OpenMRS Security Assessment
Latest revision as of 11:22, 8 September 2018
| Title | OpenMRS Security Assessment |
|---|---|
| Overview | This is a series of assignments that walk a computer security class through the process of conducting a security assessment of OpenMRS. |
| Prerequisites | What topics and tools does the student need to know prior to beginning this module? |
| Learning Objectives | After successfully completing this activity, the learner should be able to: What should the student be able to do after completing this module? |
| Process Skills Practiced | What process skills will the student practice while completing this module? |
OpenMRS Security Assessment
OpenMRS is an open-source medical record management system. It is widely deployed, particularly in low- and middle-income countries, but requires work to make it compatible with the Department of Health and Human Services privacy and security regulations (http://www.hhs.gov/ocr/privacy/index.html) issued under the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify the specific changes required to use OpenMRS in a HIPAA-compliant way in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
This is a series of assignments that walk a computer security class through the process of conducting a security assessment of OpenMRS.
Preparation
You will need a server that the class can use to test OpenMRS. Most OpenMRS installations run on Linux, so choosing Linux makes your assessment more directly relevant to typical deployments; choosing Windows or macOS could instead reveal vulnerabilities specific to those less-tested platforms. Install Tomcat and MySQL on the system. Provide logins for all of the students, and set permissions so that the students can deploy applications to Tomcat. (On my system, this was done by putting all of the students into a group and giving the group read-write-execute permission on Tomcat's webapps directory.) Keep in mind what that grants: Tomcat auto-deploys any WAR file dropped into webapps and runs it as the Tomcat service account, so every student in the group can execute arbitrary code on the server. Treat the machine as a disposable lab host: isolate it from campus and clinical networks, and never load it with real patient records.
About 3 weeks before beginning this assignment, select 2 students who will be responsible for setting up the OpenMRS system on the server. They should have some system administration experience and demonstrated problem-solving ability. One should have experience with Java development.
Assign these students to work together to install OpenMRS and the reference or legacy user interface on the server. They should keep careful records of what they do, especially noting any security issues they encounter. They often prefer to set up a Linux virtual machine on their own laptop, get OpenMRS working there, and then install it on the real server once they know what works.
These students should be excused from other assignments that the rest of the class is doing. Once the security assessment starts, they need to serve as a resource for the rest of the class. They should acknowledge problems that other students have within 12 hours, and either solve the problem or get help within 24 hours (using OpenMRS resources if the issue is with OpenMRS, or instructor resources if the issue is with server configuration). They will be graded on their ability to get OpenMRS installed and working, the documentation they produce, and their responsiveness in helping other students.
Group Selection
Groups need to be selected or assigned during stage 2 of the assignment (interview). Generally, I write the options on the board and let students self-select, with some shepherding to make sure we get good coverage of the assessment areas. More details are provided in OpenMRS Security Assessment 3.
Assignments
- OpenMRS Security Assessment 1 Gather documentation
- OpenMRS Security Assessment 2 Interview
- OpenMRS Security Assessment 3 Installation
- OpenMRS Security Assessment 3B Exploration, or Being productively lost
- OpenMRS Security Assessment 4 Identify assets and threats
- OpenMRS Security Assessment 5 Assess risks and design principles
- OpenMRS Security Assessment 6 Make recommendations and write final report
Additional Information
| ACM BoK Area & Unit(s) | What ACM Computing Curricula 2013 knowledge area and units are covered? |
|---|---|
| ACM BoK Topic(s) | What specific topics are addressed? |
| Difficulty | Is this module easy, medium, or hard? |
| Estimated Time to Complete | How long should a typical student take to complete the module? |
| Environment / Materials | What does the student need? (e.g. Internet access, IRC client, GitHub account, Linux machine, etc.) |
| Author(s) | Steven P. Crain |
| Source | Is there another module on which this module is based? If so, please provide a link to the original resource. |
| License | This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License |