OpenMRS Security Assessment 2
|Description||Students interview members of the OpenMRS community to gather information for the security assessment.|
|Source||Steven P. Crain|
|Prerequisite Knowledge||Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. They also need an introductory knowledge of using Wikis and Internet Relay Chat (IRC) for Humanitarian Free and Open Source Software (HFOSS) project communication.|
|Estimated Time to Completion||10 hours|
|Rights||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
Before beginning this assignment, students should be familiar with the material in a computer security textbook on risk assessment. We used Stallings and Brown, Computer Security: Principles and Practice, 3rd ed., Prentice Hall, 2015, chapter 14.
In this assignment, students use a Wiki to organize the questions they created in OpenMRS Security Assessment 1, in preparation for interviewing members of the OpenMRS community in OpenMRS Security Assessment 3. Wikis are commonly used by Free and Open Source Software projects for their documentation, so this assignment provides valuable experience with this tool.
The interviews themselves are conducted using Internet Relay Chat (IRC), a tool that enables open source developers all over the world communicate instantly, even if they have very low Internet bandwidth.
This assignment was not nearly as successful as I had hoped. I did not coordinate with the OpenMRS community before the assignment, and the IRC channels were too quiet when the students attempted this. The students found this very frustrating, as they were looking forward to talking to real OpenMRS developers! I recommend that you join a OpenMRS Developer's Forum well before the assignment, and discuss how best to adjust this assignment for a positive experience.
In this assignment, you will be preparing for and conducting interviews. We will use the OpenMRS Security Assessment Wiki Interview Questions Template to organize and coordinate the interviews. This assignment must be completed in groups of 3–4 students.
Part 1 Due Wednesday 4/22
Edit the OpenMRS Security Assessment Wiki Interview Questions Template, adding the questions that you prepared in part 5 of Project 4. I provided a bunch of categories of questions, based on the kinds of questions that are normally asked in a risk assessment like this. Feel free to add additional categories if your question does not really fit well. If another team asked a similar question, you do not need to add it again.
If another team has put a question in the wrong category, or if you think it could be worded better, please make the appropriate changes. This is a WIKI, after all.
Participation in this section is worth 10 points.
The instructor will review each of the proposed questions, and will approve questions that are respectful, appropriate and useful for this security assessment.
Part 2 Due Friday 4/24
Sign up for at least 2 approved questions per team by editing the WIKI page. See the instructions in the Template section at the bottom of the WIKI. You are not allowed to steal a question that another team has already signed up for.
Like most open source projects, OpenMRS uses IRC for much of the communication with developers and users. Read the OpenMRS IRC information. Work through the activity, Introduction to IRC: connect to the IRC server irc.freenode.net; chose an IRC handle that ends with "_psu"; join channel #OpenMRS; spend an hour lurking and watching the discussion that is happening in the IRC channel. During this time, it is important that your whole team is connected (either personally or as a group) and paying attention to the activity on IRC. Write a short document (one to three paragraphs, 20 pts) that discusses what was going on in the IRC channel during this time. Submit the paragraph for this assignment.
Part 3 Due Tuesday 4/28
Connect again to the IRC channel #OpenMRS on Freenode. Lurk long enough to make sure that it seems appropriate to ask your interview questions. (Do not try to ask your questions while another team is asking questions or if something else important is being discussed.)
Use a handle that ends with "_psu," mostly so you can coordinate with your classmates. Introduce yourself, saying that you are working on a class project at Plattsburgh State University. Ask one of your questions. Wait for a reply. If there is no reply, make note on the WIKI that there was no reply and try again about 3 hours later. If there is still no reply, record your second attempt on the WIKI and you have completed the assignment. If the reply raises other thoughts or questions, carry on a conversation with the other person or people on IRC that explores their answer in more detail. Record the conversation on the WIKI page. If the first question generated substantial discussion (at least 3 people replied or there were a total of 7 or more replies) or negative replies ("stop bugging us") you are done with the assignment. Otherwise, ask your second question, running through steps 4, 6 and 7.
This part of the assignment is worth 30 points. Record your conversations on the OpenMRS Security Assessment Wiki Interview Questions Template, under the appropriate questions.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License