OpenMRS Security Assessment 1
(Added background) |
m (Corrected the time estimate) |
||
Line 9: | Line 9: | ||
|'''Prerequisite Knowledge''' || Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. | |'''Prerequisite Knowledge''' || Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. | ||
|- | |- | ||
− | |'''Estimated Time to Completion''' || | + | |'''Estimated Time to Completion''' ||10 hours |
|- | |- | ||
|'''Learning Objectives''' || | |'''Learning Objectives''' || | ||
Line 25: | Line 25: | ||
|'''Turn In''' || 3–5 page paper establishing the context, assets and existing security controls for OpenMRS based on a review of the documentation. | |'''Turn In''' || 3–5 page paper establishing the context, assets and existing security controls for OpenMRS based on a review of the documentation. | ||
|} | |} | ||
− | |||
=== Background: === | === Background: === |
Revision as of 18:45, 17 August 2015
Contents |
Preparation:
Description | Help students gather information from the OpenMRS community in preparation for a security assessment. |
Source | Steven P. Crain |
Prerequisite Knowledge | Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. |
Estimated Time to Completion | 10 hours |
Learning Objectives |
|
Materials/Environment | |
Rights | This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. |
Turn In | 3–5 page paper establishing the context, assets and existing security controls for OpenMRS based on a review of the documentation. |
Background:
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
Before beginning this assignment, students should be familiar with the material in a computer security textbook on risk assessment. We used Stallings and Brown, Computer Security: Principles and Practice, 3rd ed., Prentice Hall, 2015, chapter 14.
This assignment deals with the first stage of a security assessment, where we identify what the scope of the assessment will be, identify important stakeholders, identify key assets and review existing documentation.
Directions:
This assignment is the first in a series of risk assessment assignments for OpenMRS. You will be analyzing the documentation of this open source project in order to prepare for the following assignments. You are encouraged to complete this assignment with a partner. Teams of of 1–3 students are acceptable.
For this assignment, you will be creating a well-written (10 pts) risk assessment document. The directions below direct you to explore a number of different questions. You are expected to directly address each of these questions in your document, with references to specific pages and resources at OpenMRS. Remember to include the names of all group members in the document.
Risk Exposure (10 pts)
Using the OpenMRS website determine what kinds of organizations use the OpenMRS product. How likely are these kinds of organizations to be specifically targeted? If the product were used more extensively in the United States, how would that change the risk exposure?
Risk Appetite (10 pts)
Listen to the discussion on security in the Dec. 4, 2014 Developers' Talk. (This link works fine on Windows computers, but did not work on a Linux computer, so you may need to hunt for a machine where you can watch it. I did not find that the screencast version added much over the audio-only version.) Pay special attention to the questions and answers portion that starts at about 35 minutes into the recording. What is the typical attitude that users of OpenMRS have towards security risk?
Risk Assessment Boundary (20 pts)
We will be limiting our risk assessment to the OpenMRS database (database layer), API (service layer) and reference Webapp. Read the introductory documentation and describe this risk assessment boundary in more detail in your document. You should use at least 4 paragraphs for this section of your document, an initial paragraph that describes the boundary at a relatively high level and then a paragraph for each of the main components in the boundary (database, API and Webapp). Optionally, you may include an extra module in your boundary for extra credit.
Assets (20 pts)
Based on the Developers' Talk and searches in the OpenMRS documentation, identify the important assets of an OpenMRS installation. Remember to include anything that is critical for the operations of an organization using OpenMRS and also anything that would be useful to an attacker. The Implementer Guide is fairly dense, but contains significant information about assets.
Remember to include hardware assets, data assets, functionality assets, communication assets and human assets, unless any of these categories is insignificant for OpenMRS users.
For each asset, identify how detrimental it would be to the organization if it were compromised or made unusable.
Existing Controls (20 pts)
Search the OpenMRS documentation for information about the existing security controls and plans for enhancement. In your document, state how you searched for this information and summarize what you found out.
Make a list of questions that you would like answered, based on the Developer's Talk you listened to and the other documentation you have read. The questions can be related to who uses the product, reported threats, architecture, existing controls, or anything else you might need to complete the security risk assessment in later assignments. You should have at least 3 questions.
Executive Summary (10 pts)
Add an executive summary at the start of the document. It should provide the main findings of your risk assessment so far in non-technical language. Executive summaries are a critical part of any business document, because the top executives of a company want to get the important facts quickly without reading a long report.
Collaboration
You may work in groups of 1 to 3 students, but 2 students is recommended. I recommend that you divide the work. For this assignment, you may talk to other students for help accessing the resources needed to complete the assignment, but you should not discuss the details of your assessment.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License