Implementation of the UgandaEMR: Results of a Security Assessment



Author(s): MEASURE Evaluation

Year: 2020


MEASURE Evaluation. (2020). Implementation of the UgandaEMR: Results of a Security Assessment. Chapel Hill, NC, USA: MEASURE Evaluation, University of North Carolina.
Abstract:

The United States Agency for International Development (USAID), the United States President’s Emergency Plan for AIDS Relief (PEPFAR), and the United States Centers for Disease Control and Prevention (CDC) have all contributed significant funding to the development and implementation of electronic medical records (EMRs) to support the capture of patient medical data. Using USAID’s Software Global Goods Valuation Framework, it has been estimated that the total development cost of OpenMRS—a widely used open-source EMR system—is roughly $8 million (Center for Innovation and Impact, 2019). The increased demand for patient-level data needed to achieve epidemic control of HIV and for other health monitoring has caused a shift from using EMR software for retrospective data entry to real-time point-of-care systems.

As these systems move from a single computer to interconnected computers at multiple sites, the need for improved security has become more critical. Security guidelines, such as International Standards Organization (ISO) 2700 and National Institute of Standards and Technology (NIST) 800, are burdensome to use as assessment tools in these settings. Instead, implementing partners (IPs) in low-resource settings require tools that can be tailored to their circumstances so they can continuously assess the privacy and security of the health information systems they manage.

PEPFAR asked the USAID- and PEPFAR-funded MEASURE Evaluation project to develop an assessment tool to address this issue. We took high- and moderate-impact priority controls from NIST 800, ISO 2700, and the Health Insurance Portability and Accountability Act and adjusted them to be practical in a low-resource setting. We then used the tool to conduct a security assessment. This was a step-by-step process involving questionnaires, in-person assessment and verification, and automated security testing tools.

USAID chose the UgandaEMR system for us to assess because it uses the most recent reference implementation of OpenMRS—version 2.9—and because it is being widely used at more than 1,000 facilities in Uganda. The Monitoring and Evaluation Technical Support (METS) Program, at the Makerere University School of Public Health, acts as the above-site mechanism to support the development and implementation of UgandaEMR, and numerous IPs; their subgrantees oversee the day-to-day use and maintenance. The assessment team visited six sites representing a range of IPs and donors as part of this assessment.

UgandaEMR was determined to be a moderate-impact system based on three criteria: confidentiality, integrity, and availability. The assessment found gaps in all the control areas, although there was some variation between facilities. The recommendations to address and mitigate the gaps were identified through prioritization, and their implementation will vary by IP based on available resources and relevant risk.

Filed under: EHR, Health data, Health information, Uganda