors. These notifications usually do not contain any PHI data.