Stream: Security and Privacy
Topic: AuditEvent testing at FHIR-Connectathon
John Moehrke (Apr 16 2021 at 15:16):
Is anyone interested in testing AuditEvent at the upcoming FHIR-Connectathon?
David Pyke (Apr 16 2021 at 16:59):
Is there a specific track?
John Moehrke (Apr 16 2021 at 18:08):
If there was interest, I would create a track. But to create a track and twiddle my thumbs alone, I can do without creating a track.
David Pyke (Apr 16 2021 at 18:26):
I know SANER has audit, there may be others with AuditEvent in them. Might be better to coordinate there.
John Moehrke (Apr 16 2021 at 18:33):
Yes, I know I put AuditEvent into SANER... but does anyone do it? What other IGs have AuditEvent in them? Do we have any tooling to test for compliance?
John Moehrke (Apr 16 2021 at 18:35):
I would like to test my IG -- http://build.fhir.org/ig/JohnMoehrke/BasicAudit/branches/main/index.html
Mohammad Jafari (Apr 28 2021 at 16:20):
@John Moehrke we have used AuditEvent for recording consent decisions in LEAP. If there is a track we'd like to participate.
John Moehrke (Apr 28 2021 at 18:55):
I think it is going to be an adhoc track. Those that are recording can share what they are doing. Those that are using AuditEvent can show what they are doing with them.
John Moehrke (May 11 2021 at 12:08):
@Mohammad Jafari I would like to watch your AuditEvents at this connectathon. What FHIR Server are you creating them in?
Mohammad Jafari (May 11 2021 at 18:27):
The part of the code that does this is here:
https://github.com/sdhealthconnect/leap-cds/blob/master/lib/audit.js
The resource template is here:
https://github.com/sdhealthconnect/leap-cds/blob/master/template-resources/audit-event.json
Our server:
http://34.94.253.50:8080/hapi-fhir-jpaserver/fhir/AuditEvent
Here is a sample of an AuditEvent resource generated by the LEAP Consent Decision service:
```json
{
  "resourceType": "AuditEvent",
  "id": "12066",
  "meta": {
    "versionId": "1",
    "lastUpdated": "2021-05-06T21:00:04.957+00:00",
    "source": "#Z8ZJT1GCH9gdHlj7"
  },
  "type": {
    "system": "http://hl7.org/fhir/ValueSet/audit-event-type",
    "code": "110112",
    "display": "Query"
  },
  "action": "E",
  "recorded": "2021-05-06T21:00:04.156Z",
  "outcome": "0",
  "outcomeDesc": "CONSENT_PERMIT",
  "agent": [
    {
      "type": {
        "coding": [
          {
            "system": "http://dicom.nema.org/resources/ontology/DCM",
            "code": "110152",
            "display": "Destination Role ID"
          }
        ]
      },
      "who": {
        "identifier": {
          "system": "urn:ietf:rfc:3986",
          "value": "urn:oid:1.1"
        }
      },
      "requestor": true,
      "purposeOfUse": [
        {
          "coding": [
            {
              "system": "http://terminology.hl7.org/ValueSet/v3-PurposeOfUse",
              "code": "TREAT"
            }
          ]
        }
      ]
    }
  ],
  "source": {
    "observer": {
      "display": "LEAP Consent Decision Service"
    },
    "type": [
      {
        "system": "http://terminology.hl7.org/CodeSystem/security-source-type",
        "code": "4",
        "display": "Application Server"
      }
    ]
  },
  "entity": [
    {
      "what": {
        "reference": "Patient/104",
        "display": "Younger,Gallow"
      },
      "type": {
        "system": "http://terminology.hl7.org/CodeSystem/audit-entity-type",
        "code": "1",
        "display": "Person"
      },
      "role": {
        "system": "http://terminology.hl7.org/CodeSystem/object-role",
        "code": "1",
        "display": "Patient"
      }
    },
    {
      "what": {
        "reference": "Consent/105"
      },
      "type": {
        "system": "http://terminology.hl7.org/CodeSystem/audit-entity-type",
        "code": "2",
        "display": "System Object"
      },
      "role": {
        "system": "http://terminology.hl7.org/CodeSystem/object-role",
        "code": "4",
        "display": "Domain Resource"
      }
    }
  ]
}
```
John Moehrke (May 12 2021 at 19:23):
That is an AuditEvent recording that a Query happened. Which is likely true that the access control decision did pull in the Consent.
John Moehrke (May 12 2021 at 19:23):
But I was expecting an AuditEvent indicating that a decision was made.
John Moehrke (May 12 2021 at 19:26):
So the .type would not be Query. The .type would be something like "AccessDecision"... likely a code you would need to define in your IG...
John Moehrke (May 12 2021 at 19:27):
Note: as a Query type AuditEvent, you are expected to have an entity with the .query populated.
