visolveemr wrote on Saturday, September 12, 2009:
Hi Team,
This section discusses "Audit Control" in detail.
We have framed the technical requirements based on our understanding. Your suggestions are most welcome.
Logging is a record of who did what, when, and on which system.
**Auditing Events**
1. Machine startup and shutdown; startup and shutdown of audit function.
2. Successful/unsuccessful login and logout of users; denial of service events.
3. Account lockout, password change
4. Add, modify, and delete actions on all objects such as
o Patient demographic/history/encounters/issues/prescriptions/immunizations/referrals/orders/reminders
o Fee sheet creation, charges modify and billing activities
o Batch communication and changes to the address book
o Authorizations done
o Changes to user accounts
o Changes to ACL
o Doctor office setup events related to facilities, Practice, Services, Layouts, Lists, Language, Forms, Calendar
o Operations on phpadmin - database
o Billing
o Scheduling
5. View Events
o PHI view/import/export/print
o Billing info
o All reports
6. Backup and restore
7. Emergency access
8. Communication events wherever appropriate
9. Other security administrative events
**Technical requirements**
1. The list of events that can be audited can be made configurable with different log levels (minimum log level to maximum log level), based on which the logging is done.
2. Actual logging can be accomplished by a common function. All modules then only need to send the appropriate messages to that function with the required info and the log level.
3. By default, read access to the logs should be prohibited for all users; only privileged users can view them.
4. The logging details can be stored in a separate table, and the contents of the log are:
• Date & Time
• Type of the event (login, logout, view, add, delete, etc.)
• ID of the user who caused the event
• Workstation that initiated the event
• The module that created the event (patient, billing)
• Status of the event (NORMAL, MINOR, MAJOR, CRITICAL, FATAL)
• Description of the event (it can vary depending upon the log level)
• MD5 digest of the event (for operations such as addition, update and deletion)
5. Audit trail GUI can contain the following information:
• From Date & Time – Calendar format
• To Date & Time – Calendar format
• Username – Combo box
• List of events - Combo box
• List of status types – Combo box
6. Once the selections are made and the submit button is pressed, the relevant log information can be displayed based on the time window.
7. Irrespective of log level, all the details should be logged during the emergency access
Question: How long do we need to keep them? If more events are chosen to be audited and the log level is set high, the log database would grow to a large extent.
Do share your views here.
Thanks
ViCare Team
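An added example (not OpenEMR code and not the ViCare team's proposal) of what technical requirements 1, 2, 4, 5, 6 and 7 above look like when written down: one common logging function, a separate audit table with the listed columns, a configurable status window that emergency-access events bypass, and a filtered query for the audit-trail screen. Where the post asks for an MD5 digest per event, this example instead stores a keyed HMAC-SHA256 chained to the previous row, because a plain digest stored next to the record can be recomputed by anyone who can edit the row, while a chained HMAC with the key kept outside the database (an assumption here) lets `verify_chain` find the first altered or deleted entry. The table name, column names, key handling and sample events are this example's own choices.

```python
"""Minimal audit-log store modelled on the ViCare requirements above.
Added example; not OpenEMR code.  Schema, HMAC key handling and the
chained digest are this example's own assumptions."""
import hmac
import hashlib
import sqlite3
from datetime import datetime, timezone

# Status ordering from the post: NORMAL < MINOR < MAJOR < CRITICAL < FATAL
STATUS = {"NORMAL": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "FATAL": 4}

SCHEMA = """
CREATE TABLE IF NOT EXISTS audit_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    event_time  TEXT    NOT NULL,
    event_type  TEXT    NOT NULL,
    user_id     TEXT    NOT NULL,
    workstation TEXT    NOT NULL,
    module      TEXT    NOT NULL,
    status      TEXT    NOT NULL,
    description TEXT    NOT NULL,
    emergency   INTEGER NOT NULL,
    digest      TEXT    NOT NULL
)"""


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def _digest(key, prev_digest, fields):
    # Chain each row to its predecessor: editing or deleting any row breaks
    # verification of every later row.  The key is assumed to live outside
    # the database (e.g. a file readable only by the web-server account).
    msg = "\x1f".join([prev_digest, *map(str, fields)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _last_digest(conn):
    row = conn.execute("SELECT digest FROM audit_log ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else "0" * 64  # fixed sentinel for the first row


def log_event(conn, key, min_level, max_level, event_type, user_id, workstation,
              module, status, description, emergency=False, now=None):
    """Common logging entry point (requirement 2).  Returns True if stored.
    Requirement 1: only statuses within [min_level, max_level] are kept.
    Requirement 7: emergency-access events are stored regardless of level."""
    if status not in STATUS:
        raise ValueError(f"unknown status {status!r}")
    in_window = STATUS[min_level] <= STATUS[status] <= STATUS[max_level]
    if not (in_window or emergency):
        return False
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    fields = (ts, event_type, user_id, workstation, module, status, description, int(emergency))
    digest = _digest(key, _last_digest(conn), fields)
    with conn:  # commit the row and its digest together
        conn.execute(
            "INSERT INTO audit_log (event_time, event_type, user_id, workstation,"
            " module, status, description, emergency, digest) VALUES (?,?,?,?,?,?,?,?,?)",
            (*fields, digest))
    return True


def verify_chain(conn, key):
    """Recompute every digest from the first row.  Returns the id of the first
    row whose stored digest does not match, or None if the trail is intact."""
    prev = "0" * 64
    for row in conn.execute(
            "SELECT id, event_time, event_type, user_id, workstation, module,"
            " status, description, emergency, digest FROM audit_log ORDER BY id"):
        expected = _digest(key, prev, row[1:-1])
        if not hmac.compare_digest(expected, row[-1]):
            return row[0]
        prev = row[-1]
    return None


def query_trail(conn, start, end, user_id=None, event_type=None, status=None):
    """Backs the audit-trail screen (requirements 5 and 6): a time window plus
    optional user / event-type / status filters.  Column names come from a
    fixed whitelist below; user-supplied values are always bound parameters."""
    sql = ("SELECT id, event_time, event_type, user_id, module, status, description"
           " FROM audit_log WHERE event_time BETWEEN ? AND ?")
    params = [start, end]
    for col, val in (("user_id", user_id), ("event_type", event_type), ("status", status)):
        if val is not None:
            sql += f" AND {col} = ?"
            params.append(val)
    return conn.execute(sql + " ORDER BY id", params).fetchall()
```

With the window set to MINOR..FATAL, a NORMAL chart view is dropped, the same view performed under emergency access is stored anyway, and a later `UPDATE` on any stored row makes `verify_chain` return that row's id. Whoever holds the HMAC key can still forge the chain, so in practice the key belongs with the logging process and the verifier, not with the database account the application uses for everyday reads and writes.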