OpenMRS Security Assessment 4

From Foss2Serve
(Difference between revisions)
Jump to: navigation, search
(Initial draft, mostly just copied from previous assignment at this point.)
 
(Suggestions for Open Source Community:)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=== Preparation: ===
+
__NOTOC__
 
+
 
{| border="1"
 
{| border="1"
 
|-  
 
|-  
|'''Description''' || Asset Identification in OpenMRS.
+
|'''Title''' || OpenMRS Security Assessment 4
|-
+
|'''Source''' || Steven P. Crain
+
 
|-
 
|-
 +
|'''Overview''' || Asset Identification in OpenMRS
 +
|-
 
|'''Prerequisite Knowledge''' || Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset).
 
|'''Prerequisite Knowledge''' || Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset).
|-
 
|'''Estimated Time to Completion''' ||20 hours
 
 
|-
 
|-
 
|'''Learning Objectives''' ||
 
|'''Learning Objectives''' ||
 
#    Students learn to search through a project for use of identifiers.
 
#    Students learn to search through a project for use of identifiers.
 
# Students practice thinking broadly about assets, not just information assets.
 
# Students practice thinking broadly about assets, not just information assets.
 
+
# Students practice identifying and classifying threats.
TODO: have edited up to here.
+
 
+
# Students develop trouble-shooting skills.
+
# Students gain experience working with an HFOSS community to get help installing the project.
+
|-
+
|'''Materials/Environment''' ||
+
# The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template A]].
+
# Students need access to a computer that runs Linux. Most students prefer to use a virtual machine on one of their laptop computers, but it may be necessary to provide a Linux server for students to use.
+
# As of the present, the biggest challenge students face is getting a version of Java that works with OpenMRS (some people get it to work with Java 8, but most have to go back to Java 6).
+
|-
+
|'''Rights''' || [[File:Creativecommons-by-nc-sa-40.png]] This activity is licensed under a [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License].
+
|-
+
|'''Turn In''' ||
+
# Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
+
 
|}
 
|}
  
Line 34: Line 17:
 
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
 
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
  
In this assignment, teams will install the parts of the OpenMRS project that are relevant to their individual assignments and document the process.
+
In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS.
  
=== Instructor Notes: ===
+
=== Directions: ===
Allocate time in lecture before this assignment to select the teams. The overall assessment is broken down into 9 parts, with one team assigned to each part. Ideally, you want 3–5 students per team, so this break down of the assessment is appropriate for classes of 15–45 students. For smaller classes, you should reduce the number of options you make available to the students. For larger classes, you should consider conducting a security assessment of some additional modules. You can consult with the OpenMRS community to find out what modules would be the most valuable to assess.
+
  
Write up the assessment areas on the board, in a 3 by 3 grid. Leave room to add names with each project. Across the top:
+
This project is a large, team-based project with several parts.
# Database: Explain that this assessment will focus on the MySQL database. Students who work on this part of the project will learn a great deal about database security. They will also learn how MySQL interacts with the operating system, because a great deal of database security vulnerabilities happen outside the database proper.
+
# API layer: The API layer is a Java application that provides the core business logic of OpenMRS. As such, it is responsible to provide complete mediation to the data, and is critical for security. Teams working in this layer will learn about security in enterprise Java applications.
+
# WebApp layer: The Webapp is a default implementation, providing a working user interface that uses the API layer to make a useful Patient Record Management System. Far from being a cheesy demo app, this is a robust user interface that is used by nearly all OpenMRS installations. Teams working in this layer will learn about security in Web applications.
+
  
Along one side, add the focus areas for assessment.
+
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
# Authentication and Access Control. This focuses on how the layer under investigation manages authentication and authorization. The students working on this aspect should examine the access control protecting each asset in their assigned layer. They should make sure that the access control mechanisms are adequate to provide protection of the assets, that they are consistently applied and that there is no way to access the assets (including reading, modifying, deleting, moving or renaming and obstructing access) without successful access control.
+
# Audit. This focuses on how the layer under investigation manages auditing of access to the assets. Auditing is often neglected, but is critical in security generally and especially or HIPAA compliance. Advise students that auditing is weak to nonexistent in OpenMRS, so students selecting this aspect should expect to make recommendation on what kinds of auditing would be appropriate to add to the project. Audit systems make records of events that could end up being significant for security. In a typical audit system, these events relate to the state of the system (e.g. when it is started up or shut down), authentication events (who logs on and who logs off or is otherwise disconnected) and data modification events. In a HIPAA setting, the audit system also needs to record reading and transmitting PHI. A typical audit trail entry records the familiar who-what-when-where-why information about the event.
+
# Confidentiality. Unlike the other two aspects (access control and audit), this steps back from the technology and mechanics of security to take a direct look at the human goal of HIPAA, protecting patient privacy. Students should look at the system from the point of view of making sure access to PHI is not just authorized, but is respectful of patient privacy.  
+
  
After discussing the format of the grid, invite students to come forward and sign up for which part of the project they want to work on. Work with the students to get teams of 3–5 students on each focus area. When I fielded this assignment, it really helped to have enough people, especially when struggling to get OpenMRS set up so they could do the assessment. On the other hand, it is fine if you do not have teams working on some of the focal areas.
+
You can get to your project Wiki pages from [[OpenMRS Security Assessment Wiki Template]]. The template for this assignment is [[OpenMRS Security Assessment Wiki Assessment Template B]], due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
  
While students are working on the project, a large number of issues are likely to come up. OpenMRS is much more complicated than anything the students have installed before, and it will stretch even an experienced system administrator's skills. Encourage the students to plan plenty of time trying to get it set up, but also help them to relax. While it is best to have their own OpenMRS install for the assessment so they can run it in a debugger, etc, plenty of my teams had great success just looking over the source code or using the demo installation hosted on the OpenMRS web site.
+
# Identify all of the assets that are relevant to your team's portion of the assessment. In doing this, you should search the source code and application for anything that must be protected according to the HIPAA regulations. You should also search for other relevant aspects as mentioned in the template.
 +
# For each asset, identify the threat agents who could violate the security of the asset.
 +
# For each asset, brainstorm the threats against the agent. Keep focus: auth teams should focus on threats that attack or circumvent authentication or authorization; accounting teams should focus on threats that attack or circumvent accountability and confidentiality teams should focus on threats that improperly access PHI.
  
