Modifying Without a Trace: High-level Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms
==== 4.1.1 Derivation of Non-specific Auditable Events ====
Our high-level assessment of user-based non-repudiation first involves compiling a list of non-specific events that should be logged in software audit mechanisms, according to other researchers and standards organizations. Non-specific events include basic actions such as “viewing” and “updating”, but these events do not specify ''what information'' is viewed or updated. Our goal is to compile a set of common non-specific auditable event types for user-based non-repudiation, based on the general guidelines and checklists from four academic and professional sources:
* Chuvakin and Peterson<sup>[3]</sup> provide a general checklist of items that should be logged in web-based software applications. We collect 17 auditable events from this source.
* The Certification Commission for Health Information Technology (CCHIT) specifies an appendix of auditable events specific to EHR systems. CCHIT is a certification body authorized by the United States Department of Health & Human Services for the purpose of certifying EHR systems based on satisfactory compliance with government-developed criteria for meaningful use<sup>[2]</sup>. We collect 17 auditable events from this source.
* The SysAdmin, Audit, Network, Security (SANS) Institute provides a checklist of information system audit logging requirements to help advocate appropriate and consistent audit logs in software information systems<sup>[7]</sup>. We collect 18 auditable events from this source.
* The “IEEE Standard for Information Technology: Hardcopy Device and System Security” presents a section on best practices for logging and auditability, including a listing of suggested auditable events<sup>[6]</sup>. We collect 8 auditable events from this source.
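The distinction drawn above, between a non-specific event (“view”, “update”) and one that records ''what information'' was acted on, is the property an audit reviewer actually has to check. The following is an added example, not code from the paper or from any of the four sources: it reads a small, constructed JSON-lines audit log, classifies each record as non-specific (action only) or specific (action plus the patient record, data elements and, for updates, before/after evidence), and tallies the result. The event set, field names and the criteria for “specific” are assumptions chosen for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed set of non-specific event types (action names only). The paper's
# sources list events of this kind; this particular set is an assumption.
NON_SPECIFIC_EVENTS = {"view", "create", "update", "delete"}

# Hypothetical audit log in JSON-lines form, constructed for this example.
SAMPLE_LOG = """\
{"user": "nurse01", "action": "view", "ts": "2024-01-01T10:00:00Z"}
{"user": "nurse01", "action": "view", "ts": "2024-01-01T10:01:00Z", "patient_id": "P-1001", "fields": ["allergies"]}
{"user": "doc07", "action": "update", "ts": "2024-01-01T10:05:00Z", "patient_id": "P-1001", "fields": ["medications"]}
{"user": "doc07", "action": "update", "ts": "2024-01-01T10:06:00Z", "patient_id": "P-1001", "fields": ["medications"], "old_hash": "ab12", "new_hash": "cd34"}
{"user": "admin", "action": "backup", "ts": "2024-01-01T11:00:00Z"}
"""


@dataclass
class AuditRecord:
    user: str
    action: str
    ts: str
    # The fields below are what turn a non-specific event into a specific one.
    patient_id: Optional[str] = None
    fields: list = field(default_factory=list)
    old_hash: Optional[str] = None   # digest of the value before an update
    new_hash: Optional[str] = None   # digest of the value after an update


def parse_line(line: str) -> AuditRecord:
    """Parse one JSON audit line; missing detail fields default to None/empty."""
    d = json.loads(line)
    return AuditRecord(
        user=d["user"], action=d["action"], ts=d["ts"],
        patient_id=d.get("patient_id"), fields=list(d.get("fields", [])),
        old_hash=d.get("old_hash"), new_hash=d.get("new_hash"),
    )


def classify(rec: AuditRecord) -> str:
    """Return 'specific', 'non_specific' or 'unknown' (action not in the event set)."""
    if rec.action not in NON_SPECIFIC_EVENTS:
        return "unknown"
    names_record = rec.patient_id is not None
    names_elements = bool(rec.fields)
    if rec.action in {"create", "delete"}:
        # Whole-record operations: naming the record is enough.
        return "specific" if names_record else "non_specific"
    if rec.action == "view":
        return "specific" if names_record and names_elements else "non_specific"
    # update: to support non-repudiation of a change we also need before/after evidence.
    if names_record and names_elements and rec.old_hash and rec.new_hash:
        return "specific"
    return "non_specific"


def assess(log_text: str) -> dict:
    """Count how many records in the log are specific, non-specific or of unknown type."""
    counts = {"specific": 0, "non_specific": 0, "unknown": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        counts[classify(parse_line(line))] += 1
    return counts


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Run against the constructed log, two of the four in-scope records are non-specific: a “view” with no patient or field named, and an “update” that names the field but carries no before/after digests. A mechanism whose log looks like the first record of each pair satisfies a checklist entry for “viewing” or “updating” while leaving an auditor unable to say what was seen or changed.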
==== 4.1.2 High-level Assessment Methodology ====