Modifying Without a Trace: High-level Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms
==== 4.2.1 Audit Test Case Template ====
Test Procedure Template:
# Authenticate as <''insert a registered user name''>.
# Open the user interface for <''insert action phrase''>ing an <''insert object phrase''>.
# <''insert action phrase''> an <''insert object phrase''> with details.
# Logout as <''insert a registered user name''>.
# Authenticate as <''insert an administrator’s user name''>.
# Open the audit records for today’s date.
Expected Results Template:
* The audit records should show that the registered user <''insert action phrase''>ed an <''insert object phrase''>.
* The audit records should be clearly readable and easily accessible.
==== 4.2.2 Audit Test Case Example ====
Example Natural Language Artifact:
* CCHIT Criteria: AM 03.08.01 – The system shall provide the ability to associate orders and medications with one or more codified problems/diagnoses.
Example Test Procedure:
# Authenticate as Dr. Robert Alexander.
# Remove the association between Theodore S. Smith’s Hypertension diagnosis and Zantac.
# Add the association back between Theodore S. Smith’s Hypertension diagnosis and Zantac.
# Logout as Dr. Robert Alexander.
# Authenticate as Denny Hudzinger.
# Open the audit records for today’s date. If necessary, focus on patient Theodore S. Smith.
Example Expected Results:
* The audit records should show adding and removing the association of Theodore S. Smith’s Hypertension diagnosis and Zantac, both linked to Dr. Robert Alexander, and with today’s date.
* The audit records should be clearly readable and easily accessible.
== 5. Case Studies ==
Section 5.1 describes the EHR systems we used in this case study. Section 5.2 describes our EHR audit mechanism assessment based on the high-level assessment criteria from Section 4.1. Then, Section 5.3 describes our low-level black-box test case evaluation of three open-source EHR systems.
=== 5.1. Open-source EHR Systems Studied ===
In this study, we compare and contrast audit mechanisms from three open-source EHR systems. The criteria for inclusion in this study were (1) being open-source, for ease of access, and (2) having a fully-functional default demo deployment available online. For this study, we assess the following EHR systems:
* Open Electronic Medical Records (OpenEMR)<sup>2</sup> system,
* Open Medical Record System (OpenMRS)<sup>3</sup> system, with added Access Logging Module<sup>4</sup>,
* Tolven Healthcare Innovations’s Electronic Clinician Health Record (eCHR)<sup>5</sup> system, with added Performance Plugin<sup>6</sup> module.
A summary of these software applications appears in Table 2.
=== 5.2. High-level User-based Non-repudiation Assessment ===