FHIR Chat · AuditEvent changes · Security and Privacy

Stream: Security and Privacy

Topic: AuditEvent changes


John Moehrke (Jul 08 2021 at 12:56):

With the "threat" of AuditEvent going Normative in R5, there have been a number of critical (in a good way) Change Requests. Some of them are persuasive in ways that I really would like to get critical input from the implementer community.

John Moehrke (Jul 08 2021 at 13:00):

AuditEvent.entity.lifecycle -- this element seems to not be clearly obvious what the use-case is, or how it is to be used. It has a binding to the Lifecycle Event vocabulary. Which is bringing up more concern, as the Lifecycle Event vocabulary is about "Events" not "States". I had historically understood the .lifecycle element would be available to be populated with a state of that entity -- when that state is important to the event. If this is really intended to be the object lifecycle "state", then a very different vocabulary should be given, and likely be just an example set of "state" values.
The other alternative is to move it to a core extension, like we have done with other elements defined in the IETF / DICOM schema, where the element is not clearly generally needed.

John Moehrke (Jul 09 2021 at 16:48):

@Gary Dickinson -- does the ISO EHR audit specification use the lifecycle element on entity? Or does it just use lifecycle events as events worthy of recording an auditEvent (i.e. auditEvent.subtype)? It is pointed out that the use of event vocabulary to describe an object is nonsensical. One might have a set of lifecycle states that could be used this way, but not lifecycle events.

John Moehrke (Jul 09 2021 at 16:49):

https://jira.hl7.org/browse/FHIR-32470

Gary Dickinson (Jul 09 2021 at 16:53):

John,

Let’s talk. I’m not sure I fully understand what you’re asking/suggesting.

Thanks and Regards,

Gary

John Moehrke (Jul 09 2021 at 18:42):

Okay. I must say that I have just this week had an awakening to the distinction of the lifecycle events as events and that this same vocabulary is not properly (or able to be) applied as a state/status indicator. Thus it is feeling like the use of lifecycle events vocabulary in AuditEvent.entity is wrong, while it is still very appropriate that a lifecycle event vocabulary is useful as trigger events and thus AuditEvent.subtype. Today they are in both places.


Last updated: Apr 12 2022 at 19:14 UTC