OpenMRS Security Assessment 4
(One intermediate revision by one user not shown) | |||
Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | === Background | + | {{Learning Activity Overview |
+ | |title= | ||
+ | OpenMRS Security Assessment 4 | ||
+ | |overview= | ||
+ | Asset Identification in OpenMRS | ||
+ | |prerequisites= | ||
+ | Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset). | ||
+ | |objectives= | ||
+ | # Search through a project for use of identifiers. | ||
+ | # Practice thinking broadly about assets, not just information assets. | ||
+ | # Practice identifying and classifying threats. | ||
+ | |process skills= | ||
+ | }} | ||
+ | |||
+ | === Background === | ||
+ | |||
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.) | OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.) | ||
In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS. | In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS. | ||
− | === Directions | + | === Directions === |
This project is a large, team-based project with several parts. | This project is a large, team-based project with several parts. | ||
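Review bot: In the new Learning Activity Overview call, the "|process skills=" parameter is left empty, so the overview carries a "Process Skills Practiced" entry with nothing in it; fill it in or drop the parameter. In "|prerequisites=", "therefor" should be "therefore". Objectives 2 and 3 are written as tasks ("Practice thinking broadly about assets ...") rather than as outcomes, so consider rewording them as things the learner can do after the activity.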
Line 33: | Line 35: | ||
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase. | The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase. | ||
− | === Deliverables | + | === Deliverables === |
+ | |||
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project. | Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project. | ||
− | === Assessment | + | === Assessment === |
The instructor will grade the report after the full assessment is completed. | The instructor will grade the report after the full assessment is completed. | ||
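Review bot: The Deliverables sentence carried through this hunk asks for "a description of their project and discussion of the challenges they faced installing the OpenMRS project", which says nothing about the assets and threats that the Background states teams will identify in this assignment. While the section is being touched, reword the deliverable so it names the asset and threat listing.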
Line 47: | Line 50: | ||
− | === Comments | + | === Comments === |
=== Additional Information: === | === Additional Information: === | ||
− | {| | + | |
− | + | {{Learning Activity Info | |
− | + | |acm unit= | |
− | | | + | IAS/Threats and Attacks |
− | + | |acm topic= | |
+ | Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, | ||
cyberwarfare, insider threats, hacktivism, advanced persistent threats) | cyberwarfare, insider threats, hacktivism, advanced persistent threats) | ||
− | | | + | |difficulty= |
− | + | medium | |
− | | | + | |time= |
− | + | 20 hours | |
− | | | + | |environment= |
− | + | ||
# The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template B]]. | # The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template B]]. | ||
− | + | |author= | |
− | | | + | Steven P. Crain |
− | + | |source= | |
− | | | + | N/A |
− | + | |license= | |
− | | | + | {{License CC BY NC SA}} |
− | + | }} | |
− | + | ||
=== Suggestions for Open Source Community: === | === Suggestions for Open Source Community: === | ||
Suggestions for an open source community member who is working in conjunction with the instructor. | Suggestions for an open source community member who is working in conjunction with the instructor. | ||
− | + | [[Category:Learning Activity]] | |
− | + | [[Category:Privacy and Security]] | |
− | [ | + | [[Category:OpenMRS]] |
− | + | [[Category:Good Draft]] | |
− | [ | + | |
− | + | ||
− | [[Category: | + | |
− | [[Category: OpenMRS]] | + | |
− | [[Category: | + |
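Review bot: Under "|environment=", the list item "The instructor needs to a template page for this specific assignment" is missing its verb and is carried over unchanged into the Learning Activity Info template. Fix the sentence in the same edit (for instance "needs to create a template page", if that is the intent) so the converted block does not preserve the error.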
Latest revision as of 11:12, 8 September 2018
| Title | OpenMRS Security Assessment 4 |
|---|---|
| Overview | Asset Identification in OpenMRS |
| Prerequisites | Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefore is an asset). |
| Learning Objectives | After successfully completing this activity, the learner should be able to: 1. Search through a project for use of identifiers. 2. Practice thinking broadly about assets, not just information assets. 3. Practice identifying and classifying threats. |
| Process Skills Practiced | |
Background
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS.
Directions
This project is a large, team-based project with several parts.
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template B, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Identify all of the assets that are relevant to your team's portion of the assessment. In doing this, you should search the source code and application for anything that must be protected according to the HIPAA regulations. You should also search for other relevant aspects as mentioned in the template.
- For each asset, identify the threat agents who could violate the security of the asset.
- For each asset, brainstorm the threats against the agent. Keep focus: auth teams should focus on threats that attack or circumvent authentication or authorization; accounting teams should focus on threats that attack or circumvent accountability; and confidentiality teams should focus on threats that improperly access PHI.
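An added example, not part of the original activity or of OpenMRS: a first-pass search of source text for identifiers whose names suggest HIPAA-protected data, as the first step above asks. The category-to-keyword map, the file names and the sample sources are constructed assumptions; the hits are candidates for manual review, not a complete asset list.

```python
import re
from collections import defaultdict

# Subset of the HIPAA Safe Harbor identifier categories (45 CFR 164.514(b)(2)).
# The name fragments are assumptions for illustration; extend them per project.
PHI_HINTS = {
    "name": {"name", "surname"},
    "date": {"birthdate", "dob", "birth", "death"},
    "geographic": {"address", "city", "zip", "postal"},
    "contact": {"phone", "fax", "email"},
    "government id": {"ssn"},
    "record number": {"mrn", "identifier"},
}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
WORD = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")

def words(identifier):
    """Split camelCase / snake_case / ACRONYMs into lowercase words."""
    return [w.lower() for part in identifier.split("_") for w in WORD.findall(part)]

def scan(sources):
    """Map each category to sorted (path, line, identifier) candidate assets."""
    hits = defaultdict(set)
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for ident in IDENT.findall(line):
                found = set(words(ident))
                for category, hints in PHI_HINTS.items():
                    if found & hints:
                        hits[category].add((path, line_no, ident))
    return {category: sorted(v) for category, v in hits.items()}

# Constructed sample input (not OpenMRS code).
SAMPLE = {
    "PatientRecord.java": (
        "public class PatientRecord {\n"
        "    private String givenName;\n"
        "    private Date birthDate;\n"
        "    private String patientSSN;\n"
        "    private int visitCount;\n"
        "}\n"
    ),
    "schema.sql": "CREATE TABLE contact (postal_code VARCHAR(10), phone_number VARCHAR(20));\n",
}

if __name__ == "__main__":
    for category, found in scan(SAMPLE).items():
        for path, line_no, ident in found:
            print(f"{category:15} {path}:{line_no} {ident}")
```

Each hit still has to be judged by hand: a field named "name" may be a drug name rather than a patient name, and PHI stored in free-text columns will not show up in identifier names at all.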
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.
Deliverables
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
Assessment
The instructor will grade the report after the full assessment is completed.
The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.
The instructor should provide time in the classroom to discuss the assessment as it progresses.
Comments
Additional Information:
| ACM BoK Area & Unit(s) | IAS/Threats and Attacks |
|---|---|
| ACM BoK Topic(s) | Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, cyberwarfare, insider threats, hacktivism, advanced persistent threats) |
| Difficulty | medium |
| Estimated Time to Complete | 20 hours |
| Environment / Materials | |
| Author(s) | Steven P. Crain |
| Source | N/A |
| License | This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License |
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.