FHIR Chat · AuditEvent recording in CapabilityStatement · implementers

Stream: implementers

Topic: AuditEvent recording in CapabilityStatement


Rick Geimer (Mar 02 2020 at 22:02):

This is to discuss https://jira.hl7.org/browse/FHIR-24691

During the presentation of the FHIR Privacy and Security webinar, when discussing that some FHIR servers have a remedial AuditEvent recording of basic REST actions, it was asked whether that was discoverable in a CapabilityStatement.

When an ImplementationGuide defines mandatory AuditEvent conformance, this knowledge is already supported in the CapabilityStatement. So this is not a replacement for more actionable knowledge about support for an actor within an Implementation Guide.

Could this be conveyed as a type of security?

Should there be a set of codes to indicate basic RESTful AuditEvents, vs. basic RESTful Provenance, or both?

Grahame Grieve (Mar 02 2020 at 22:23):

This fits nicely into the proposed re-work of CapabilityStatement.

John Moehrke (Mar 02 2020 at 22:26):

I'm interested. I was figuring this might be simply handled with the definition of an IG specific to Security/Privacy audit logging, whereby the declaration that an endpoint supports that IG tells one that they can find the events logged...

John Moehrke (Apr 26 2021 at 11:57):

I tried to understand what it takes to leverage the new CapabilityStatement2 model. I am unclear where the conformance details exist.
Whereas I have started solving this problem the classic way, with an Implementation Guide - http://build.fhir.org/ig/JohnMoehrke/BasicAudit/branches/main/index.html

Lloyd McKenzie (Apr 26 2021 at 17:22):

You need to figure out what codes you want IG authors to be able to declare values for related to AuditEvent support.

John Moehrke (Apr 26 2021 at 19:00):

I am still unclear. My understanding is that somewhere I would define a set of codes representing various kinds of "AuditEvent recording capabilities", and that these codes would have defined values available for them. These codes and values don't exist already... as far as I understand.
More to my point... where would the normative behaviors for each given code-and-value pair be documented?

John Moehrke (Apr 26 2021 at 19:00):

It seems far easier, and clearer how to do it, with an ImplementationGuide.

Lloyd McKenzie (Apr 26 2021 at 20:51):

Not completely following. In the end, you need to define some codes and what they mean so they can be used in a CapabilityStatement. Yes, you could do that as part of an IG if you wished.

John Moehrke (Apr 27 2021 at 11:12):

What is the alternative documentation model for these codes besides an IG? And if an IG is used, then the current CapabilityStatement is mostly enough (it needs actor decoration on an IG canonical conformance claim).

Lloyd McKenzie (Apr 27 2021 at 13:59):

It's only enough if you expect to define distinct CapabilityStatements for every function, which isn't really what CapabilityStatements are intended for.

Lloyd McKenzie (Apr 27 2021 at 13:59):

Also, you wouldn't be able to query and ask "Does this system support X?"


Last updated: Apr 12 2022 at 19:14 UTC