OpenMRS Security Assessment 1
|Title||OpenMRS Security Assessment 1|
|Overview||Help students gather information from the OpenMRS community in preparation for a security assessment.|
|Prerequisite Knowledge||Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
Before beginning this assignment, students should be familiar with the material in a computer security textbook on risk assessment. We used Stallings and Brown, Computer Security: Principles and Practice, 3rd ed., Prentice Hall, 2015, chapter 14.
This assignment deals with the first stage of a security assessment, where we identify what the scope of the assessment will be, identify important stakeholders, identify key assets and review existing documentation.
This assignment is the first in a series of risk assessment assignments for OpenMRS. You will be analyzing the documentation of this open source project in order to prepare for the following assignments. You are encouraged to complete this assignment with a partner. Teams of of 1–3 students are acceptable.
For this assignment, you will be creating a well-written (10 pts) risk assessment document. The directions below direct you to explore a number of different questions. You are expected to directly address each of these questions in your document, with references to specific pages and resources at OpenMRS. Remember to include the names of all group members in the document.
Risk Exposure (10 pts)
Using the OpenMRS website determine what kinds of organizations use the OpenMRS product. How likely are these kinds of organizations to be specifically targeted? If the product were used more extensively in the United States, how would that change the risk exposure?
Risk Appetite (10 pts)
Listen to the discussion on security in the Dec. 4, 2014 Developers' Talk. (This link works fine on Windows computers, but did not work on a Linux computer, so you may need to hunt for a machine where you can watch it. I did not find that the screencast version added much over the audio-only version.) Pay special attention to the questions and answers portion that starts at about 35 minutes into the recording. What is the typical attitude that users of OpenMRS have towards security risk?
Risk Assessment Boundary (20 pts)
We will be limiting our risk assessment to the OpenMRS database (database layer), API (service layer) and reference application (Webapp). Read the introductory documentation and describe this risk assessment boundary in more detail in your document. You should use at least 4 paragraphs for this section of your document, an initial paragraph that describes the boundary at a relatively high level and then a paragraph for each of the main components in the boundary (database, API and reference app). Optionally, you may include an extra module in your boundary for extra credit.
Assets (20 pts)
Based on the Developers' Talk and searches in the OpenMRS documentation, identify the important assets of an OpenMRS installation. Remember to include anything that is critical for the operations of an organization using OpenMRS and also anything that would be useful to an attacker. The Implementer Guide is fairly dense, but contains significant information about assets.
Remember to include hardware assets, data assets, functionality assets, communication assets and human assets, unless any of these categories is insignificant for OpenMRS users.
For each asset, identify how detrimental it would be to the organization if it were compromised or made unusable.
Existing Controls (20 pts)
Search the OpenMRS documentation for information about the existing security controls and plans for enhancement. In your document, state how you searched for this information and summarize what you found out.
Make a list of questions that you would like answered, based on the Developer's Talk you listened to and the other documentation you have read. The questions can be related to who uses the product, reported threats, architecture, existing controls, or anything else you might need to complete the security risk assessment in later assignments. You should have at least 3 questions.
Executive Summary (10 pts)
Add an executive summary at the start of the document. It should provide the main findings of your risk assessment so far in non-technical language. Executive summaries are a critical part of any business document, because the top executives of a company want to get the important facts quickly without reading a long report.
You may work in groups of 1 to 3 students, but 2 students is recommended. I recommend that you divide the work. For this assignment, you may talk to other students for help accessing the resources needed to complete the assignment, but you should not discuss the details of your assessment.
3–5 page paper establishing the context, assets and existing security controls for OpenMRS based on a review of the documentation.
Grading on this assignment will depend on the role the assignment plays in the course. My course provides a broad introduction to computer security, so that the students are not expected to produce a polished, professional security assessment. Level 2 gets about 75% of the points; Level 3 gets about 95% of the points. A course focusing on security assessment could use this assignment as the main course deliverable, with much higher expectations, perhaps giving 70% for level 2, 85% for level 3 and 100% for level 4.
|Criteria||Level 1 (fail)||Level 2 (pass)||Level 3 (good)||Level 4 (exceptional)|
|Risk exposure (20%)||Little evidence of investigation or reflection on the risk exposure.||Poor paragraph structure, grammar and spelling. Most points raised are addressed, but without much depth, and not addressing OpenMRS issues specifically.||Well-written paragraph. All points from the assignment are addressed (types of organization, risk exposure, how would change in US) with documentation of sources and evidence of reflection.||Multiple well-written paragraphs with extensive development of risk exposure for OpenMRS specifically.|
|Risk appetite (10%)||Little evidence of investigation or reflection on risk appetite.||Poor paragraph structure, grammar and spelling. Most points raised are addressed, but without much depth, and not addressing OpenMRS issues specifically.||Well-written paragraph. All points from the assignment are addressed (risk appetite of typical OpenMRS user) with documentation of sources and evidence of reflection.||Multiple well-written paragraphs showing nuanced understanding of different types of OpenMRS users.|
|Risk assessment boundary (20%)||Little evidence of investigation or reflection on the risk assessment boundary.||Poor paragraph structure, grammar and spelling. Most points raised are addressed, but without much depth, and not addressing OpenMRS issues specifically.||Well-written paragraphs. All points from the assignment are addressed (overview, database, api, reference app) with documentation of sources and evidence of reflection.||Well-written and incorporating an additional OpenMRS module in the assessment boundary.|
|Assets (20%)||5 or fewer assets identified and little reflection on the meaning or value of the assets.||Poor structure. At least 3 categories of asset (hardware, software, data, communications, humans) are covered, but it may look like they were 'checking off the boxes' instead of trying to generate a good list of assets. Assets are not discussed in much detail.||Well-structured in paragraph or list format. At least 10 assets are included from at least four categories. Each asset is described with clear detail, and its value is discussed for both the OpenMRS users and for external threat agents.||Uneven distribution of assets across categories demonstrates an attempt to exhaustively identify assets. Assets are organized in a coherent and clear order. All critical assets were identified (access control systems, passwords, OpenMRS system, health information, administrators, clinicians).|
|Existing controls (20%)||Little evidence of investigation of existing controls.||Poor paragraph structure, grammar and spelling. Claims about lack of existing controls without supporting evidence.||Well-written paragraph. Process for searching for controls is well-documented.||Documentation of extensive search for existing controls and discovery of some of the less obvious controls.|
|Executive summary (20%)||No substantial executive summary.||Poorly written and not self-contained. Does not summarize all aspects of the report.||Well-written, with a substantial summary the most important information from each section of the report.||Well-written, with content ordered so that the most significant information comes first. Not very long, yet contains all of the key facts. Avoids technical jargon.|
This assignment refers students to several resources on the OpenMRS website. There are currently better resources for this assignment, but the ones provided give the students a good start on their exploration of the OpenMRS documentation. The instructor is advised to read these resources to acquaint herself with OpenMRS and its documentation before giving the assignment.
|ACM Knowledge Area/Knowledge Unit||IAS Threats and Attacks|
|ACM Topic|| Attacker goals, capabilities, and motivations (such as underground economy, digital espionage,
cyberwarfare, insider threats, hacktivism, advanced persistent threats)
|Level of Difficulty||Medium|
|Estimated Time to Completion||10 Hours|
|Author||Steven P. Crain|
|License||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License