OpenMRS Security Assessment 4

From TeachingOpenSource
Revision as of 18:37, 6 August 2024 by Heidi (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Title

OpenMRS Security Assessment 4

Overview

Asset Identification in OpenMRS

Prerequisites

Students must know the definition of asset in computer security and understand the breadth of resources that constitute assets. They also need to be familiar with the specific HIPAA rules that govern the kinds of identifiable and health information that must be protected (and therefor is an asset).

Learning
Objectives
After successfully completing this activity, the learner should be able to:
  1. Search through a project for use of identifiers.
  2. Practice thinking broadly about assets, not just information assets.
  3. Practice identifying and classifying threats.
Process Skills
Practiced


Background

OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)

In this assignment, teams will identify assets and threats relevant to an assigned aspect of OpenMRS.

Directions

This project is a large, team-based project with several parts.

The assignment requires you to conduct a risk assessment of OpenMRS and post your assessment on the Security Assessment Wiki.

You can get to your project Wiki pages from OpenMRS Security Assessment Wiki Template. The template for this assignment is OpenMRS Security Assessment Wiki Assessment Template B, due .... Click the "edit" option at the top of the template page, copy all of the text of the template and paste it into your team's Wiki page. Then, follow the directions in the template:

  1. Identify all of the assets that are relevant to your team's portion of the assessment. In doing this, you should search the source code and application for anything that must be protected according to the HIPAA regulations. You should also search for other relevant aspects as mentioned in the template.
  2. For each asset, identify the threat agents who could violate the security of the asset.
  3. For each asset, brainstorm the threats against the agent. Keep focus: auth teams should focus on threats that attack or circumvent authentication or authorization; accounting teams should focus on threats that attack or circumvent accountability and confidentiality teams should focus on threats that improperly access PHI.

The template describes various ways to earn points for this assignment. You should earn at least 40 points during this phase.

Deliverables

Teams create a Wiki page and add a description of their project and discussion of the challenges they faced installing the OpenMRS project.


Assessment

The instructor will grade the report after the full assessment is completed.

The instructor should look over the work of each team and provide feedback that will help the team improve their security assessment skills and the remaining portions of the assessment.

The instructor should provide time in the classroom to discuss the assessment as it progresses.


Comments

Additional Information:

ACM BoK
Area & Unit(s)

IAS/Threats and Attacks

ACM BoK
Topic(s)

Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, cyberwarfare, insider threats, hacktivism, advanced persistent threats)

Difficulty

medium

Estimated Time
to Complete

20 hours

Environment /
Materials
  1. The instructor needs to a template page for this specific assignment, OpenMRS Security Assessment Wiki Assessment Template B.
Author(s)

Steven P. Crain

Source

N/A

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

CC BY NC SA.png


Suggestions for Open Source Community:

Suggestions for an open source community member who is working in conjunction with the instructor.