Install OSCAR

Installing OSCAR

How to install OSCAR electronic medical record system as a Linux KVM virtual machine

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

Prerequisites:

  • Read: Hypervisor Host Server
  • You have a server installed with Linux KVM
  • You are using Virtual Machine Manager (virt-manager) to create and manage your virtual machines (you can also use the command line, but it’s a lot harder)
  • You have bridge networking enabled on your server
  • You have downloaded the ISO file for Linux – Ubuntu Server and copied it to your host server.

Step 1: Manage your Hypervisor Server

If you followed the previous instructions on setting up a baremetal hypervisor server with Linux KVM, you can now access your host server and create guest virtual machines (VMs), one of which can be OSCAR.

You have different options on accessing your host server:

Option A: Directly on the server

If you have a monitor, keyboard and mouse directly attached to the server, you can log in to the server by typing in your username and password.

Then enter the XFCE graphical user interface:

$ startx

Start the Virtual Machine Manager by accessing it in the Menu -> System Tools -> Virtual Machine Manager

or by starting a terminal session and typing:

$ virt-manager &

Option B: SSH to your server

SSH is a protocol for securely accessing the server through an encrypted channel. It allows you to connect to the server from another computer or location.

Use your favourite SSH program and ssh to the server IP. You can consider downloading and using SmarTTY.

Run the program and click on “Setup a new SSH Connection…”

Create a new connection profile:

Change the IP Host Name and server User name to what applies to your situation. Click “Connect”. You should be connected to your server now. You can run Linux command lines or start the Virtual Machine Manager:

$ virt-manager &

Note: The “&” backgrounds the command (it runs the command in the background and lets you continue to work at the command line).

Copy the latest Ubuntu Server ISO to the host server

Download the latest Linux Ubuntu Server and copy it to your host server home directory ~/ such as “/home/administrator”.

If you are using SmarTTY, you can go to menu “SCP -> Upload a file”.

Upload a File with SCP

Local file name: find the ISO file that you downloaded on your computer

Remote directory: /home/administrator

(* Or whatever your administrator username is)

Click Upload.

* If you run into problems and get error messages, it means you are trying to upload to a directory that your username does not have permission to access. Please check that you are uploading to your home directory.

Step 2: Create a virtual disk

Once you have Virtual Machine Manager running, start by creating a virtual disk on which you will install the Linux server and then OSCAR.

Edit menu -> Connection Details -> Storage tab

Click on “New Volume”.

Name the virtual disk file whatever you want, ie. “oscar-server.img”.

Choose Format: qcow2

Max Capacity: 50 GB (or any size you want)

Allocation: 50 GB

Click “Finish”

* Choosing qcow2 format allows you to expand the virtual disk later when you run out of room.

Step 3: Create a virtual machine

Inside Virtual Machine Manager, click on the icon “New”.

Give a name to your virtual machine, ie. “OSCAR”

Choose “Local install media (ISO image or CDROM)”.

Click Forward.

Choose “Use ISO image” and browse to find the ISO image of Linux Ubuntu Server.

Choose OS Type “Linux” (Find the closest version that matches, otherwise choose the highest Ubuntu version shown)

Click Forward.

Enter an amount of Memory: 2000 MB (or more if you like)

Enter how many CPUs you want to assign to this VM: 2

Click Forward.

Select “Select managed or other existing storage”, click Browse and select your previously created virtual disk “oscar-server.img”, click “Choose Volume”

Click Forward.

You may adjust the settings before booting up the virtual machine by ticking “Customize configuration before install”.

Click the “Advanced Options” arrow to choose the ethernet device to use. Choose the bridge network that you created previously, or use “Specify shared device name” and type in the name of the bridge network that you created previously, ie. Bridge name: br0

* Write down the MAC address of this virtual network interface. You should create a fixed IP address attached to this MAC address on your router, so you can know where to access your OSCAR server later.

Click Finish.

If you ticked “Customize configuration before install” you can make some final changes and then click the icon “Install”.

The virtual machine server should show a window and start the Linux Ubuntu install process. Go through the same process (as explained in a previous post on installing Linux) and install a basic Linux server.

Some considerations when installing this Linux server for OSCAR:

  • Consider using full disk encryption with LVM-LUKS. This protects your OSCAR virtual disk data in case someone steals the server.
  • However, if you choose to encrypt the whole disk, you will need to be able to access the server console directly (or via SSH and the graphical Xming server) to type in the administrator password before you can boot up the OSCAR server. This may be an issue if you experience power outages and the server restarts. Or, if you shut down the server on purpose for maintenance, you will need to remember to check that the OSCAR virtual machine is running and that the administrator password was typed in to continue the boot-up sequence.
  • It will also be complicated if you run out of space and you want to expand the qcow2 disk that holds the encrypted LVM-LUKS system. If you used just a simple qcow2 disk, it is easier to expand the virtual disk if you run out of space.

Step 4: Install OSCAR deb

Now that you have installed a bare Linux server with Ubuntu Server in a virtual machine, you can follow Peter HC’s instructions and install the latest OSCAR deb.

Download the latest OSCAR deb to the OSCAR virtual machine, and install OSCAR via his instructions:

Instructions on installing OSCAR 19

Hypervisor Host Server

Setting up host Linux KVM virtualization server

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

Before you start installing OSCAR or any other server applications, consider using a virtualization platform. Virtualization uses a host server that manages various guest servers. There are many options out there to choose from, such as VMware, Windows Hyper-V, Oracle VM VirtualBox, Proxmox VE, Linux KVM, or even Mac Parallels. Consider using an open source virtualization platform such as Proxmox VE and Linux KVM.

Virtualization allows you to save time, money and hardware. It allows for easier hardware management, without the need to reinstall the server software each time you want to upgrade hardware. Instead of installing one server application on one hardware server, you can set up one main server that acts as the hypervisor, on which you can install individual guest servers as virtual machines that run within the host hypervisor. For example, if you set up OSCAR as a virtual machine, the entire OSCAR can be encapsulated in a single image/container file. You can start up or shut down the OSCAR image without ever having to physically turn off your actual server hardware. If you packed your physical host server with lots of CPU, hard drives, and RAM to start, you can then divvy up how much of these resources go to OSCAR and how much to another server (ie. Windows Server, email server, webserver etc). You can reassign and reallocate CPU cores, RAM, and other hardware resources at will. If you need to move to another more powerful server, it is as simple as copying over the virtualized image/container file. You can also make copies of the server, and test out any changes for practice, before you commit to any actual changes on the live server.

Examples of other virtual servers running on the hypervisor server:
  • pfSense (virtual firewall appliance)
  • Windows Server: Active Directory, File Server, Remote Desktop environment
  • OSCAR electronic medical record system
  • Hylafax (fax server)
  • Owncloud/Nextcloud (private Dropbox/Google Drive like file server)
  • Asterisk/FreePBX (VoIP PBX system)
  • LDAP server
  • MySQL server
  • ZoneMinder (security system DVR)
  • OpenVPN (VPN server)
  • Zimbra (email server)
  • UCS Univention Corporate Server
  • Xibo (digital signage)
  • WordPress/Joomla/Drupal (web page server)
  • Any test copies of servers

Linux KVM Virtualization Host Server

Setting up the Linux bare metal (Type 1 hypervisor) host server

Before you set up the server, you need to buy a physical server. There are a lot to choose from and, depending on your needs, it can range from a few hundred dollars to several thousand dollars. Once you have bought a server that fits your current needs (you can always upgrade to a better server later, and easily, since with virtualization you can just move the image/container file), come back to this article on setting up the virtualization server.

Read: Choosing Server Hardware

There are three main server operating systems: Windows, Mac OS or Linux. The majority of the Internet runs on some form of Linux. There are many flavours of Linux, some are commercial, some are open source. The most popular Linux server distributions are: Ubuntu, Red Hat, SUSE, CentOS, Debian, and Oracle Linux. Choose a Linux distribution that works for you. Many big companies also use Red Hat or CentOS. We find Ubuntu Linux the easiest to use.

If you decide to use Proxmox VE as the baremetal hypervisor, then you can skip this section on Linux KVM Virtualization Host Server.

However, here is an example of how to set up Linux KVM on an Ubuntu Server. We install from scratch because it allows you to minimize the host server resources (limiting waste and reserving more resources for the guest servers), and also to reduce the attack surface for vulnerabilities and insecurities.

Step 1: Download Ubuntu Server LTS (Long Term Server)

Go to Canonical’s Ubuntu website and download the latest ISO image.

Burn the ISO to a DVD or make a bootable USB stick with a utility like BalenaEtcher.

Step 2: Enable Virtualization hardware in the BIOS of the server.

If you bought a CPU with VT-x or AMD-V, then you can run virtual servers on one machine. Determine the key to press in order to enter the BIOS screen for the motherboard by Googling the manufacturer name and “BIOS”. Turn on the computer and press the key to enter the BIOS (usually Esc or one of the Function keys). Find the option that says “Intel VT-x” or “Intel Virtualization Technology” or “AMD-V” or “Virtualization Extensions” and enable it. This option may be under a submenu under Processor, or Chipset, or Advanced CPU Configuration or Northbridge. Once you have enabled the option, “Save the settings to CMOS and Exit the BIOS”.

Step 3: Install the server with the Ubuntu DVD or bootable USB stick.

You may need to enter the BIOS again and enable the “Boot Order” so the server computer can boot with the DVD drive or a USB. Otherwise, the BIOS may only allow booting from the hard drives (security feature). You can disable this after you finish installing the server.

There are many great online tutorials on how to install Ubuntu Server. Follow these tutorials and customize your installation with the following considerations:

Customization Considerations:

  • Install the baremetal hypervisor server on to a separate SSD (you can hardware RAID that if you are extra careful) that is different from your main RAID hard drives that will store your virtual machines and other files. This way, if you need to replace the heavily used hard drives, you don’t need to reinstall the bare metal server.
  • Partition your installation with separate root, boot, mount, and swap partitions:
    • /boot = 1 GB (ext4 file system)
    • swap = 2 GB (if you have lots of RAM, you don’t need much swap space)
    • /mnt = 100 MB (ext4 file system) * This prevents backup scripts from filling up the root partition if copying to improperly mounted network drives
    • / = leftover space on the disk (ext4 file system)
  • If you use whole disk encryption at this stage, you run the risk of needing to be physically present to manually type in your root password every time the server restarts or reboots after a power outage.
  • If you encrypt the “Home” directory, you run the risk of some things stored in your “Home” directory not running until you log in as the user. So don’t store scripts or virtual machine images in your Home directory if you choose to encrypt.
  • Allow Ubuntu to “install important security updates automatically”.
  • If you have the option of running tasksel during the installation phase, consider installing these at this point (if not, we will show you how later):
    • Virtual Machines KVM
    • OpenSSH server

Various tutorials and resources on installing Ubuntu Server:
  • Canonical
  • LinuxTechi
  • FossLinux

Step 4: Perform some initial housekeeping items

Once the server is installed, you can remove the installation media and boot into the server. Using the administrator username and password you created when you installed the server, log in to the server.

Update and upgrade the server:

$ sudo apt-get update && sudo apt-get upgrade

Allow the server to automatically remove unused dependencies (to keep the /boot from filling up). Edit the config file with nano:

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find the line that looks like the following and remove the “//” characters in the beginning of the line (uncomment), and change the parameter to “true”:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Press Ctrl-O to save, Ctrl-X to exit.

Lower the wait time “Raising networking interfaces….” when booting the server, in case you have multiple network interfaces and not all are connected to a network with DHCP:

$ sudo nano /etc/dhcp/dhclient.conf

Edit the timeout to be 15 seconds:

timeout 15;

Step 5: (Optional) Install a lightweight graphical user interface

Sometimes, navigating and operating a server with the command line only is difficult. If you prefer a graphical user interface (and you installed the Ubuntu Server edition, and not the Desktop edition) you can install the lightweight GUI XFCE desktop.

$ sudo apt-get update

$ sudo apt-get install xfce4

Whenever you want to start the GUI, type the command:

$ startx

Now you can use the graphical desktop to load a Terminal window and continue working on your installations.

Step 6: Install OpenSSH Server

If you did not install this originally with Tasksel, then install and configure it now.

$ sudo apt-get update

$ sudo apt-get install openssh-server

$ sudo systemctl enable ssh

Edit the configuration file:

$ sudo nano /etc/ssh/sshd_config

Modify the settings with the following:

PermitRootLogin prohibit-password
MaxAuthTries 10
PasswordAuthentication yes

(Choose “PasswordAuthentication no” if you plan on using SSH keys only for SSH login.)

Press Ctrl-O to save, Ctrl-X to exit.
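Editing these lines by hand only helps if sshd actually reads them: sshd takes the first uncommented occurrence of a keyword, and everything after a “Match” line belongs to that conditional block. The following POSIX shell script is an added example (not from the original post, and sshd_effective is a name chosen here) that reports the value sshd will use for each directive above; the sshd_config it inspects is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually use for a directive in sshd_config. Two things bite people who
# edit this file by hand:
#   1. sshd uses the FIRST uncommented occurrence of a keyword, so a line
#      added at the bottom of the file is ignored if the keyword already
#      appears higher up.
#   2. Everything after a "Match" line belongs to that conditional block
#      until the next "Match" (or end of file), so a line appended after
#      one is not a global setting.
# Files pulled in through "Include" are not followed here; "sudo sshd -T"
# remains the authoritative view of the running configuration.

# sshd_effective KEYWORD FILE
# Prints the effective global value of KEYWORD, or "default" if it is not set.
sshd_effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')          # keywords are case-insensitive
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)                  # accepts "Key value" and "Key=value"
            kw = tolower(f[1])
        }
        kw == "match" { in_match = 1; next }           # a conditional block starts here
        in_match { next }                              # ...and runs to the next Match or EOF
        kw == want {
            sub(/^[^ \t=]+[ \t=]+/, "", line)          # strip the keyword and separator
            print line
            found = 1
            exit                                       # first occurrence wins, like sshd
        }
        END { if (!found) print "default" }
    ' "$2"
}

# Constructed sample (not a real server file): the three directives from the
# post, plus a key-only "hardening" line someone appended after a Match block.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Package defaults
PermitRootLogin prohibit-password
#PasswordAuthentication no
MaxAuthTries 10
PasswordAuthentication yes

Match User backup
    PasswordAuthentication no

# Appended later, intending to switch the whole server to key-only login:
PasswordAuthentication no
EOF

# Report what sshd would actually use for each directive the post edits.
# The appended line changes nothing: PasswordAuthentication stays "yes".
for key in PermitRootLogin MaxAuthTries PasswordAuthentication; do
    printf '%-24s %s\n' "$key" "$(sshd_effective "$key" "$SAMPLE_CONF")"
done
```

To audit the real file, run `sshd_effective PasswordAuthentication /etc/ssh/sshd_config` and compare with `sudo sshd -T | grep -i passwordauthentication`.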

Step 7: Install Linux KVM

Install the virtual machine server, virtual machine manager, bridge networking and dependencies:

$ sudo apt-get update

$ sudo apt-get install qemu-kvm-spice libvirt-bin bridge-utils virt-manager

You can run the GUI Virtual Machine Manager from the “System Tool” menu or with the command:

$ virt-manager

Step 8: Setup Bridge Networking

Bridge networking lets your virtual machine servers share the same network connection as the host server (the baremetal hypervisor) and see each other on the same network.

Examine all the available network interfaces you have and their names and MAC address:

$ sudo ifconfig -a

The names of the network interfaces may be something like: eth0 or ens0 for one network NIC; eth1 or ens1 for a second network NIC

Configure bridge networking: (works for Ubuntu 16 LTS and earlier)

$ sudo apt-get install bridge-utils

$ sudo nano /etc/network/interfaces

Note: Read these instructions for bridge networking on Ubuntu 18 LTS and later.

Edit the file to look something like this with your preferred options: (for Ubuntu 16 LTS and earlier)

auto lo
iface lo inet loopback

# Primary network interface
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    post-up ip link set br0 address 00:50:79:f0:ab:a8

# Secondary network interface
# If you have other network interfaces, you can add them below and follow the
# template above, but change the interface name, bridge name and MAC address,
# ie. eth1 and br1 instead, and the corresponding MAC address as shown with the
# “ifconfig -a” command.
# Here is an example of a static IP configuration
auto eth1
iface eth1 inet manual

auto br1
iface br1 inet static
    address 192.168.2.10
    netmask 255.255.255.0
    gateway 192.168.2.1
    bridge_ports eth1
    bridge_stp off
    bridge_maxwait 0
    post-up ip link set br1 address 00:50:79:f0:ab:a7

Press Ctrl-O to save, Ctrl-X to exit.

Restart the networking service with the command:

$ sudo systemctl restart networking

* You may need to restart the server if the above step doesn’t work

Now you can start creating guest Virtual Machines (VM’s) and install OSCAR!

Read Next: Install OSCAR

Other Commands:

Logging out:

$ exit

Shutting down the server:

$ sudo shutdown -P now

Restarting the server:

$ sudo shutdown -r now

Show network route (including metric):

$ sudo route -n

Other Optional Installation:
  • terminator
  • fail2ban
  • google-chrome-stable
  • gnome-system-monitor
  • gedit
  • ifmetric

Choosing Server Hardware

Server specifications for electronic medical record system

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

This is a difficult topic to write about when giving you advice on what kind of server you will need to get without knowing your specific current needs and future needs. It also depends on your risk tolerance for failure and how much you want to spend. However, here are some points for discussion.

If you are thinking of running other server applications (such as Windows Server, firewall appliances, virtual desktop environments etc), consider getting a bigger server with more CPU and RAM, and then use virtualization (read Hypervisor Server) to save yourself from buying a separate hardware server for each type of server.

There are people who have installed OSCAR on a $50 Raspberry Pi computer (although we would not recommend this). There is a physician who runs his 2-doctor clinic on a re-purposed Mac Mini (running Parallels). Some physicians may try to install OSCAR on a Windows OS or on an Ubuntu Desktop computer and keep that running all the time. You can even use a good quality desktop computer (with a CPU that supports virtualization) to run a server. All this is possible, however, it may not fit your specific circumstance.

Some examples for server hardware:
Server for OSCAR EMR with 40 providers:
  • Dell PowerEdge Server
  • Dual CPU Xeon processors
  • iDRAC SSD PERC RAID controller for hard drives
  • 72 GB ECC (error-correcting) RAM
  • Dual power supply
  • Dual NIC (network interfaces)
Server for 10 providers:
  • HP Proliant Server
  • Single CPU Xeon processor
  • HPE Dynamic Smart Array B120i RAID controller for hard drives
  • 32 GB ECC RAM
  • Single power supply (but a spare one on hand in case it needs to be replaced quickly)
  • Dual NIC
Server for 2 providers:
  • Mac Mini

Some General Advice on Picking a Server

  • Choose a CPU that has virtualization hardware features (Intel VT-x or AMD-V)
  • Use error-correcting memory (ECC RAM). Get as much RAM as you can afford and need.
  • Use a RAID controller (hardware is preferable, but you can also use Linux software RAID)
  • Buy at least 2 hard drives and RAID them to protect against data loss from hard drive failure. Consider using enterprise grade hard drives such as SAS drives (instead of regular SATA drives). Besides the traditional mechanical drives (SAS or SATA), consider using SSDs if you want even faster server performance.
  • Have a backup power supply unit (either a built-in redundant power supply or a spare one on hand you can install quickly)
  • Dual ethernet NIC (or you can buy a separate network card or a multi-NIC network card to install in the expansion slots)

* Keep in mind that OSCAR will run decently on a regular desktop computer (any CPU) with 2-4 GB of RAM, and 50 GB of hard drive space.

Read Next: Hypervisor Host Server

Network Firewall

Setting up the network firewall

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

The network firewall is the most important piece of your router. It acts as a gateway to protect your clinic from outside bad actors that try to infiltrate your network infrastructure and do damage. Although the firewall is not the only thing that protects you, it is an important piece of the overall security practice. The firewall essentially blocks outside requests to enter the office network, and only allows “authorized connections”. However, anything inside the network can request access to something outside the network (ie. a webpage), and then that connection can be considered an “authorized connection”. Even with the best firewall, social engineering techniques can trick you and your staff into allowing malware to infiltrate your system. Therefore, safe security practices include not only hardware and software, but also policies and procedures that are adhered to, and adequate training of all your computer users.

Depending on what kind of firewall you use (whether built-in to the router, or a separate appliance), it can go from simple to very complicated to setup and manage. There are probably manuals written on how to set up a firewall. Ask your IT person, computer-savvy friend, or Google for how to do it properly.

Here are some settings you should consider configuring:
  • Turn on Stateful Packet Inspection (SPI)
  • Disable external SSH management of the router
  • Disable external web management of the router
  • Disable external telnet management of the router
  • Disable WPS
  • Disable UPnP
  • Block anonymous WAN requests (ping)
  • Block WAN SNMP access
  • Block all ports (by default) from accessing the network from the outside, and only enable the ones you want and know should be allowed to enter without being requested from inside the network. Only open the ports when you need them, for specific applications within your clinic.
  • “Open ports” and use “port forwarding” to redirect external access requests to the internal IP address of your device/server application:
    • 80: if you have a webserver that serves web pages
    • 443: if you have an SSL encrypted webserver
    • 8443 (or whatever port you want): if you plan on using this for your OSCAR server
    • 1194: OpenVPN server
    • 25, 143, 587, 993, 995: if you have an email server
  • You do NOT need to open ports if all you want to do is surf the web.

Read Next: Choosing Server Hardware

Setting up the Router

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

The Router is the most important piece of your network infrastructure in terms of security. Choose a proper router with all the features you need before buying one. Once you have acquired a commercial-grade router, read the following guide in preparing it for your office IT system.

The physical connections

Connect the Internet modem to the WAN port of your router with a network cable. Connect any of the LAN ports of the router to one of the ports on the network switch. Connect your computers to the network switch (via the patch bay or directly).

Setup the WAN Connection

Log in to your router (and change the default administrator password immediately).

Head over to the WAN connection setup section, and configure your Internet connection (either PPPoE, static IP, or DHCP) with the parameters that your Internet provider gave you. You may need to ask your Internet provider to enable “bridge connection mode” for the Internet modem. Most of the time this is not necessary, as basic Internet services usually allow for 2 non-static IP addresses (in case your modem asks for one IP, and your router asks for another IP).

DHCP Server

The router will most often also be your network’s DHCP server. This allows you to plug in computers to the network and be given an IP address so it can see other computers on the network and also access the Internet.

You may want to change the IP address and subnet of your office network so it is on a different subnet than your home. This makes a difference later if you connect via VPN. For example, if your home IP is 192.168.1.1, then change the office router IP to be 192.168.2.1 (the second-last number determines the subnet, the last number is the number assigned to the router or computer). Be sure that your subnet mask corresponds to the way you chose the IP address of the router (you may need to use a subnet calculator). In general, if you use the pattern 192.168.x.x, then your subnet mask can be 255.255.255.0 (which gives you 254 available IP numbers to assign to computers/devices on your network). Save and restart the router.

The DHCP server is usually enabled by default. Edit the following settings:

  • DHCP Server: Enabled
  • Start IP Address: 192.168.2.200 (start at a higher number to reserve the lower numbers for devices/computers that you want fixed IP addresses for easier management)
  • Maximum DHCP Users: 50 (or whatever maximum number of dynamically assigned IP addresses allowed, including wifi devices)
  • Static DNS: 208.67.222.123, 208.67.220.123 (for OpenDNS which filters/protects your users) or 8.8.8.8, 8.8.4.4 (for Google if reliability is a concern)
  • Forced DNS Redirection: YES (if you don’t want users to bypass your chosen DNS server)

Go through the settings for any other tweaks you may wish to do, such as setting the Time Zone.

Setting Static Leases

On the router admin panel, go to the section for assigning static IP numbers to devices on your network. We recommend going through the pain of keeping track of all the authorized devices that are allowed on your network and assigning each a static IP. Keep a document containing the device name, MAC address, and IP for all your computers and devices. This allows you to easily manage port forwarding, filter IP addresses for access control, QoS, remote management and other features. If the IP address keeps changing (when one device bumps off another), it is harder to identify where the computer or device is on the network. This also allows you to identify unauthorized devices that may have joined your Wifi network or plugged in to a vacant network wall jack.

Consider thinking ahead, and grouping your devices and computers into IP ranges (for easier identification and organization). Leave number range space for future additions to that group. For example, reserve 1-20 for network infrastructure, 21-50 for servers, 51-100 for peripherals, 101-200 for computers, 200-254 for all other devices (DHCP served IP addresses, such as Wifi guests).

Enter in the MAC address, hostname, and give a fixed IP address (that is a lower number than your “Start IP Address” that you set previously) for all devices:

Example:

MAC Address         Hostname         IP Address     Client Lease Time
00:24:01:e7:61:1b   Clinic-server    192.168.2.10
00:22:b0:68:97:34   Network-switch   192.168.2.12
3f:34:30:f8:bc:12   Printer          192.168.2.20
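The inventory above (and the VM MAC address the Install OSCAR article tells you to write down) is only useful if you compare it with what is actually on the wire. This POSIX shell script is an added example, not part of the original post: unknown_devices is a hypothetical helper that reads an inventory in the table format above together with the output of `ip -4 neigh show` on the server, and reports MACs that are not in the inventory as well as known devices seen on an IP other than their lease. The inventory file and neighbour lines it runs against are constructed here, including the unlisted MAC a4:5e:60:12:34:56.

```shell
#!/bin/sh
# Added example, not from the original post: compare the neighbour table the
# server currently sees against the authorised-device list kept for the
# router's static leases. Anything on the wire that is not in the list, or a
# known device that shows up on an IP other than its assigned one, is printed.
# On the host, run it against live data with:
#   ip -4 neigh show > /tmp/neigh.txt && unknown_devices devices.txt /tmp/neigh.txt

# unknown_devices INVENTORY_FILE NEIGH_FILE
#   INVENTORY_FILE: "<mac> <hostname> <ip>" per line, "#" comments allowed
#   NEIGH_FILE:     output of "ip -4 neigh show"
# Prints one line per finding (UNKNOWN or MISMATCH); exit status 1 if any.
unknown_devices() {
    awk '
        inv {                                          # first file: the inventory
            if ($0 ~ /^[ \t]*#/ || NF < 3) next
            mac = tolower($1); ip_of[mac] = $3; name[mac] = $2
            next
        }
        {                                              # second file: ip -4 neigh show
            ip = $1; mac = ""
            for (i = 2; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next                        # FAILED/INCOMPLETE entries carry no MAC
            if (!(mac in ip_of)) {
                printf "UNKNOWN  %s at %s\n", mac, ip; bad++; next
            }
            if (ip_of[mac] != ip) {
                printf "MISMATCH %s (%s) at %s, lease says %s\n", mac, name[mac], ip, ip_of[mac]
                bad++
            }
        }
        END { exit (bad > 0) }
    ' inv=1 "$1" inv=0 "$2"
}

# Constructed sample inventory: the same three entries as the lease table above.
INVENTORY=$(mktemp)
cat > "$INVENTORY" <<'EOF'
# mac                hostname         ip
00:24:01:e7:61:1b    Clinic-server    192.168.2.10
00:22:b0:68:97:34    Network-switch   192.168.2.12
3f:34:30:f8:bc:12    Printer          192.168.2.20
EOF

# Constructed "ip -4 neigh show" output: the switch reported in upper case,
# the printer on a DHCP address instead of its lease, one device nobody
# registered, and one entry the kernel could not resolve.
NEIGH=$(mktemp)
cat > "$NEIGH" <<'EOF'
192.168.2.10 dev br0 lladdr 00:24:01:e7:61:1b REACHABLE
192.168.2.12 dev br0 lladdr 00:22:B0:68:97:34 STALE
192.168.2.205 dev br0 lladdr 3f:34:30:f8:bc:12 REACHABLE
192.168.2.231 dev br0 lladdr a4:5e:60:12:34:56 REACHABLE
192.168.2.99 dev br0 FAILED
EOF

# Expected findings: the printer MISMATCH and the UNKNOWN a4:5e:60:12:34:56.
unknown_devices "$INVENTORY" "$NEIGH" || echo "review the findings above"
```

A cron job that runs this daily and mails any non-empty output is a cheap way to notice a device that joined the Wifi or a vacant wall jack.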

Using Wireless Access?

There are some security issues if you choose to use Wifi access in your office. Consider turning off the Wifi access on your router until you have considered the issues and decided on a type of access that works for your needs. Read the article on Wifi Access Points for more information.

Read Next: Network Firewall

Network Infrastructure

The wiring in your office and the network hub

[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]

A secure and easily managed office IT system begins with good planning and wiring of your network infrastructure.

Identify all the rooms and exact wall locations of where you might need a computer, printer, scanner, phone, wifi access point, video camera etc. and install CAT5e or CAT6 network jacks (at least 2 jacks, also called RJ45, for each location). Run the network wires from each location back to the “Hub”, a central locked location (ie. a room, or a closet) where the cables will terminate.

What is in the “Hub”?

The “Hub” is where all the network cables will feed in to a patch bay. The Hub will be a locked room or closet so it can remain secure. This area should NOT be accessible by anyone except you or trusted individuals. It should also be large enough to accommodate all your main infrastructure equipment such as:

  • patch panel where all the network cables terminate
  • network switches
  • Internet connection: ask Rogers or Bell to terminate the cable or fiber optic in the “Hub”
  • modem (for Internet connection)
  • the router
  • telephone lines (if you use a landline instead of VoIP)
  • server(s): you may want to separate the server from the other equipment if you like added security
  • monitor and keyboard
  • network attached storage devices (NAS)
  • smart thermostat controller
  • security system digital video recorder (DVR)

Why have a central “Hub”?

IT security starts with physical security. The “Hub” allows you to lock down all the essential equipment so it is hard for someone to steal it or tamper with it. This also makes it easier to manage everything when it is physically close together. You can easily make changes and switch connections from the patch bay. It makes no sense to have a highly secure EMR when your server is out in the open at the reception desk where patients and staff walk around. If you have various third-party technicians (ie. the phone guy) that need access to parts of the “Hub”, you can add another layer of security by further segregating and locking away the server within the “Hub” area from the other hardware that needs frequent access for maintenance.

What can I do with the “Hub”?

The Patch Panel

You can use the patch bay to easily connect or switch around what you want each network jack to be connected to, without needing to rewire the whole office. Notice we did not mention installing telephone jacks (RJ11). This is because you can use the same RJ45 jack to plug in a traditional telephone RJ11 plug (it will fit), or use the newer VoIP telephones (much more versatile). What you connect the corresponding jack on the patch panel to determines what the wall plug is used for. For IP computer networks, use a short patch cable to connect the patch panel jacks into a network switch. For traditional land line phones, use a custom crimped cable that connects the corresponding twisted pair wires to a telephone demarcation panel (connect with a punch down tool) or a VoIP gateway.

The Network Switch

There may be multiple gigabit switches, but you can start with one large 24-port gigabit switch. The switch will be the backbone of your network, connecting all the computers, servers, and peripherals together. You can organize your network into various group topologies for added security. For example, you can segregate parts of your network from other parts with VLANs.

The Router

This piece of equipment is central to your network infrastructure. The router protects your network from the Internet. The Internet provider connects their wires to a modem (usually provided by the Internet provider), and the modem should connect to the WAN port of the router. Nothing else should be connected to the modem. The wireless features on the modem should be turned off (if you need wireless, enable it from within your network, ie. the router or a separate Wifi access point). Do not use a regular home router that you can buy from the local computer store or online. It may not have all the features that you may need to protect your clinic.

Use a business router with commercial-grade features such as:
  • firewall: stateful packet inspection, ability to block WAN requests, limit types of access (SSH, Telnet), filter capabilities
  • consider using a unified threat management gateway (UTM)
  • port management: port forwarding (single or range), port triggering
  • wifi access point (with WPA2 encryption, or RADIUS server)
  • MAC filtering
  • VLAN
  • dual WAN port, with keep-alive function
  • WAN access restrictions by IP, MAC, schedule
  • VPN server
  • quality of service (QoS) features
Some examples of commercial-grade routers:
  • Juniper routers (high-end)
  • Cisco RV Series Routers
  • Ubiquiti Networks UniFi Security Gateway
  • Sophos XG Series Firewall Appliances
  • OpenWrt or dd-wrt (flash a home router and upgrade it to commercial features)
  • pfSense (open source appliance that you need to know how to install on hardware or virtual machine)

Read Next: Setting Up the Router

Self-host OSCAR

Self-Host an Open Source Electronic Medical Record (EMR) System

How to set up an open source electronic medical record system such as OSCAR

Running a clinic takes more than just practicing your profession. You need an office system in place that is efficient, cost-effective, functional, and just makes your life more enjoyable to practice. If you are able to hire someone to manage this for you, great! If you value freedom, privacy, security, community support, and saving money… then keep reading and stay tuned! If you value these things and still want us to help you achieve your aims, please contact us!

In the following on-going posts, we will reveal some possible “Best Practices” when setting up a medical office IT system. There is probably room for improvement, as Best Practices always need updating, so these are really our own opinions of how we think a safe health care IT system should be designed in the office setting.

Start reading: Network Infrastructure

(Original post at https://oscarON.ca/self-host)