John Moehrke (May 12 2021 at 19:54):
Note that the reason the vocabulary for .type does not include "access control decision" is that we kind of expected that to be something done in general IT security, and thus not something healthcare specific. But this is why the .type is extensible.
John Moehrke (May 12 2021 at 19:56):
Ah, that leads me to think that with an AuditEvent.type of access control decision... then the .entity would be the various "access control information", thus the Consent. So the role of the .entity pointing at the consent is ACI... as would also be the user identity, the system identity, the purpose of use, the target of the access control request scope.
Mohammad Jafari (May 13 2021 at 21:36):
Thanks John. These are interesting points. I do agree that Query is not the most accurate type but I also don't think it's the job of a consent engine profile to define a broad value like AccessDecision; maybe it makes sense to define a ConsentDecision though.
I do think that AccessDecision is probably one of the most common use-cases for Audit and should be added to core.
John Moehrke (May 17 2021 at 17:09):
Check out Whova. I have added a meet-up for AuditEvent Tuesday 12pm GMT.
John Moehrke (May 17 2021 at 22:00):
Some minor updates on my prototype IG for basic audit, enhancing logging of search, specifically POST based search: http://build.fhir.org/ig/JohnMoehrke/BasicAudit/branches/main/index.html
John Moehrke (May 18 2021 at 11:42):
Those at Connectathon... coming up in 20 minutes is the AuditEvent meet-up.
John Moehrke (May 18 2021 at 12:17):
@Mohammad Jafari are you actively recording AuditEvent resources this week? I don't see anything new in the server you indicated.
John Moehrke (May 18 2021 at 12:39):
Heard from a little bird that Firely does support automatic audit logging... if configured... wish I knew how to get a Firely server at FHIR-Connectathon to turn this on... I would like to work on aligning Firely and my AuditEvent IG. https://docs.fire.ly/firelyserver/features/auditing.html
Alexander Zautke (May 18 2021 at 12:44):
@John Moehrke You can do a GET on https://server.fire.ly/AuditEvent to see AuditEvents that we generate by default. Every request is logged in the default configuration.
Alexander Zautke (May 18 2021 at 12:45):
Let me know if you have any questions, happy to do a short breakout session on the topic to discuss if we should structure the AuditEvents differently.
John Moehrke (May 18 2021 at 12:46):
Excellent. Yes, I would like to work with you on this.
John Moehrke (May 18 2021 at 12:47):
Is there a way to turn on this audit logging on a server being used at connectathon?
Alexander Zautke (May 18 2021 at 12:49):
There is no dedicated connectathon server, it's just this instance.
John Moehrke (May 18 2021 at 12:50):
So... is that a yes?
Alexander Zautke (May 18 2021 at 12:50):
Ah sorry, yes, it should work
John Moehrke (May 18 2021 at 12:51):
So the server.fire.ly?
Alexander Zautke (May 18 2021 at 12:51):
Yes, every request to it should create a new AuditEvent.
John Moehrke (May 18 2021 at 12:51):
Excellent.
John Moehrke (May 18 2021 at 12:52):
Alexander Zautke said:
John Moehrke You can do a GET on https://server.fire.ly/AuditEvent to see AuditEvents that we generate by default. Every request is logged in the default configuration.
My mistake... I read this as: Every request is not logged in the default configuration.
John Moehrke (May 18 2021 at 12:53):
I (as security co-chair) am surprised to find audit logging turned on by default... happy surprise.
John Moehrke (May 18 2021 at 13:00):
I am thinking of scheduling another meet-up in the FHIR-Connectathon Whova. Any timeslot I should choose?
Alexander Zautke (May 18 2021 at 13:02):
I'm blocked between 3PM (UTC) and 4PM (UTC), feel free to choose anything else.
John Moehrke (May 18 2021 at 13:04):
I was thinking of noon UTC again
John Moehrke (May 18 2021 at 13:04):
or 11am UTC?
Alexander Zautke (May 18 2021 at 13:05):
11 AM UTC tomorrow sounds good
Mohammad Jafari (May 18 2021 at 16:17):
@John Moehrke
We do create an AuditEvent per permit/deny decision. I know @Duane Decouteau has been demoing LEAP so there must be new AuditEvents. We will look into this more.
John Moehrke (May 18 2021 at 16:20):
Right. Now I see 400+.
John Moehrke (May 18 2021 at 16:36):
I have added a meet-up Wednesday morning at 11am UTC.
John Moehrke (May 18 2021 at 16:37):
Find it in Whova under Community Meet-ups.
Duane Decouteau (May 18 2021 at 17:45):
@John Moehrke @Mohammad Jafari Today we covered consent creation, revocation, reinstatement, etc. During the demos tomorrow 1pm GMT we are covering enforcement of patient-privacy, adr, treatment, research. You'll see new CDS AuditEvents then.
Last updated: Apr 12 2022 at 19:14 UTC