Security

DHIS2 takes security seriously. We are continuously improving our software and processes to minimize the risk to users and their data

    Security features & best practices

    The fact that DHIS2 is commonly used to capture and analyze health information means that issues of data security and privacy are of paramount importance. The data collected within DHIS2 need to be available to those who have the need and appropriate authority to access it — such as healthcare providers or program managers within a given health system — and secured against unauthorized access by others. In addition to striving to make the software itself as secure as possible, DHIS2 offers a selection of customizable security and privacy features, including user management, encryption, and more. For best practices on configuration and implementation, please review the DHIS2 Documentation.

    You can also watch Feature Spotlight videos of security features from recent DHIS2 releases below, and visit our Software Overview page to explore features included in each version release, and the Android Overview page for information about privacy and security related to data collection on mobile devices with the DHIS2 Android App.

    Reporting a vulnerability

    DHIS2 has a dedicated security team focused on maintaining the integrity of the DHIS2 software. If you discover what you believe to be a vulnerability in DHIS2 then we want to hear from you. Please follow the instructions below to ensure that your issue is properly attended to and that other users are not unnecessarily exposed to risk.

    • DO NOT report the issue on the public mailing lists
    • DO NOT report the issue through the Jira system
    • DO report the issue by sending an email to the DHIS2 security team security@dhis2.org

    Your email should contain as much as possible of the following information:

    • DHIS2 version:
    • DHIS2 build number:
    • Description of the issue:
    • Why do you consider it a security vulnerability:
    • Steps to reproduce:
    • Do you want to be accredited: YES/NO

    What happens next?

    A member of the security team will respond acknowledging your email, typically within 24 hours. An issue will then be created on a private section of our issue tracker, where the security team and developers will assess the severity of the report. They will contact you with their severity assessment and an estimate of how and when the vulnerability will be addressed. If you have indicated that you wish to be accredited, your contribution will be acknowledged in the next release.

    Public disclosure

    The security team is committed to making a public disclosure of security issues in a responsible manner. This implies that an issue may be embargoed for some time while a fix or workaround is created. If you are involved in the administration of DHIS2 servers you are advised to join the DHIS2 system administrators group. From time to time security announcements will be made to this group prior to being made more widely available.

    Supported Versions

    When a vulnerability in DHIS2 is discovered and fixed, every effort is made to backport the fix, but it is not possible to provide continuous support for all versions. We aim to provide security support for at least the 3 most recent major released versions. Versions older than that might be vulnerable and we advise you keep your implementation up to date.

    Who is the Security Team?

    The security team is a multi-disciplinary team of the HISP project at the University of Oslo, including DHIS2 core developers. You can contact the team at: security@dhis2.org