DSTU2 QA Preview
This page is part of the FHIR Specification (v1.0.0: DSTU 2 Ballot 3). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions 
. Page versions: R5 R4B R4 R3 R2
| Security Work Group | Maturity Level: 2 | Compartments: Device, Patient, Practitioner |
A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.
The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by
DICOM (see DICOM Part 15 Annex A5 ).
This resource is managed collaboratively between HL7, DICOM, and IHE.
The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification.
Servers that provide support for Audit Event resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access of the AuditEvent would typically be limited to Security office, Privacy office, or other Systems Administration purposes. The AuditEvent is not intended to be used directly by Providers or Patients, although reports generated from the raw data would be useful. An example is a Patient centric Accounting of Disclosures or an Access Report.
All actors involved in an auditable event should record an AuditEvent (See Audit Event Sub-Type vocabulary for guidance on some security relevant events). This would result in duplicate AuditEvent entries which show the properly working system of systems. Thus it is typical to get an auditable event recorded by both the application, and server. I this way duplicate entries are expected, this is helpful because detecting when only one actor records that an auditable event is an indication of a security problem. There may be non-participaing actors that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary.
Security Relevant events are not limited to communications or RESTful events. They include software startup and shutdown; user login and logout; access control decisions; configuration events; software installation; policy rules changes; and manipulation of data that exposes the data to users.
Audit Event resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource was obtained. Provenance resources are prepared by the application that initiates the create/update of the resource.
Structure
| Name | Flags | Card. | Type | Description & Constraints |
|---|---|---|---|---|
  AuditEvent | DomainResource | Event record kept for security purposes | ||
  event | 1..1 | BackboneElement | What was done | |
  type | Σ | 1..1 | Coding | Type/identifier of event Audit Event ID (Extensible) |
| subtype | Σ | 0..* | Coding | More specific type/id for the event Audit Event Sub-Type (Extensible) |
 action | Σ | 0..1 | code | Type of action performed during the event AuditEventAction (Required) |
| dateTime | Σ | 1..1 | instant | Time when the event occurred on source |
| outcome | Σ | 0..1 | code | Whether the event succeeded or failed AuditEventOutcome (Required) |
| outcomeDesc | Σ | 0..1 | string | Description of the event outcome |
 purposeOfEvent | Σ | 0..* | Coding | The purposeOfUse of the event PurposeOfUse (Extensible) |
| participant | 1..* | BackboneElement | A person, a hardware device or software process | |
| role | 0..* | CodeableConcept | User roles (e.g. local RBAC codes) Audit Active Participant Role ID Code (Extensible) | |
 reference | Σ | 0..1 | Reference(Practitioner | Organization | Device | Patient | RelatedPerson) | Direct reference to resource |
| userId | Σ | 0..1 | Identifier | Unique identifier for the user |
| altId | 0..1 | string | Alternative User id e.g. authentication | |
| name | 0..1 | string | Human-meaningful name for the user | |
| requestor | 1..1 | boolean | Whether user is initiator | |
| location | 0..1 | Reference(Location) | Where | |
| policy | 0..* | uri | Policy that authorized event | |
| media | 0..1 | Coding | Type of media Media Type Code (Extensible) | |
| network | 0..1 | BackboneElement | Logical network location for application activity | |
| address | 0..1 | string | Identifier for the network access point of the user device | |
| type | 0..1 | code | The type of network access point AuditEventParticipantNetworkType (Required) | |
| purposeOfUse | 0..* | Coding | Reason given for this user PurposeOfUse (Extensible) | |
| source | 1..1 | BackboneElement | Application systems and processes | |
| site | 0..1 | string | Logical source location within the enterprise | |
| identifier | Σ | 1..1 | Identifier | The identity of source detecting the event |
| type | 0..* | Coding | The type of source where event originated Audit Event Source Type (Extensible) | |
