Modifying Without a Trace: High-level Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms: Difference between revisions
Programsam (talk | contribs) |
Programsam (talk | contribs) No edit summary |
||
| Line 106: | Line 106: | ||
Combining all four sets of data, we collect 60 total non-specific auditable events and event types. After combining duplicates, our set contains 28 unique auditable events and event types. The only item appearing in all four suggested auditable events sets is “security administration event”, suggesting all four sources are concerned about software security. Out of the 28 unique events, 18 (64.3%) are contained in at least two of the source sets. Ten events (35.7%) are only contained in one source set. The overlap among the four sources suggests some common understanding and agreement of general events that should be logged, yet the disparity seems to indicate disagreement about the scope and breadth of auditable events. Table 1 provides a comparison of the four source sets of non-specific auditable events and event types. | Combining all four sets of data, we collect 60 total non-specific auditable events and event types. After combining duplicates, our set contains 28 unique auditable events and event types. The only item appearing in all four suggested auditable events sets is “security administration event”, suggesting all four sources are concerned about software security. Out of the 28 unique events, 18 (64.3%) are contained in at least two of the source sets. Ten events (35.7%) are only contained in one source set. The overlap among the four sources suggests some common understanding and agreement of general events that should be logged, yet the disparity seems to indicate disagreement about the scope and breadth of auditable events. Table 1 provides a comparison of the four source sets of non-specific auditable events and event types. | ||
{| class="wikitable" style="text-align: left; width: 100%;" | |||
|+ Table 1. A comparison of auditable events by source, with a categorization of events affecting user-based non-repudiation | |||
! Auditable Events | |||
! colspan=4 | Source of Software Audit mechanism Checklist | |||
! Affects User-based Non-repudiation | |||
|- | |||
| ''Log Entry Item'' | |||
| ''Chuvakin and Peterson<sup>[3]</sup>'' | |||
| ''CCHIT<sup>[2]</sup>'' | |||
| ''SANS<sup>[7]</sup>'' | |||
| ''IEEE<sup>[6]</sup>'' | |||
| ''(Yes or No)'' | |||
|- | |||
| System startup | |||
| X | |||
| X | |||
| X | |||
| | |||
| N | |||
|- | |||
| System shutdown | |||
| X | |||
| X | |||
| X | |||
| | |||
| N | |||
|- | |||
| System restart | |||
| | |||
| | |||
| X | |||
| | |||
| N | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| User login/logout | |||
| X | |||
| X | |||
| X | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Session timeout | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Account lockout | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Create data | |||
| X | |||
| X | |||
| X | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Update data | |||
| X | |||
| X | |||
| X | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Delete data | |||
| X | |||
| X | |||
| X | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| View data | |||
| X | |||
| X | |||
| X | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Query data | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- | |||
| Node-authentication failure | |||
| X | |||
| X | |||
| X | |||
| | |||
| N | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Signature created/validated | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Export data | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Import data | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- | |||
| Security administration event | |||
| X | |||
| X | |||
| X | |||
| X | |||
| N | |||
|- | |||
| Scheduling | |||
| | |||
| X | |||
| | |||
| | |||
| N | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| System backup | |||
| X | |||
| X | |||
| | |||
| | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| System restore | |||
| | |||
| X | |||
| | |||
| | |||
| Y | |||
|- | |||
| Initiate a network connection | |||
| X | |||
| | |||
| X | |||
| X | |||
| N | |||
|- | |||
| Accept a network connection | |||
| | |||
| | |||
| X | |||
| X | |||
| N | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Grant access rights | |||
| X | |||
| | |||
| X | |||
| X | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Modify access rights | |||
| X | |||
| | |||
| X | |||
| X | |||
| Y | |||
|- style="font-weight: bold; background-color: #EEEEEE" | |||
| Revoke access rights | |||
| X | |||
| | |||
| X | |||
| X | |||
| Y | |||
|- | |||
| System, network, or services changes | |||
| X | |||
| | |||
| X | |||
| X | |||
| N | |||
|- | |||
| Application process abort/failure/abnormal end | |||
| X | |||
| | |||
| X | |||
| | |||
| N | |||
|- | |||
| Detection of malicious activity | |||
| X | |||
| | |||
| X | |||
| | |||
| N | |||
|- | |||
| Changes to audit log configuration | |||
| | |||
| | |||
| | |||
| X | |||
| N | |||
|} | |||
Next, we categorize each individual auditable event or event type from Table 1 into one of two categories: events that ''affect'' user-based non-repudiation, and events that ''do not affect'' user-based non-repudiation. Our categorization is denoted in Table 1 under the “Affects User-based Non-repudiation” column. When categorizing these events, we determine if the given event can be traced to a specific user accountholder in an EHR system. If so, we categorize this event as one that affects user-based non-repudiation. If the event cannot be traced to a specific user accountholder, we categorize the event as one that does not affect user-based non-repudiation. For example, the “view data” event suggests a user accountholder (such as a physician) has authenticated into an EHR system and is viewing protected patient health information. The action of viewing this protected data can be traced to the physician’s user account. Therefore, this event is categorized as one that does affect user-based non-repudiation. On the other hand, an “application process failure” does not suggest any intervention by a user accountholder. Instead, this event suggests an internal EHR system state change. Therefore, we categorize this event as not affecting user-based non-repudiation. | Next, we categorize each individual auditable event or event type from Table 1 into one of two categories: events that ''affect'' user-based non-repudiation, and events that ''do not affect'' user-based non-repudiation. Our categorization is denoted in Table 1 under the “Affects User-based Non-repudiation” column. When categorizing these events, we determine if the given event can be traced to a specific user accountholder in an EHR system. If so, we categorize this event as one that affects user-based non-repudiation. If the event cannot be traced to a specific user accountholder, we categorize the event as one that does not affect user-based non-repudiation. For example, the “view data” event suggests a user accountholder (such as a physician) has authenticated into an EHR system and is viewing protected patient health information. The action of viewing this protected data can be traced to the physician’s user account. Therefore, this event is categorized as one that does affect user-based non-repudiation. On the other hand, an “application process failure” does not suggest any intervention by a user accountholder. Instead, this event suggests an internal EHR system state change. Therefore, we categorize this event as not affecting user-based non-repudiation. | ||