OpenMRS Security Assessment
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
This is a series of assignments that walk a computer security class through the process of conducting a security assessment of OpenMRS.
You will need to have a server that the class can use to test OpenMRS. Most OpenMRS installations are on Linux, so selecting Linux will make your assessment more directly relevant to typical installations. However, selecting Windows or Mac could be valuable in revealing vulnerabilities specific to those lesser-tested operating systems. Install Tomcat and MySQL on the system. Provide logins for all of the students, and set permissions so that the students can deploy applications to Tomcat. (On my system, this was done by putting all of the students into a group, and giving the group read-write-execute permission on Tomcat's webapps directory.)
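The group-permission setup described above, as an added example that is not part of the original assignment page; the group name "openmrs-class" and the path /opt/tomcat/webapps are assumptions, and the setgid bit is added so that files students create stay owned by the shared group rather than each student's primary group:

```shell
#!/bin/sh
# Added example (not from the original page): give a class group shared
# write access to Tomcat's webapps directory so students can deploy.
# Assumed names: group "openmrs-class", directory /opt/tomcat/webapps.
# Note that anyone who can write to webapps can deploy code that runs under
# the Tomcat service account, so this belongs on the class test server only.

set -eu

# Apply group ownership and group rwx, with setgid on the directory so new
# files and subdirectories inherit the group automatically.
# Usage: share_webapps_dir <directory> <group>
share_webapps_dir() {
    dir="$1"
    group="$2"
    chgrp -R "$group" "$dir"
    chmod 2775 "$dir"        # rwxrwsr-x: owner/group rwx, setgid on the dir
    chmod -R g+rwX "$dir"    # existing contents become group-writable
}

# Print the octal mode and group of a directory, e.g. "2775 openmrs-class",
# so the result of share_webapps_dir can be checked after the fact.
describe_dir() {
    stat -c '%a %G' "$1"
}

# One-time root steps on the real server (left as comments here):
#   groupadd openmrs-class
#   usermod -aG openmrs-class alice      # repeat for each student login
#   share_webapps_dir /opt/tomcat/webapps openmrs-class
#   describe_dir /opt/tomcat/webapps     # expect "2775 openmrs-class"
```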
About 3 weeks before beginning this assignment, select 2 students who will be responsible for setting up the OpenMRS system on the server. They should have some system administration experience and demonstrated problem-solving ability. One should have experience with Java development.
Assign these students to work together to install OpenMRS and the reference or legacy user interface on the server. They should keep careful records of what they do, especially noting any security issues they encounter. They often prefer to set up a Linux virtual machine on their own laptop, get OpenMRS working there, and then install it on the real server once they know what works.
These students should be excused from other assignments that the rest of the class is doing. Once the security assessment starts, they need to serve as a resource for the rest of the class. They should acknowledge problems that other students have within 12 hours, and either solve the problem or get help within 24 hours (using OpenMRS resources if the issue is with OpenMRS, or instructor resources if the issue is with server configuration). They will be graded based on their ability to get OpenMRS installed and working, the documentation they produce, and their responsiveness in helping other students.
Groups need to be selected or assigned during stage 2 of the assignment (interview). Generally, I write the options on the board and let students self-select, with some shepherding to make sure we get good coverage of the assessment areas. More details are provided in OpenMRS Security Assessment 3.
- OpenMRS Security Assessment 1 Gather documentation
- OpenMRS Security Assessment 2 Interview
- OpenMRS Security Assessment 3 Installation
- OpenMRS Security Assessment 3B Exploration, or Being productively lost
- OpenMRS Security Assessment 4 Identify assets and threats
- OpenMRS Security Assessment 5 Assess risks and design principles
- OpenMRS Security Assessment 6 Make recommendations and write final report
This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License