OpenMRS Security Assessment 3
|Description||Students set up the OpenMRS infrastructure they will need for the assessment.|
|Source||Steven P. Crain|
|Prerequisite Knowledge||Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process.|
|Estimated Time to Completion||10 hours|
|Rights||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will install the parts of the OpenMRS project that are relevant to their individual assignments and document the process.
Allocate time in lecture before this assignment to select the teams. The overall assessment is broken down into 9 parts, with one team assigned to each part. Ideally, you want 3–5 students per team, so this break down of the assessment is appropriate for classes of 15–45 students. For smaller classes, you should reduce the number of options you make available to the students. For larger classes, you should consider conducting a security assessment of some additional modules. You can consult with the OpenMRS community to find out what modules would be the most valuable to assess.
Write up the assessment areas on the board, in a 3 by 3 grid. Leave room to add names with each project. Across the top:
- Database: Explain that this assessment will focus on the MySQL database. Students who work on this part of the project will learn a great deal about database security. They will also learn how MySQL interacts with the operating system, because a great deal of database security vulnerabilities happen outside the database proper.
- API layer: The API layer is a Java application that provides the core business logic of OpenMRS. As such, it is responsible to provide complete mediation to the data, and is critical for security. Teams working in this layer will learn about security in enterprise Java applications.
- WebApp layer: The Webapp is a default implementation, providing a working user interface that uses the API layer to make a useful Patient Record Management System. Far from being a cheesy demo app, this is a robust user interface that is used by nearly all OpenMRS installations. Teams working in this layer will learn about security in Web applications.
Along one side, add the focus areas for assessment.
- Authentication and Access Control. This focuses on
This project is a large, team-based project with several parts.
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The assignments are described in template pages, starting with OpenMRS Security Assessment Wiki Assessment Template A for 5/1. Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Describe the part of the OpenMRS Security Assessment that was assigned to your team.
- Install whatever is needed so that you will be able to conduct the assessment. Notes of what you will need are provided on OpenMRS Security Assessment Wiki Template. You should also make liberal use of the instructor and the OpenMRS Talk Installation Help Chatboard.
The template describes various ways to earn points for this assignment. You should earn at least 10 points during this phase.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License