OpenMRS Security Assessment 5
|Title||OpenMRS Security Assessment 5|
|Overview||Controls and Design in OpenMRS|
|Prerequisite Knowledge||Students must know commonly used mechanisms for defending against threats. They also need to know security design principles and be ready to apply them to assess a real-world project.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will investigate what existing controls OpenMRS has that would defend against specific threats. They will also use the security design principles to assess how design decisions made when developing OpenMRS affect security.
This project is a large, team-based project with several parts.
The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template C, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Sort the threats you identified in the previous assignment according to the level of risk.
- Evaluate OpenMRS's preparedness for the 7-10 threats with the greatest risk. Certainly assess every threat that presents extreme risk.
- For each threat that you assess, start by searching the OpenMRS documentation for any reference to the threat. Next, brainstorm as a group the ways that you could protect against this kind of threat. During this process, it may be helpful to search the textbook and the Web for suggestions. (Keep notes so that you can reference relevant pages in OpenMRS, the textbook or the Web in your report.) Finally, search the application and source code for evidence that OpenMRS attempts to defend against this threat.
- Determine what changes OpenMRS should make to reduce the risk of the threat. These changes can reduce the likelihood of a successful attack or reduce the cost if an attack is successful.
- Document the controls that you found and your recommendations using the format in the template.
You are aiming for 40 points in this part of the assignment. Depending on how many threats you assessed and what you wrote about it, you can also assess how well OpenMRS is designed based on the security design principles. Remember to focus on your specific aspect of the security assessment. You need to explain clearly to someone who does not know much about computer security what the design principle means in this specific context. (For example, what does complete mediation mean for confidentiality in the database?) Then assess how well OpenMRS adheres to the principle, and assign a letter grade to OpenMRS.
The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
The instructor will grade the report after the full assessment is completed.
The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.
The instructor should provide time in the classroom to discuss the assessment as it progresses.
|ACM Knowledge Area/Knowledge Unit||IAS/Threats and Attacks|
|ACM Topic|| Attacker goals, capabilities, and motivations (such as underground economy, digital espionage,
cyberwarfare, insider threats, hacktivism, advanced persistent threats)
|Level of Difficulty||Challenging|
|Estimated Time to Completion||25 hours|
|Author||Steven P. Crain|
|License||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License