| object | I | 0..* | BackboneElement | Specific instances of data or objects that have been accessed Either a name or a query (NOT both) |
 identifier | Σ | 0..1 | Identifier | Specific instance of object (e.g. versioned) |
| reference | Σ | 0..1 | Reference(Any) | Specific instance of resource (e.g. versioned) |
| type | 0..1 | Coding | Type of object involved AuditEventObjectType (Extensible) | |
| role | 0..1 | Coding | What role the Object played AuditEventObjectRole (Extensible) | |
| lifecycle | 0..1 | Coding | Life-cycle stage for the object AuditEventObjectLifecycle (Extensible) | |
| securityLabel | 0..* | Coding | Security labels applied to the object All Security Labels (Extensible) | |
| name | Σ I | 0..1 | string | Instance-specific descriptor for Object |
| description | 0..1 | string | Descriptive text | |
| query | Σ I | 0..1 | base64Binary | Actual query for object |
| detail | 0..* | BackboneElement | Additional Information about the Object | |
| type | 1..1 | string | Name of the property | |
| value | 1..1 | base64Binary | Property value | |
| Documentation for this format | ||||
UML Diagram
XML Template
<AuditEvent xmlns="http://hl7.org/fhir"><!-- from Resource: id, meta, implicitRules, and language --> <!-- from DomainResource: text, contained, extension, and modifierExtension --> <event> <!-- 1..1 What was done --> <type><!-- 1..1 Coding Type/identifier of event --></type> <subtype><!-- 0..* Coding More specific type/id for the event --></subtype> <action value="[code]"/><!-- 0..1 Type of action performed during the event --> <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source --> <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed --> <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome --> <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent> </event> <participant> <!-- 1..* A person, a hardware device or software process --> <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role> <reference><!-- 0..1 Reference(Practitioner|Organization|Device|Patient| RelatedPerson) Direct reference to resource --></reference> <userId><!-- 0..1 Identifier Unique identifier for the user --></userId> <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication --> <name value="[string]"/><!-- 0..1 Human-meaningful name for the user --> <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator --> <location><!-- 0..1 Reference(Location) Where --></location> <policy value="[uri]"/><!-- 0..* Policy that authorized event --> <media><!-- 0..1 Coding Type of media --></media> <network> <!-- 0..1 Logical network location for application activity --> <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device --> <type value="[code]"/><!-- 0..1 The type of network access point --> </network> <purposeOfUse><!-- 0..* Coding Reason given for this user --></purposeOfUse> </participant> <source> <!-- 1..1 Application systems and processes --> <site value="[string]"/><!-- 0..1 Logical source location within the enterprise --> <identifier><!-- 1..1 Identifier The identity of source detecting the event --></identifier> <type><!-- 0..* Coding The type of source where event originated --></type> </source> <object> <!-- 0..* Specific instances of data or objects that have been accessed --> <identifier><!-- 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier> <reference><!-- 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference> <type><!-- 0..1 Coding Type of object involved --></type> <role><!-- 0..1 Coding What role the Object played --></role> <lifecycle><!-- 0..1 Coding Life-cycle stage for the object --></lifecycle> <securityLabel><!-- 0..* Coding Security labels applied to the object --></securityLabel> <name value="[string]"/><!--
0..1 Instance-specific descriptor for Object --> <description value="[string]"/><!-- 0..1 Descriptive text --> <query value="[base64Binary]"/><!--
JSON Template
{
"resourceType" : "AuditEvent",
// from Resource: id, meta, implicitRules, and language
// from DomainResource: text, contained, extension, and modifierExtension
"event" : { // R! What was done
"type" : { Coding }, // R! Type/identifier of event
"subtype" : [{ Coding }], // More specific type/id for the event
"action" : "<code>", // Type of action performed during the event
"dateTime" : "<instant>", // R! Time when the event occurred on source
"outcome" : "<code>", // Whether the event succeeded or failed
"outcomeDesc" : "<string>", // Description of the event outcome
"purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
},
