Difference between revisions of "Talk:End-user device encryption (MU3)"
From OpenEMR Project Wiki
(End user device does not store PHI) |
m (End user device does not store PHI) |
||
Line 10: | Line 10: | ||
Pragma: no-cache | Pragma: no-cache | ||
Expires: 0 | Expires: 0 | ||
also on https://cristian.sulea.net/blog/disable-browser-caching-with-meta-html-tags/ |
Latest revision as of 01:09, 6 November 2021
This refers to data that remains on a user's device after they log out of the program. Breaches have occurred when users had laptops stolen that were not encrypted and stored the entire database on the laptop. Since the usual access to OpenEMR is by HTTPS connection, I think all that's required is that data from the session not be cached.
There's a technical discussion of this on Stack Overflow https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers
Basically puts this on each page:
Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0
also on https://cristian.sulea.net/blog/disable-browser-caching-with-meta-html-tags/