OpenMRS Security Assessment 1
|Title||OpenMRS Security Assessment 1|
|Overview||Help students gather information from the OpenMRS community in preparation for a security assessment.|
|Prerequisite Knowledge||Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
Before beginning this assignment, students should be familiar with the material in a computer security textbook on risk assessment. We used Stallings and Brown, Computer Security: Principles and Practice, 3rd ed., Prentice Hall, 2015, chapter 14.
This assignment deals with the first stage of a security assessment, where we identify what the scope of the assessment will be, identify important stakeholders, identify key assets and review existing documentation.
This assignment is the first in a series of risk assessment assignments for OpenMRS. You will be analyzing the documentation of this open source project in order to prepare for the following assignments. You are encouraged to complete this assignment with a partner. Teams of 1–3 students are acceptable.
For this assignment, you will be creating a well-written (10 pts) risk assessment document. The directions below ask you to explore a number of different questions. You are expected to directly address each of these questions in your document, with references to specific pages and resources at OpenMRS. Remember to include the names of all group members in the document.
Risk Exposure (10 pts)
Using the OpenMRS website, determine what kinds of organizations use the OpenMRS product. How likely are these kinds of organizations to be specifically targeted? If the product were used more extensively in the United States, how would that change the risk exposure?
Risk Appetite (10 pts)
Listen to the discussion on security in the Dec. 4, 2014 Developers' Talk. (This link works fine on Windows computers, but did not work on a Linux computer, so you may need to hunt for a machine where you can watch it. I did not find that the screencast version added much over the audio-only version.) Pay special attention to the questions and answers portion that starts at about 35 minutes into the recording. What is the typical attitude that users of OpenMRS have towards security risk?
Risk Assessment Boundary (20 pts)
We will be limiting our risk assessment to the OpenMRS database (database layer), API (service layer) and reference application (Webapp). Read the introductory documentation and describe this risk assessment boundary in more detail in your document. You should use at least 4 paragraphs for this section of your document, an initial paragraph that describes the boundary at a relatively high level and then a paragraph for each of the main components in the boundary (database, API and reference app). Optionally, you may include an extra module in your boundary for extra credit.
Assets (20 pts)
Based on the Developers' Talk and searches in the OpenMRS documentation, identify the important assets of an OpenMRS installation. Remember to include anything that is critical for the operations of an organization using OpenMRS and also anything that would be useful to an attacker. The Implementer Guide is fairly dense, but contains significant information about assets.
Remember to include hardware assets, data assets, functionality assets, communication assets and human assets, unless any of these categories is insignificant for OpenMRS users.
For each asset, identify how detrimental it would be to the organization if it were compromised or made unusable.
Existing Controls (20 pts)
Search the OpenMRS documentation for information about the existing security controls and plans for enhancement. In your document, state how you searched for this information and summarize what you found out.
Make a list of questions that you would like answered, based on the Developers' Talk you listened to and the other documentation you have read. The questions can be related to who uses the product, reported threats, architecture, existing controls, or anything else you might need to complete the security risk assessment in later assignments. You should have at least 3 questions.
Executive Summary (10 pts)
Add an executive summary at the start of the document. It should provide the main findings of your risk assessment so far in non-technical language. Executive summaries are a critical part of any business document, because the top executives of a company want to get the important facts quickly without reading a long report.
You may work in groups of 1 to 3 students, but 2 students is recommended. I recommend that you divide the work. For this assignment, you may talk to other students for help accessing the resources needed to complete the assignment, but you should not discuss the details of your assessment.
3–5 page paper establishing the context, assets and existing security controls for OpenMRS based on a review of the documentation.
Grading on this assignment will depend on the role the assignment plays in the course. My course provides a broad introduction to computer security, so students are not expected to produce a polished, professional security assessment. A course focusing on security assessment could use this assignment as the main course deliverable, with much higher expectations.
|Criteria||Level 1 (fail)||Level 2 (pass)||Level 3 (good)||Level 4 (exceptional)|
|The purpose of the project|
|Why the project is open source|
What should the instructor know before using this activity?
What are some likely difficulties that an instructor may encounter using this activity?
|ACM Knowledge Area/Knowledge Unit||What ACM Computing Curricula 2013 knowledge area and units does this activity cover? ACM_Body_of_Knowledge|
|ACM Topic||What specific topics are addressed? The Computing Curricula 2013 provides a list of topics - https://www.acm.org/education/CS2013-final-report.pdf|
|Level of Difficulty||Is this activity easy, medium or challenging?|
|Estimated Time to Completion||10 Hours|
|Author||Steven P. Crain|
|License||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.