"participant" : [{ // R! A person, a hardware device or software process
"role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
"reference" : { Reference(Practitioner|Organization|Device|Patient|
RelatedPerson) }, // Direct reference to resource
"userId" : { Identifier }, // Unique identifier for the user
"altId" : "<string>", // Alternative User id e.g. authentication
"name" : "<string>", // Human-meaningful name for the user
"requestor" : <boolean>, // R! Whether user is initiator
"location" : { Reference(Location) }, // Where
"policy" : ["<uri>"], // Policy that authorized event
"media" : { Coding }, // Type of media
"network" : { // Logical network location for application activity
"address" : "<string>", // Identifier for the network access point of the user device
"type" : "<code>" // The type of network access point
},
"purposeOfUse" : [{ Coding }] // Reason given for this user
}],
"source" : { // R! Application systems and processes
"site" : "<string>", // Logical source location within the enterprise
"identifier" : { Identifier }, // R! The identity of source detecting the event
"type" : [{ Coding }] // The type of source where event originated
},
"object" : [{ // Specific instances of data or objects that have been accessed
"identifier" : { Identifier }, // Specific instance of object (e.g. versioned)
"reference" : { Reference(Any) }, // Specific instance of resource (e.g. versioned)
"type" : { Coding }, // Type of object involved
"role" : { Coding }, // What role the Object played
"lifecycle" : { Coding }, // Life-cycle stage for the object
"securityLabel" : [{ Coding }], // Security labels applied to the object
"name" : "<string>", // C? Instance-specific descriptor for Object
"description" : "<string>", // Descriptive text
"query" : "<base64Binary>", // C? Actual query for object
"detail" : [{ // Additional Information about the Object
"type" : "<string>", // R! Name of the property
"value" : "<base64Binary>" // R! Property value
}]
}]
}
Structure
| Name | Flags | Card. | Type | Description & Constraints |
|---|---|---|---|---|
| AuditEvent | DomainResource | Event record kept for security purposes | ||
| event | 1..1 | BackboneElement | What was done | |
| type | Σ | 1..1 | Coding | Type/identifier of event Audit Event ID (Extensible) |
| subtype | Σ | 0..* | Coding | More specific type/id for the event Audit Event Sub-Type (Extensible) |
| action | Σ | 0..1 | code | Type of action performed during the event AuditEventAction (Required) |
| dateTime | Σ | 1..1 | instant | Time when the event occurred on source |
| outcome | Σ | 0..1 | code | Whether the event succeeded or failed AuditEventOutcome (Required) |
| outcomeDesc | Σ | 0..1 | string | Description of the event outcome |
| purposeOfEvent | Σ | 0..* | Coding | The purposeOfUse of the event PurposeOfUse (Extensible) |
| participant | 1..* | BackboneElement | A person, a hardware device or software process | |
| role | 0..* | CodeableConcept | User roles (e.g. local RBAC codes) Audit Active Participant Role ID Code (Extensible) | |
| reference | Σ | 0..1 | Reference(Practitioner | Organization | Device | Patient | RelatedPerson) | Direct reference to resource |
| userId | Σ | 0..1 | Identifier | Unique identifier for the user |
| altId | 0..1 | string | Alternative User id e.g. authentication | |
| name | 0..1 | string | Human-meaningful name for the user | |
| requestor | 1..1 | boolean | Whether user is initiator | |
| location | 0..1 | Reference(Location) | Where | |
| policy | 0..* | uri | Policy that authorized event | |
| media | 0..1 | Coding | Type of media Media Type Code (Extensible) | |
| network | 0..1 | BackboneElement | Logical network location for application activity | |
| address | 0..1 | string | Identifier for the network access point of the user device | |
| type | 0..1 | code | The type of network access point AuditEventParticipantNetworkType (Required) | |
| purposeOfUse | 0..* | Coding | Reason given for this user PurposeOfUse (Extensible) | |
| source | 1..1 | BackboneElement | Application systems and processes | |
| site | 0..1 | string | Logical source location within the enterprise | |
| identifier | Σ | 1..1 | Identifier | The identity of source detecting the event |
| type | 0..* | Coding | The type of source where event originated Audit Event Source Type (Extensible) | |
| object | I | 0..* | BackboneElement | Specific instances of data or objects that have been accessed Either a name or a query (NOT both) |