At the bottom of [[OpenMRS Security Assessment Wiki Assessment Template A]] contains a list of advice from students who have done this assignment in the past. Please consider adding any advice that your students produce, being mindful of FERPA considerations.
+
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.
  
=== Directions: ===
+
=== Deliverables: ===
 +
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
  
This project is a large, team-based project with several parts.
 
  
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
+
=== Assessment: ===
  
You can get to your project Wiki pages from [[OpenMRS Security Assessment Wiki Template]]. The assignments are described in template pages, starting with [[OpenMRS Security Assessment Wiki Assessment Template A]] for 5/1. Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
+
The instructor will grade the report after the full assessment is completed.
  
# Describe the part of the OpenMRS Security Assessment that was assigned to your team.
+
The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.
# Install whatever is needed so that you will be able to conduct the assessment. Notes of what you will need are provided on [[OpenMRS Security Assessment Wiki Template]]. You should also make liberal use of the instructor and the [https://talk.openmrs.org/c/implementing OpenMRS Talk Installation Help Chatboard].
+
  
The template describes various ways to earn points for this assignment. You should earn at least 10 points during this phase.
+
The instructor should provide time in the classroom to discuss the assessment as it progresses.
 +
 
 +
 
 +
 
 +
=== Comments: ===
 +
 
 +
=== Additional Information: ===
 +
{| border="1"
 +
|-
 +
|'''ACM Knowledge Area/Knowledge Unit''' || IAS/Threats and Attacks
 +
|-
 +
|'''ACM Topic''' || Attacker goals, capabilities, and motivations (such as underground economy, digital espionage,
 +
cyberwarfare, insider threats, hacktivism, advanced persistent threats)
 +
|-
 +
|'''Level of Difficulty''' || Medium
 +
|-
 +
|'''Estimated Time to Completion''' ||  20 hours
 +
|-
 +
|'''Materials/Environment''' ||
 +
# The instructor needs to a template page for this specific assignment, [[OpenMRS Security Assessment Wiki Assessment Template B]].  
 +
 
 +
|-
 +
|'''Author''' || Steven P. Crain 
 +
|-
 +
|'''Source''' || N/A
 +
|-
 +
|'''License''' || [[File:Creativecommons-by-nc-sa-40.png]] This activity is licensed under a [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License].
 +
|}
  
 +
=== Suggestions for Open Source Community: ===
 +
Suggestions for an open source community member who is working in conjunction with the instructor.
  
 
--------------------
 
--------------------
Line 78: Line 84:
 
[[Category: OpenMRS]]
 
[[Category: OpenMRS]]
 
[[Category: Privacy_and_Security]]
 
[[Category: Privacy_and_Security]]
 +
[[Category: Good Draft]]

Latest revision as of 17:56, 8 March 2017

Title OpenMRS Security Assessment 4
Overview Asset Identification in OpenMRS
Prerequisite Knowledge Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset).
Learning Objectives
  1. Students learn to search through a project for use of identifiers.
  2. Students practice thinking broadly about assets, not just information assets.
  3. Students practice identifying and classifying threats.

Background:

OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)

In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS.

Directions:

This project is a large, team-based project with several parts.

The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.

You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template B, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:

  1. Identify all of the assets that are relevant to your team's portion of the assessment. In doing this, you should search the source code and application for anything that must be protected according to the HIPAA regulations. You should also search for other relevant aspects as mentioned in the template.
  2. For each asset, identify the threat agents who could violate the security of the asset.
  3. For each asset, brainstorm the threats against the agent. Keep focus: auth teams should focus on threats that attack or circumvent authentication or authorization; accounting teams should focus on threats that attack or circumvent accountability and confidentiality teams should focus on threats that improperly access PHI.

The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.

Deliverables:

Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.


Assessment:

The instructor will grade the report after the full assessment is completed.

The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.

The instructor should provide time in the classroom to discuss the assessment as it progresses.


Comments:

Additional Information:

ACM Knowledge Area/Knowledge Unit IAS/Threats and Attacks
ACM Topic Attacker goals, capabilities, and motivations (such as underground economy, digital espionage,

cyberwarfare, insider threats, hacktivism, advanced persistent threats)

Level of Difficulty Medium
Estimated Time to Completion 20 hours
Materials/Environment
  1. The instructor needs to a template page for this specific assignment, OpenMRS Security Assessment Wiki Assessment Template B.
Author Steven P. Crain
Source N/A
License Creativecommons-by-nc-sa-40.png This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Suggestions for Open Source Community:

Suggestions for an open source community member who is working in conjunction with the instructor.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Creativecommons-by-nc-sa-40.png

Personal tools
Namespaces
Variants
Actions
Events
Learning Resources
HFOSS Projects
Evaluation
Navigation
Toolbox