OpenMRS Security Assessment 5
Latest revision as of 11:17, 8 September 2018

| Title | OpenMRS Security Assessment 5 |
|---|---|
| Overview | Controls and Design in OpenMRS |
| Prerequisites | Students must know commonly used mechanisms for defending against threats. They also need to know security design principles and be ready to apply them to assess a real-world project. |
| Learning Objectives | After successfully completing this activity, the learner should be able to: (1) search through a project for evidence of controls that defend against specific threats; (2) evaluate the effectiveness of existing controls; (3) make recommendations for new controls; (4) apply design principles to assess project security. |
| Process Skills Practiced | |
Background
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will investigate what existing controls OpenMRS has that would defend against specific threats. They will also use the security design principles to assess how design decisions made when developing OpenMRS affect security.
Directions
This project is a large, team-based project with several parts.
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template C, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Sort the threats you identified in the previous assignment according to the level of risk.
- Evaluate OpenMRS's preparedness for the 7-10 threats with the greatest risk. Certainly assess every threat that presents extreme risk.
- For each threat that you assess, start by searching the OpenMRS documentation for any reference to the threat. Next, brainstorm as a group the ways that you could protect against this kind of threat. During this process, it may be helpful to search the textbook and the Web for suggestions. (Keep notes so that you can reference relevant pages in OpenMRS, the textbook or the Web in your report.) Finally, search the application and source code for evidence that OpenMRS attempts to defend against this threat.
- Determine what changes OpenMRS should make to reduce the risk of the threat. These changes can reduce the likelihood of a successful attack or reduce the cost if an attack is successful.
- Document the controls that you found and your recommendations using the format in the template.
You are aiming for 40 points in this part of the assignment. Depending on how many threats you assessed and what you wrote about it, you can also assess how well OpenMRS is designed based on the security design principles. Remember to focus on your specific aspect of the security assessment. You need to explain clearly to someone who does not know much about computer security what the design principle means in this specific context. (For example, what does complete mediation mean for confidentiality in the database?) Then assess how well OpenMRS adheres to the principle, and assign a letter grade to OpenMRS.
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.
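The directions ask you to explain a design principle in the concrete context of OpenMRS, using complete mediation for database confidentiality as the example. The following Python model, added here as an illustration and not taken from OpenMRS or this assignment's template, contrasts a store that checks a privilege once per session with one that re-checks the caller's current privileges against the specific record on every read. The patient records, the `VIEW_PATIENTS` privilege name and the `assignments` map are constructed for the example; they do not reflect OpenMRS's actual privilege model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class AccessDenied(Exception):
    """Raised when a read is refused by the access check."""


@dataclass
class User:
    name: str
    privileges: Set[str] = field(default_factory=set)


# Constructed sample records (not real data), keyed by patient id.
RECORDS: Dict[int, Dict[str, str]] = {
    101: {"name": "Patient A", "diagnosis": "hypertension"},
    102: {"name": "Patient B", "diagnosis": "diabetes"},
}

# Constructed privilege name; OpenMRS's real privilege model is not modelled here.
VIEW_PRIV = "VIEW_PATIENTS"


class UnmediatedStore:
    """Checks the privilege once when a session opens and caches the answer.
    Later reads trust that cached decision, so a privilege revoked during the
    session is never noticed, and reads are not scoped to particular patients."""

    def __init__(self) -> None:
        self._allowed_sessions: Set[str] = set()

    def open_session(self, user: User) -> str:
        if VIEW_PRIV in user.privileges:
            self._allowed_sessions.add(user.name)
        return user.name  # the session token is simply the user name here

    def read(self, session: str, patient_id: int) -> Dict[str, str]:
        if session not in self._allowed_sessions:
            raise AccessDenied(session)
        return RECORDS[patient_id]


class MediatedStore:
    """Complete mediation: every read passes through one checkpoint that
    re-evaluates the caller's current privileges against the specific record
    requested, and logs the decision for audit."""

    def __init__(self, assignments: Dict[str, Set[int]]) -> None:
        self._assignments = assignments  # which patients each user may see
        self.audit: List[str] = []

    def read(self, user: User, patient_id: int) -> Dict[str, str]:
        allowed = (VIEW_PRIV in user.privileges
                   and patient_id in self._assignments.get(user.name, set()))
        self.audit.append(f"{user.name} read patient {patient_id}: "
                          f"{'ALLOW' if allowed else 'DENY'}")
        if not allowed:
            raise AccessDenied(f"{user.name} -> patient {patient_id}")
        return RECORDS[patient_id]


def _attempt(read) -> str:
    """Run one read and report whether the store allowed or denied it."""
    try:
        read()
        return "allowed"
    except AccessDenied:
        return "denied"


def compare_designs() -> Dict[str, object]:
    """Run the same sequence against both designs: read an assigned patient,
    read an unassigned one, revoke the privilege, read the assigned one again."""
    assignments = {"nurse": {101}}
    results: Dict[str, object] = {}

    nurse = User("nurse", {VIEW_PRIV})
    unmediated = UnmediatedStore()
    session = unmediated.open_session(nurse)
    results["unmediated_assigned"] = _attempt(lambda: unmediated.read(session, 101))
    results["unmediated_unassigned"] = _attempt(lambda: unmediated.read(session, 102))
    nurse.privileges.discard(VIEW_PRIV)  # privilege revoked mid-session
    results["unmediated_after_revoke"] = _attempt(lambda: unmediated.read(session, 101))

    nurse = User("nurse", {VIEW_PRIV})
    mediated = MediatedStore(assignments)
    results["mediated_assigned"] = _attempt(lambda: mediated.read(nurse, 101))
    results["mediated_unassigned"] = _attempt(lambda: mediated.read(nurse, 102))
    nurse.privileges.discard(VIEW_PRIV)
    results["mediated_after_revoke"] = _attempt(lambda: mediated.read(nurse, 101))
    results["audit"] = list(mediated.audit)
    return results


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(f"{key}: {value}")
```

When you search the OpenMRS source for evidence of this principle, the question to answer is which of these two shapes its data access follows: is there a single point that every read of patient data must pass through, and does that point consult the current privileges and the specific record, or is authorization decided once and remembered? The audit list in the mediated store also shows why a single checkpoint is the natural place to record who accessed which record, which matters for the detection side of a HIPAA assessment.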
Deliverables
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
Assessment
The instructor will grade the report after the full assessment is completed.
The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.
The instructor should provide time in the classroom to discuss the assessment as it progresses.
Comments
Additional Information
| ACM BoK Area & Unit(s) | IAS/Threats and Attacks |
|---|---|
| ACM BoK Topic(s) | Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, cyberwarfare, insider threats, hacktivism, advanced persistent threats) |
| Difficulty | challenging |
| Estimated Time to Complete | 25 hours |
| Environment / Materials | The instructor needs a template page for this specific assignment, OpenMRS Security Assessment Wiki Assessment Template C. |
| Author(s) | Steven P. Crain |
| Source | N/A |
| License | This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License |
Suggestions for Open Source Community:
- Suggestions for an open source community member who is working in conjunction with the instructor.