| identifier | Σ | 0..1 | Identifier | Specific instance of object (e.g. versioned) |
| reference | Σ | 0..1 | Reference(Any) | Specific instance of resource (e.g. versioned) |
| type | 0..1 | Coding | Type of object involved AuditEventObjectType (Extensible) | |
| role | 0..1 | Coding | What role the Object played AuditEventObjectRole (Extensible) | |
| lifecycle | 0..1 | Coding | Life-cycle stage for the object AuditEventObjectLifecycle (Extensible) | |
| securityLabel | 0..* | Coding | Security labels applied to the object All Security Labels (Extensible) | |
| name | Σ I | 0..1 | string | Instance-specific descriptor for Object |
| description | 0..1 | string | Descriptive text | |
| query | Σ I | 0..1 | base64Binary | Actual query for object |
| detail | 0..* | BackboneElement | Additional Information about the Object | |
| type | 1..1 | string | Name of the property | |
| value | 1..1 | base64Binary | Property value | |
| Documentation for this format | ||||
XML Template
<AuditEvent xmlns="http://hl7.org/fhir">
JSON Template
{
"resourceType" : "AuditEvent",
// from Resource: id, meta, implicitRules, and language
// from DomainResource: text, contained, extension, and modifierExtension
"event" : { // R! What was done
"type" : { Coding }, // R! Type/identifier of event
"subtype" : [{ Coding }], // More specific type/id for the event
"action" : "<code>", // Type of action performed during the event
"dateTime" : "<instant>", // R! Time when the event occurred on source
"outcome" : "<code>", // Whether the event succeeded or failed
"outcomeDesc" : "<string>", // Description of the event outcome
"purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
},
"participant" : [{ // R! A person, a hardware device or software process
"role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
"reference" : { Reference(Practitioner|Organization|Device|Patient|
RelatedPerson) }, // Direct reference to resource
"userId" : { Identifier }, // Unique identifier for the user
"altId" : "<string>", // Alternative User id e.g. authentication
"name" : "<string>", // Human-meaningful name for the user
"requestor" : <boolean>, // R! Whether user is initiator
"location" : { Reference(Location) }, // Where
"policy" : ["<uri>"], // Policy that authorized event
"media" : { Coding }, // Type of media
"network" : { // Logical network location for application activity
"address" : "<string>", // Identifier for the network access point of the user device
"type" : "<code>" // The type of network access point
},
"purposeOfUse" : [{ Coding }] // Reason given for this user
}],
"source" : { // R! Application systems and processes
"site" : "<string>", // Logical source location within the enterprise
"identifier" : { Identifier }, // R! The identity of source detecting the event
"type" : [{ Coding }] // The type of source where event originated
},
"object" : [{ // Specific instances of data or objects that have been accessed
"identifier" : { Identifier }, // Specific instance of object (e.g. versioned)
"reference" : { Reference(Any) }, // Specific instance of resource (e.g. versioned)
"type" : { Coding }, // Type of object involved
"role" : { Coding }, // What role the Object played
"lifecycle" : { Coding }, // Life-cycle stage for the object
"securityLabel" : [{ Coding }], // Security labels applied to the object
"name" : "<string>", // C? Instance-specific descriptor for Object
"description" : "<string>", // Descriptive text
"query" : "<base64Binary>", // C? Actual query for object
"detail" : [{ // Additional Information about the Object
"type" : "<string>", // R! Name of the property
"value" : "<base64Binary>" // R! Property value
}]
}]
}
Alternate definitions: Schema/Schematron, Resource Profile (XML, JSON), Questionnaire
| Path | Definition | Type | Reference |
|---|---|---|---|
| AuditEvent.event.type | Type of event | Extensible | Audit Event ID |
| AuditEvent.event.subtype | Sub-type of event | Extensible | Audit Event Sub-Type |
| AuditEvent.event.action | Indicator for type of action performed during the event that generated the audit. | Required | AuditEventAction |
| AuditEvent.event.outcome | Indicates whether the event succeeded or failed | Required | AuditEventOutcome |
| AuditEvent.event.purposeOfEvent AuditEvent.participant.purposeOfUse | The reason the activity took place | Extensible | PurposeOfUse |
| AuditEvent.participant.role | Role(s) the user plays (from RBAC) | Extensible | Audit Active Participant Role ID Code |
