Modifying Without a Trace: High-level Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms

J. King, B. Smith, L. Williams, "Modifying Without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms", Proceedings of the International Health Informatics Symposium (IHI 2012), pp. 305-314, 2012.

Without adequate audit mechanisms, electronic health record (EHR) systems remain vulnerable to undetected misuse. Users could modify or delete protected health information without these actions being traceable. The objective of this paper is to assess electronic health record audit mechanisms to determine the current degree of auditing for non-repudiation and determine if high-level audit guidelines adequately address non-repudiation. We qualitatively assess three open-source EHR systems. In our high-level analysis, we derive a set of 16 non-specific auditable event types that affect non-repudiation. We find that the EHR systems audit an average of 12.5% of non-specific event types. In our lower-level analysis, we generate 58 black-box test cases based on specific auditable events derived from the Certification Commission for Health Information certification criteria. We find that only 4.02% of these test executions pass. Additionally, 20% of tests fail in all three EHR systems on actions including the modification of patient demographics, assignment of user privileges, and change of user passwords. The ambiguous nature of non-specific auditable event types may explain the overall inadequacy of auditing for non-repudiation. EHR system developers should focus on specific auditable events for managing protected health information instead of non-specific auditable event types derived from generalized guidelines.