Stream: CARIN IG for Blue Button®
Topic: Audit Logging and Trail
Joel Hansen (Aetna) (Jun 09 2020 at 21:08):
We are working on audit logging and audit trail. We are trying to figure out how much history to track in our audit log. We started at 1 year of history, but it seems like that might not be enough. Just checking to see what others are planning and if anyone has any idea how far back CMS might go during an audit.
John Moehrke (Jun 10 2020 at 12:23):
Yes, it is common for audit logs to be maintained for a short period of time, just long enough for all the expected analysis to be done. This analysis is usually driven by business needs, and regulations including local regulations. The timeframe also recognizes that this analysis is not usually a priority task, so it often gets delayed. The typical practice is to copy the logs to offline media when purging from real-time database access, to cover the exceptions. Further, the purging is often done using different timeframes per the kind of audit log entry. For example, because HIPAA requires an accounting of disclosures back 7 years, this often drives EXPORT type audit events to be preserved for 7 years while other events are purged at 1 year (alternatively these potential disclosure events are moved into a purpose-specific system or report) --- so the answer is going to vary greatly, and be more based on local regulations and the speed at which analysis can be done.
John Moehrke (Jun 10 2020 at 12:24):
see http://build.fhir.org/secpriv-module.html#audit
John Moehrke (Jun 10 2020 at 12:25):
I welcome recommendations for improving the text in the spec, so if you get good advice, please recommend it with a change request.
Ryan Harrison (Jun 12 2020 at 23:01):
It seems like AuditEvent was intended for use with req/res within a FHIR server, i.e. you'd query AuditEvents just like any other FHIR resource. Thoughts on publishing AuditEvent to a logstream? So the AuditEvents are not maintained (or queryable) by the FHIR server proper; but rather, downstream of the logstream, e.g. your SIEM tool.
https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/HL7.20v2.20MITM/near/196130176
Seems to suggest pick your poison?
John Moehrke (Jun 13 2020 at 12:39):
Yes, you can do that, and I know of implementations that have. Thus they really are just using the JSON encoding of AuditEvent to provide a structure to their logstream. Doesn't mean that you can't add a FHIR-compliant query supporting only AuditEvent on your audit log server.
John Moehrke (Jun 13 2020 at 12:41):
In fact the basis for AuditEvent, being the IHE-ATNA profile, does use syslog as the transport.
Last updated: Apr 12 2022 at 19:14 UTC