The LibreHealth EHR Security Assessment Infrastructure project aims to create an automated CVSS scoring system integrated with GitLab CI/CD to continuously evaluate and monitor security vulnerabilities across critical Meaningful Use (MU) certification workflows. This infrastructure will provide systematic security assessment, enabling early detection and mitigation of potential vulnerabilities.
The project focuses on implementing comprehensive integration testing for key clinical workflows while incorporating CVSS scoring to quantify potential security risks. This automated approach will ensure consistent security evaluation with each code change or release, maintaining a robust security posture for the EHR system.
The deliverables of the project are as follows:
- Develop automated integration tests covering the specified MU workflows
- Create a CVSS scoring framework that evaluates security aspects of each workflow
- Implement GitLab CI/CD pipeline integration for automated security assessment
- Generate comprehensive security reports with detailed CVSS metrics
- Provide documentation for maintaining and extending the security assessment infrastructure
- Create remediation guidelines for common vulnerability patterns
CVSS Scoring Implementation:
- Implement automated scanning for common vulnerability patterns
- Create custom scoring rules for healthcare-specific security concerns
- Generate CVSS v3.1 scores for identified vulnerabilities
- Track security metrics over time
- Provide trend analysis for security posture
CI/CD Integration:
- Configure GitLab CI/CD pipelines for automated testing
- Implement security gates based on CVSS scores
- Create notification systems for security issues
- Generate security reports for each build/release
- Archive security metrics for trend analysis
Preliminary tasks:
- Map all target workflows and their components
- Create initial integration test framework
- Implement basic CVSS scoring for a sample workflow
- Set up GitLab CI/CD pipeline structure
A developer working on this project needs to have skills in:
- PHP and JavaScript testing frameworks
- Security testing and vulnerability assessment
- CVSS scoring methodology and implementation
- GitLab CI/CD configuration and pipeline development
- Healthcare workflow analysis and testing
- Integration testing methodologies
- Documentation and technical writing
Project size: Large (~350 hours)
Mentors: @muarachmann and @sunbiz