OpenMRS Security Assessment 4
m |
|||
Line 34: | Line 34: | ||
=== Deliverables: === | === Deliverables: === | ||
+ | Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project. | ||
=== Assessment: === | === Assessment: === | ||
− | |||
− | |||
− | |||
− | + | The instructor will grade the report after the full assessment is completed. | |
− | + | The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment. | |
− | + | ||
− | + | The instructor should provide time in the classroom to discuss the assessment as it progresses. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Comments: === | === Comments: === | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Additional Information: === | === Additional Information: === | ||
{| border="1" | {| border="1" | ||
|- | |- | ||
− | |'''ACM Knowledge Area/Knowledge Unit''' || | + | |'''ACM Knowledge Area/Knowledge Unit''' || IAS/Threats and Attacks |
|- | |- | ||
− | |'''ACM Topic''' || | + | |'''ACM Topic''' || Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, |
+ | cyberwarfare, insider threats, hacktivism, advanced persistent threats) | ||
|- | |- | ||
− | |'''Level of Difficulty''' || | + | |'''Level of Difficulty''' || Medium |
|- | |- | ||
|'''Estimated Time to Completion''' || 20 hours | |'''Estimated Time to Completion''' || 20 hours | ||
|- | |- | ||
|'''Materials/Environment''' || | |'''Materials/Environment''' || | ||
− | # The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template | + | # The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template B]]. |
− | + | ||
− | + | ||
|- | |- | ||
|'''Author''' || Steven P. Crain | |'''Author''' || Steven P. Crain |
Revision as of 23:01, 30 June 2016
Title | OpenMRS Security Assessment 4 |
Overview | Asset Identification in OpenMRS |
Prerequisite Knowledge | Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset). |
Learning Objectives |
|
Background:
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS.
Directions:
This project is a large, team-based project with several parts.
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template B, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Identify all of the assets that are relevant to your team's portion of the assessment. In doing this, you should search the source code and application for anything that must be protected according to the HIPAA regulations. You should also search for other relevant aspects as mentioned in the template.
- For each asset, identify the threat agents who could violate the security of the asset.
- For each asset, brainstorm the threats against the agent. Keep focus: auth teams should focus on threats that attack or circumvent authentication or authorization; accounting teams should focus on threats that attack or circumvent accountability and confidentiality teams should focus on threats that improperly access PHI.
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.
Deliverables:
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
Assessment:
The instructor will grade the report after the full assessment is completed.
The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.
The instructor should provide time in the classroom to discuss the assessment as it progresses.
Comments:
Additional Information:
ACM Knowledge Area/Knowledge Unit | IAS/Threats and Attacks |
ACM Topic | Attacker goals, capabilities, and motivations (such as underground economy, digital espionage,
cyberwarfare, insider threats, hacktivism, advanced persistent threats) |
Level of Difficulty | Medium |
Estimated Time to Completion | 20 hours |
Materials/Environment |
|
Author | Steven P. Crain |
Source | N/A |
License | This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. |
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License