Privacy and Security
Security Architecture
Currently, front-end 'security' is purely cosmetic: a user who logs in sees only those modules they are permitted to see.
If a user somehow hacks localStorage + JavaScript and sees modules they don't have access to, but can't use them (because they don't have the appropriate back-end permissions to view patients, create lab orders, etc.), then that isn't a major concern.
If this is a major concern, however, we can encrypt the permissions in localStorage and sign our JavaScript files to make sure they haven't been tampered with.
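The back-end check this section relies on, sketched as an added example (not the project's own code): the server decides from its own permission table and never reads the module list the browser holds in localStorage. The user names, permission strings and function names are assumptions made for illustration.

```javascript
// Server-side source of truth for permissions (constructed sample data;
// a real deployment would load this from the database at login).
const USER_PERMISSIONS = new Map([
  ["nurse01", new Set(["patients:view"])],
  ["labtech01", new Set(["patients:view", "lab_orders:create"])],
]);

// Each back-end action names the single permission it requires.
// Actions missing from this map are refused (deny by default).
const ACTION_REQUIRES = new Map([
  ["viewPatient", "patients:view"],
  ["createLabOrder", "lab_orders:create"],
]);

// Decide one request. `request.clientModules` stands for whatever the
// browser sent from localStorage; it is deliberately never consulted.
function authorize(request) {
  const required = ACTION_REQUIRES.get(request.action);
  if (!required) return { allowed: false, status: 404, reason: "unknown action" };
  const granted = USER_PERMISSIONS.get(request.sessionUser);
  if (!granted) return { allowed: false, status: 401, reason: "not authenticated" };
  if (!granted.has(required)) {
    return { allowed: false, status: 403, reason: `missing ${required}` };
  }
  return { allowed: true, status: 200, reason: "ok" };
}

// Constructed requests. In the second one the browser's localStorage was
// edited so the lab orders module is visible to a user without that permission.
const SAMPLE_REQUESTS = [
  { sessionUser: "labtech01", action: "createLabOrder", clientModules: ["patients", "lab_orders"] },
  { sessionUser: "nurse01", action: "createLabOrder", clientModules: ["patients", "lab_orders"] },
  { sessionUser: "nurse01", action: "viewPatient", clientModules: [] },
  { sessionUser: "ghost", action: "viewPatient", clientModules: ["patients"] },
  { sessionUser: "nurse01", action: "deleteEverything", clientModules: ["admin"] },
];

// Returns the HTTP status chosen for each sample request, in order.
function runSamples() {
  return SAMPLE_REQUESTS.map((r) => authorize(r).status);
}

console.log(runSamples());
```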
User Authentication
A user will be required to log in:
- Before each use (don't save login between sessions)
- After a set amount of time, such as 4 hours
Currently, we use basic authentication as a placeholder.
Our requirements for authentication + communication are:
- Users are only able to log in with the correct user/password
- Communication is encrypted between client and server
- Not vulnerable to man-in-the-middle attacks or a spoofed server
Our options for authentication in v1.0:
- OAuth + SSL
- 2-way SSL
- other authentication options
Log in Process