Introduction
Data privacy and security are foundational to maintaining the confidentiality, integrity, and availability of sensitive information in today's digital landscape. For organizations hosting AMRIT, implementing a robust security framework is essential to safeguard data from unauthorized access, breaches, and leaks. This document outlines key best practices and technologies that organizations should adopt to enhance data security and privacy when deploying AMRIT. These recommendations cover Virtual Private Network (VPN) usage, data replication, HTTPS implementation, Role-Based Access Control (RBAC), annual Vulnerability Assessment and Penetration Testing (VAPT), secure APIs, and server hardening with firewalls.
1. VPN (Virtual Private Network)
A VPN secures data by creating an encrypted tunnel between a user’s device and a secure network. This ensures that sensitive information transmitted over the internet remains protected from interception.
AMRIT infrastructure hosted on PSMRI's on-premise servers uses SOPHOS VPN services that adhere to industry standards such as AES-256 encryption to ensure the confidentiality and integrity of data transmitted over public networks.
2. Replication
Data replication ensures the availability and integrity of data by creating copies of critical information across multiple locations.
AMRIT implements continuous replication for all critical systems and databases, maintaining dedicated replication servers so that a current copy of the data is always available. Replication protects availability, not history: a mistaken or malicious write is replicated just as faithfully as a legitimate one, so point-in-time backups are still required alongside it.
3. HTTPS Everywhere
Enforcing HTTPS ensures that all data transmitted between the user's browser and the server is encrypted, preventing eavesdropping and man-in-the-middle attacks. HTTPS uses TLS (the successor to SSL) to encrypt and authenticate the connection, so an attacker on the network path can neither read nor silently alter the traffic. Enforcement means more than offering HTTPS: plain-HTTP requests are redirected to HTTPS, and the Strict-Transport-Security header tells browsers never to use plain HTTP for the site again.
All of our public-facing websites and applications enforce HTTPS by default. We regularly audit our certificates so that they are renewed before expiry and issued with current key sizes and signature algorithms.
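One way to enforce this at the reverse proxy, as an added example that is not AMRIT's own configuration: an nginx ruleset that answers every plain-HTTP request with a redirect, serves only TLS 1.2 and 1.3, and sets Strict-Transport-Security so browsers remember to use HTTPS. The host name, certificate paths and upstream address are assumptions.

```nginx
# Added example, not AMRIT's configuration. Host name, certificate paths and
# the application upstream are assumptions.

server {
    listen 80;
    listen [::]:80;
    server_name amrit.example.org;            # assumed host name

    # Nothing is served over port 80: every request is sent to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name amrit.example.org;

    ssl_certificate     /etc/ssl/certs/amrit.example.org.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/amrit.example.org.key;  # assumed path

    # TLS 1.2/1.3 only; SSLv3, TLS 1.0 and 1.1 are never offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (applies to TLS 1.2; 1.3 picks its own).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: a browser that has seen this header refuses plain HTTP for this
    # host for a year, so even the first request of a later visit cannot be
    # downgraded by an attacker on the path.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;     # assumed application upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the file with `nginx -t` before reloading. Afterwards `curl -sI http://<host>/` should return a 301 whose Location starts with `https://`, and `curl -sI https://<host>/ | grep -i strict-transport` should show the HSTS header. Add `preload` to the header only once every subdomain serves HTTPS, because browsers cache the directive.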
4. RBAC (Role-Based Access Control)
RBAC restricts access to sensitive data based on user roles, ensuring that only authorized personnel have access to specific resources.
Key Points:
Access control: Users are granted permissions based on their role, limiting access to information based on necessity.
Principle of least privilege: This ensures that users only have access to the data necessary to perform their job functions.
Evidence: AMRIT implements a strict RBAC policy and the IT team regularly reviews user roles and permissions to minimize exposure to sensitive data. Access control logs are maintained.
5. VAPT (Vulnerability Assessment and Penetration Testing) – Annual Testing
VAPT helps identify and remediate security vulnerabilities before they can be exploited by attackers. Regular vulnerability scans identify weaknesses in the system that could be exploited. Penetration testing simulates attacks to identify vulnerabilities in applications, networks, and systems.
Our organization conducts VAPT annually, using certified third-party vendors to assess and test our systems. All identified vulnerabilities are addressed with high priority, and remediation actions are documented.
6. Secure APIs
Secure APIs are essential for protecting data and ensuring safe communication between applications.
AMRIT achieves secure APIs through:
Authentication and Authorization: All AMRIT APIs require authentication with JWT tokens, and strict access controls are enforced on every request, so a valid token alone does not grant access to resources outside the caller's role.
Encryption: All API traffic is encrypted using HTTPS to prevent interception of sensitive data.
AMRIT APIs follow industry-standard security practices, including signed JWT tokens and logging of all API interactions, to ensure secure data exchange between systems.
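The two checks that the RBAC section and the Secure APIs section describe, token verification followed by a deny-by-default role check, written out as an added example that is not AMRIT's own code. It verifies a standard HS256 JWT with the standard library only, pins the algorithm server-side so that an `alg: none` or tampered token is rejected before any claim is read, and then consults a role-to-permission table. The role names, permission names, signing key and sample tokens are assumptions constructed for the example, not AMRIT's actual role model.

```python
"""Added example, not AMRIT's code: HS256 JWT verification plus a
deny-by-default RBAC check. Roles, permissions and the key are assumptions."""
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token, key, now=None):
    """Return the claims only if the token has three parts, declares HS256,
    carries a valid HMAC over header.payload under `key`, and has not expired.
    Anything else raises AuthError, so callers never see unverified claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not token.isascii():
        raise AuthError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable token")
    # Pin the algorithm server-side. Trusting header["alg"] is what lets an
    # attacker submit alg=none (no signature) or swap RS256 for HS256.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise AuthError("bad signature")
    try:
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable payload")
    # Expiry is mandatory: a token without exp would be valid forever.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        raise AuthError("expired or missing exp")
    return claims


# Role -> permission table. Roles and permission names are assumptions for the
# example, not AMRIT's actual role model. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "clinician": {"record:read", "record:write"},
    "registration_desk": {"record:read", "patient:register"},
    "admin": {"user:manage"},
}


def authorize(claims, permission):
    """Deny by default: allow only if a role in the token grants `permission`."""
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def handle_request(token, permission, key, now=None):
    """What an endpoint does with `Authorization: Bearer <token>`: returns the
    HTTP status it would answer with (200, 401 or 403)."""
    try:
        claims = verify_token(token, key, now)
    except AuthError:
        return 401            # unauthenticated: malformed, forged or expired
    if not authorize(claims, permission):
        return 403            # authenticated, but this role may not do this
    return 200


if __name__ == "__main__":
    # Constructed demo: a clinician token may read records but not manage users.
    key = b"demo-key-do-not-use-in-production"
    now = 1_700_000_000
    tok = issue_token({"sub": "u123", "roles": ["clinician"], "exp": now + 600}, key)
    print(handle_request(tok, "record:read", key, now))   # 200
    print(handle_request(tok, "user:manage", key, now))   # 403
```

The order matters: the signature is checked before the payload is parsed, so nothing in an unverified token influences the decision, and the algorithm comes from server configuration rather than from the token. In production the key would come from a secrets store rather than a literal, and the permission table would be loaded from the application's role model and reviewed as the RBAC section describes.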
7. Hardening the servers and firewalls
Server and firewall hardening enhances system security by reducing vulnerabilities and preventing unauthorized access.
The AMRIT IT team performs regular server hardening, including disabling unnecessary ports and services, applying patches promptly, and running intrusion detection systems (IDS). Firewalls are configured on the principle of least privilege: traffic is denied by default and only the ports each server actually needs are opened, with logging enabled so that dropped and suspicious connections can be reviewed.
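What a least-privilege host firewall with logging looks like in practice, as an added example that is not AMRIT's own ruleset: an nftables policy for a single web-facing application server that drops everything by default, admits SSH only from a management network and HTTPS (plus the port-80 redirect) from anywhere, and logs what it drops. The management subnet and the assumption that the application and its database are on this one host are illustrative; a database or replication server would open its own port to its peer's address only.

```nft
#!/usr/sbin/nft -f
# Added example, not AMRIT's ruleset. The management subnet is an assumption.
flush ruleset

table inet filter {
    chain input {
        # Deny by default: anything not matched below is dropped.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Administrative access: SSH, and only from the assumed management network.
        ip saddr 10.10.0.0/24 tcp dport 22 ct state new accept

        # Public service: HTTPS. Port 80 exists only to redirect to HTTPS.
        tcp dport { 80, 443 } ct state new accept

        # The ICMP types needed for path MTU discovery and basic diagnostics.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Log (rate-limited) before the policy drops, so scans and unexpected
        # connection attempts reach the kernel log and the IDS/SIEM.
        limit rate 5/minute burst 20 packets log prefix "nft-drop-input: "
        counter
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate with `nft -c -f <file>` (parse only), apply with `nft -f <file>`, confirm with `nft list ruleset`, and watch the drops with `journalctl -k | grep nft-drop-input`. A replication or database server needs the same structure with its own service port opened only to the peer's address; it should not expose 80/443 at all.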
Conclusion
By following these recommendations, organizations hosting AMRIT can achieve a robust level of data privacy and security. Implementing VPNs, data replication, HTTPS, RBAC, VAPT, secure APIs, and server hardening ensures protection against potential breaches while maintaining the integrity and confidentiality of sensitive data. These practices not only safeguard user information but also reinforce trust in AMRIT as a secure and reliable healthcare platform.
DPG
General Information
Solution name
AMRIT
...
Website
https://amrit.piramalswasthya.org/
Alternate Email Address
amrit@piramalswasthya.org
Where is your solution’s source hosted?
https://github.com/PSMRI/
Key Features of AMRIT
- ABHA Creation & Verification: AMRIT facilitates the creation and verification of ABHA, a unique digital health ID for every Indian citizen.
- Secure Access to Health Data: The platform ensures that access to electronic medical records is strictly based on consent, ensuring privacy and security.
- Nationwide Unified Health Data: By integrating with ABDM, AMRIT consolidates health records from different providers into a unified digital system, promoting continuity of care and data availability across healthcare settings.
- Consent-Based Sharing: Patients control the sharing of their medical records, ensuring data security and privacy.
SDG RELEVANCE
Which SDG/s is your solution relevant to?
SDG3: Good Health and Well-Being
How is your solution relevant to each SDG you’ve selected above?
SDG3 – AMRIT has been used across several organizations to provide primary healthcare, which includes family planning, mother-and-child care, adolescent health, NCDs, and in preventing alcoholism in rural and tribal settings within India.
Open Licensing
Which open license(s) is/are used by your solution?
GNU General Public License v3.0
Provide evidence of use of the selected open license(s).
https://github.com/PSMRI/AMRIT/blob/main/LICENSE
Clear Ownership
...
Does this solution use any closed components that create proprietary dependency?
No
Documentation
Where is your solution’s documentation?
Non-PII Data Extraction
Does your solution collect or use non-PII data and/or content?
Yes
Describe the mechanism for extracting or importing non-PII data from or into the system in a non-proprietary format.
Privacy & Applicable Laws
Provide a list of relevant privacy, domestic and other applicable international laws your solution complies with.
Provide evidence(s) of adherence with the laws mentioned above.
Open Standards & Best Practices
Provide a list of the open standards your solution adheres to and demonstrate adherence.
Provide a list of best practices & principles your solution adheres to and demonstrate adherence.
9A. Data Privacy & Security Measures
9B. Security Protocols to Safeguard AMRIT Servers
AMRIT takes extensive measures to secure its servers and prevent unauthorized access or attacks:
- Firewall Configuration: A robust SOPHOS firewall is in place to block malicious incoming traffic and protect against external threats.
- SSL Certificates for Data Encryption: SSL certificates are used to ensure secure communication between clients and servers, safeguarding data integrity during transmission.
- SSH Security for Server Access: SSH keys and other secure protocols are implemented to restrict access to server systems, protecting them from unauthorized administrative actions.
- Password Management: Default passwords are strictly prohibited, and strong, randomized passwords are enforced for all internal systems, preventing unauthorized access and minimizing risk.
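The SSH-key-only access and no-default-password rule described above, expressed as an added example that is not AMRIT's own configuration: an OpenSSH server drop-in that disables every password path, forbids direct root login, and limits SSH to members of one administrative group. The group name is an assumption.

```sshd_config
# Added example, not AMRIT's configuration. Install as
# /etc/ssh/sshd_config.d/50-hardening.conf (OpenSSH 8.2 or later) or append to
# /etc/ssh/sshd_config, then run `sshd -t` before restarting the service.
# The group name ssh-admins is an assumption.

# Keys only. With password authentication off, a weak, default or leaked
# password cannot be used to reach the host over SSH at all.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no

# Administrators log in as themselves and elevate with sudo; root never
# authenticates directly, so every action is attributable to a person.
PermitRootLogin no

# Membership of this group is the SSH access list; review it with the RBAC
# reviews described above.
AllowGroups ssh-admins

# Slow down and bound authentication attempts and idle sessions.
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable forwarding features an application server has no use for.
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

# VERBOSE records the fingerprint of the key used for each login, so access
# logs show which key, not just which account, authenticated.
LogLevel VERBOSE
```

On older OpenSSH releases the keyword for the third line is `ChallengeResponseAuthentication`. Before restarting sshd, keep an existing session open and confirm from a second terminal that key login still works and that `ssh -o PubkeyAuthentication=no <host>` is refused with "Permission denied (publickey)".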
AMRIT servers host personal and medical data for citizens and therefore must be properly protected to ensure privacy and security. Your country will likely also have laws and compliance requirements such as HIPAA, GDPR, CCPA or PDP, which must be adhered to when storing citizen data. Unlike paper-based records, data in computer systems can be copied, modified or destroyed very quickly by malicious actors, so server security must be taken very seriously.
...
9C. Inappropriate & Illegal Content
Does your solution collect / store / distribute content?
Content is NOT collected, NOT stored and NOT distributed.
9D. Protection from Harassment
Does your solution facilitate interactions with or between users and/or contributors?
Yes
How does your solution enable users and contributors to protect themselves from harassment.
The software is not intended for underage users and is expected to be used by professionals in clinical settings. The product does not indicate any harmful intentions in its vanilla state and hence does not restrict the users from accessing
9E. Scale of Solution
Where is this solution developed?
India
...
Who else is using your solution?
Has your solution received any awards and/or recognition in the last one year?
Conclusion and Request for DPG Approval
AMRIT is designed to be a secure, reliable, and user-friendly platform for managing electronic medical records in India. With its advanced encryption, access control, and compliance with industry standards, AMRIT provides a robust foundation for ensuring the privacy and security of health data.
By securing AMRIT’s technical infrastructure and following strict protocols such as SSL encryption, SSH security, and firewall protection, we aim to ensure that sensitive health data is well protected against potential security threats. We request the approval for DPG, as we believe that AMRIT’s compliance with regulatory and security measures meets the requirements for a secure, interoperable digital health solution in India.