I am currently implementing the AuditEvent resource in our system. The system stores data that is exchanged between practitioners and patients and its data is consumed through a web application and an app.
The goal of the audit log is to be able to reconstruct every change being made to the data as well as to record every request for data. I would like to hear your input to my questions and the proposed solution in order to figure out if I’m on the right track at all.
-
Accounting for the fact that other software may access our system through the FHIR interface, I believe that audit events should only be generated by the server system which only exposes Read, Search and Versioned Read access to the audit log.
- I assume that this is the correct way of doing things.
-
Given that audit events are only generated by the server, this limits the amount of information available when creating an audit event. There is no way of dynamically setting
AuditEvent.agent.type
,AuditEvent.agent.role
, etc. as this information can not be supplied to the server through the standard FHIR interface. Similar restrictions apply to theAuditEvent.purposeOfEvent
andAuditEvent.entity
.- My current approach is to only record
who
,name
,requestor
(always true),policy
(OAuth token) andnetwork
for the agent. Does this make sense at all? Or should we try to tie users to certain roles for example?
- My current approach is to only record
-
In case that we should allow clients to supply custom audit events, there is still a lot of user input required in terms of
AuditEvent.agent
andAuditEvent.entity
.- Is there any guidance on the level of detail that should be provided in the audit log? Asking the user why he or she is requesting information may be cumbersome but acceptable for a practitioner but certainly not suitable for a patient or a related person.
-
We consider using
AuditEvent.source.site
to store the current data center in a distributed server environment.- Is AuditEvent.source.site a suitable place for this type of information? Should we model each instance of the application as a device and track it as the observer in
AuditEvent.source.observer
?
- Is AuditEvent.source.site a suitable place for this type of information? Should we model each instance of the application as a device and track it as the observer in
-
The last question is around
AuditEvent.entity.securityLabel
. Again, this information can not be inferred from the server. Plus, even if it could be supplied by the client, it would need to be set by the user.- How should this field be used in general? Some observation codes for example could be statically mapped to different security labels, but I doubt this is the correct way. For other resources it may not be possible to provide static security labels. Again, it is very tedious for a practitioner to correctly label each event and certainly too error prone to without a significant reduction in the number of labels being used. Patients themselves can clearly not be bothered by making this assessment.
I hope it’s fine that I collected all of these questions in one point. I’ll be happy to split it up though or to restructure it in order to make the answers more helpful for others that stumble upon some of them in the future.