OpenMRS Security Assessment 6
Latest revision as of 18:00, 8 March 2017
|Title||OpenMRS Security Assessment 6|
|Overview||Security Recommendations and Assessment Report for OpenMRS|
|Prerequisite Knowledge||Students should be able to write a well-formed technical essay.|
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
In this assignment, teams will produce a final security assessment for a portion of OpenMRS, making specific recommendations.
This project is a large, team-based project with several parts.
The assignment requires you to complete the risk assessment of OpenMRS and post your final assessment on the Security Assessment Wiki.
You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template D, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:
- Look through all of the recommendations that you made in the previous assignment. Pick a few (preferably 5, but certainly between 3 and 7) recommendations that are the most critical for improving the security of OpenMRS.
- Write about these recommendations, following the template. Your recommendations should be specific, measurable (how can you tell if the change was made correctly and has the desired effect on security?) and realistic. Write the recommendations in a way that is clear to someone with no computer security background. Use a persuasive style.
- Write a conclusion paragraph for your assessment.
- At the top of your assessment, write an executive summary.
- Your reader will read the first sentence of the executive summary to decide if it is worth reading the whole executive summary, so make sure the first sentence makes it clear what the purpose of your assessment was, how well OpenMRS did on this as a whole, and how much improvement your recommendations will make.
- Your reader will read the executive summary to see what parts of the report are worth reading, if any. The executive summary should summarize the important points made anywhere in your report, and needs to clearly lay out your main recommendations.
The template describes various ways to earn points for this assignment. You should earn at least 30 points during this phase.
Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.
The instructor will be creating a combined report that should be submitted to OpenMRS in combination with doing the assessment.
Start by copying each team report into a word processor document. The software I used maintained the formatting of the templates when I copied and pasted the text from the Wiki.
If supported, turn on the track changes feature to make it easier to give feedback to the team.
Commonly, the teams will make decisions in the assessment that are clearly wrong. For example, I have had teams make suggestions that would be bad for security, instead of helping it. Most commonly, they will make recommendations based on a faulty understanding of a design principle. Delete anything from the document that is clearly incorrect or bad advice.
Delete anything from the document that is poorly written, pointless or redundant.
Correct anything in the document that is on the right track, but incorrect.
Feel free to add additional comments that will help the team members learn.
Highlight any points in the document that are especially important. Also, copy these into another document where you collect the most important findings from all of the reports.
Go back through the document and tally the points, using the values provided in the templates. Poorly-written paragraphs (ones that you are embarrassed to send to OpenMRS) will have been cut out and get no points. Generally, most paragraphs, images, graphics and source code snippets are worth 2 points each. Most items in lists are worth 1 point each. Give 4 bonus points for anything you highlighted.
Provide the edited document back to the team, so that they can see what you deemed valuable and learn from the corrections.
In addition to the deliverables described here, I find it very helpful to ask the team members to each report what each team member contributed. I generally give some bonus points to anyone who took on a leadership role. I also give a good grade to anyone who did a fair share of work, even if the team as a whole produced mediocre results.
Compile all of the reports together into a single document, in any reasonable and consistent order. Add sections at the beginning for a master executive summary, table of contents, context and recommendations.
Find an appropriate location in the OpenMRS talk system, and post that you have a report from your class's security assessment, and would like to know how OpenMRS would like to receive the report. It is a good idea to mention what format it is currently in and how long it is.
|ACM Knowledge Area/Knowledge Unit||SP/Professional Communication|
|ACM Topic||Writing effective technical documentation and materials|
|Level of Difficulty||Medium|
|Estimated Time to Completion||5 hours|
|Author||Steven P. Crain|
|License||This activity is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.|
Suggestions for Open Source Community:
Suggestions for an open source community member who is working in conjunction with the instructor.