| AuditEvent.participant.media | Used when the event is about exporting/importing onto media | Extensible | Media Type Code |
| AuditEvent.participant.network.type | The type of network access point of this participant in the audit event | Required | AuditEventParticipantNetworkType |
| AuditEvent.source.type | Code specifying the type of system that detected and recorded the event | Extensible | Audit Event Source Type |
| AuditEvent.object.type | Code for the object type involved audited | Extensible | AuditEventObjectType |
| AuditEvent.object.role | Code representing the role the Object played in the event | Extensible | AuditEventObjectRole |
| AuditEvent.object.lifecycle | Identifier for the data life-cycle stage for the object | Extensible | AuditEventObjectLifecycle |
| AuditEvent.object.securityLabel | Security Labels from the Healthcare Privacy and Security Classification System | Extensible | All Security Labels |
The audit event resource and the ATNA Audit record are used in many contexts through healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who all defined these codes to meet very specific use cases. These codes should be used when the are suitable, or other codes can be defined.
The set of codes defined for this resource are expected to grow over time, and additional codes may be proposed / requested using the community input link above.
This table summarizes common event scenarios, and the codes that should be used for each case.
| Scenario | type | subtype | action | Other |
| User Login (example) | 110114 User Authentication | 110122 User Authentication | E Execute | One participant which contains the details of the logged in user |
| User Logout (example) | 110114 User Authentication | 110123 User Logout | E Execute | One participant which contains the details of the logged out user |
| REST operation logged on server (example) | rest RESTful Operation | [code] defined for operation | * (see below) | Participant for logged in user, if available, and one object with a reference if at least the type is known as part of the operation. Reference.url should be provided to the granularity known |
| Search operation logged on server (example) | rest RESTful Operation | [code] defined for operation | E Execute | Participant for logged in user, if available, and one object with a query element. |
Audit Event Actions for RESTful operations:
| Operation | Action |
| create | C |
| read, vread, history-instance, history-type, history-system | R |
| update | U |
| delete | D |
| transaction, operation, conformance, validate, search, search-type, search-system | E |
Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.
| Name | Type | Description | Paths |
| action | token | Type of action performed during the event | AuditEvent.event.action |
| address | token | Identifier for the network access point of the user device | AuditEvent.participant.network.address |
| altid | token | Alternative User id e.g. authentication | AuditEvent.participant.altId |
| date | date | Time when the event occurred on source | AuditEvent.event.dateTime |
| desc | string | Instance-specific descriptor for Object | AuditEvent.object.name |
| identity | token | Specific instance of object (e.g. versioned) | AuditEvent.object.identifier |
| name | string | Human-meaningful name for the user | AuditEvent.participant.name |
| object-type | token | Type of object involved | AuditEvent.object.type |
| participant | reference | Direct reference to resource | AuditEvent.participant.reference (Device, Patient, Organization, Practitioner, RelatedPerson) |
| patient | reference | Direct reference to resource | AuditEvent.participant.reference, AuditEvent.object.reference (Patient) |
| policy | uri | Policy that authorized event | AuditEvent.participant.policy |
| reference | reference | Specific instance of resource (e.g. versioned) | AuditEvent.object.reference (Any) |
| site | token | Logical source location within the enterprise | AuditEvent.source.site |
| source | token | The identity of source detecting the event | AuditEvent.source.identifier |
| subtype | token | More specific type/id for the event | AuditEvent.event.subtype |
| type | token | Type/identifier of event | AuditEvent.event.type |
| user | token | Unique identifier for the user | AuditEvent.participant.userId |
© HL7.org 2011+. FHIR DSTU2 (v1.0.0-6850) generated on Tue, Sep 1, 2015 14:41+1000.
Links: What's a DSTU? |
Version History |
Table of Contents |
Compare to DSTU1 |
|
Propose a change