Leave a comment at the end of this page or email contact@krishagni.com
Security considerations
Overview
OpenSpecimen is a Java Spring and REST API-based application. It is designed to handle highly sensitive data such as patient identifiers, demographics, clinical information, images, test results, etc. This document explains the security considerations used in OpenSpecimen to achieve this.
Latest technology stack
OpenSpecimen is built using the latest versions of all the technology platforms used internally. This includes Tomcat, Apache, Oracle, MySQL, Java, etc.
HTTPS/SSL
OpenSpecimen uses a TLS2/3 SSL-enabled web server to encrypt data over the network.
Authentication
OpenSpecimen has an in-built user management module. Customers can integrate OpenSpecimen with their institution's identity provider (e.g., Active Directory) via SAML or LDAP for tighter security. This will also avoid users having to remember multiple user names and passwords.
Password protection
Note: This does not apply if user accounts are integrated with the Customer's Identity Providers (IdP).
Where N is configured as per the Customer's needs.
- Password should be of length N characters (default 8)
- Password complexity defined via RegEx as per customer needs (default: one capital, one number)
- Cannot be the same as the last N passwords
- Password expiry every N days
- Passwords are never emailed in free text
- Passwords are stored in a one-way encrypted format
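The rules above enforced in code, as an added Python example that is not OpenSpecimen's own implementation. It assumes the length rule is a minimum, PBKDF2-HMAC-SHA256 as the one-way format, and illustrative values for history depth, expiry and iteration count; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    # Defaults 8 and "one capital, one number" are from the page; the rest are assumed.
    min_length: int = 8
    complexity: str = r"^(?=.*[A-Z])(?=.*\d).+$"
    history_depth: int = 5        # assumed N for "last N passwords"
    max_age_days: int = 90        # assumed N for expiry
    pbkdf2_rounds: int = 600_000  # assumed work factor for the one-way hash

def hash_password(password, rounds, salt=None):
    """Return (salt, digest). A new password gets a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def violations(policy, candidate, history):
    """List the rules a candidate breaks. history is newest-first (salt, digest) pairs."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    if not re.search(policy.complexity, candidate):
        problems.append("complexity")
    # Salted digests cannot be compared across salts, so the candidate is
    # re-derived under each stored salt and compared in constant time.
    for salt, digest in history[:policy.history_depth]:
        _, attempt = hash_password(candidate, policy.pbkdf2_rounds, salt)
        if hmac.compare_digest(attempt, digest):
            problems.append("reused")
            break
    return problems

def is_expired(policy, last_changed, now):
    """True once the password is max_age_days old or older."""
    return now - last_changed >= timedelta(days=policy.max_age_days)

if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample history: one previous password.
    history = [hash_password("Winter2023", policy.pbkdf2_rounds)]
    print(violations(policy, "Winter2023", history))
    print(violations(policy, "spring", history))
    print(is_expired(policy, datetime(2024, 1, 1), datetime(2024, 4, 15)))
```

The history check only works because each stored entry keeps its salt alongside the digest; trimming the stored history to `history_depth` entries on every change keeps old digests from accumulating.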
Account Protection
Where N is configured as per the Customer's needs.
- Accounts are locked after N failed attempts
- Accounts are locked after N days of inactivity
PHI Handling
PHI data is displayed only to users who have specific privileges.
Audit
Login Audit
Every login and logout session is recorded, including failed login attempts.
Data Audit
Every action resulting in changed data is audited (i.e., create, edit, delete). The audit information contains:
- Timestamp
- User id
- IP address
- Record id
- In the case of edit: old value and new value
Audit reports can be generated via UI.
Reporting Audit
Every time a user runs a report, a log is maintained, which includes information like:
- User ID
- Timestamp
- Report ID
- Internal SQL generated