Connectathon 11 Snapshot

This page is part of the FHIR Specification (v1.2.0: STU 3 Draft). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4 R3 R2

6.5 Resource AuditEvent - Content

Security Work GroupMaturity Level: 2Compartments: Device, Patient, Practitioner

A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.

6.5.1 Scope and Usage

The audit event is based on the IHE-ATNA Audit record definitions, originally from RFC 3881 , and now managed by DICOM (see DICOM Part 15 Annex A5 ).

  • ASTM E2147 – Setup the concept of security audit logs for healthcare including accounting of disclosures
  • IETF RFC 3881 – Defined the Information Model (IETF rule forced this to be informative)
  • DICOM Audit Log Message – Made the information model Normative, defined Vocabulary, Transport Binding, and Schema
  • IHE ATNA – Defines the grouping with secure transport and access controls; and defined specific audit log records for specific IHE transactions.
  • NIST SP800-92 – Shows how to do audit log management and reporting – consistent with our model
  • HL7 PASS – Defined an Audit Service with responsibilities and a query interface for reporting use
  • ISO 27789 – Defined the subset of audit events that an EHR would need

This resource is managed collaboratively between HL7, DICOM, and IHE.

The primary purpose of this resource is the maintenance of security audit log information. However, it can also be used for any audit logging needs and simple event-based notification.

6.5.2 Background and Context

All actors; such as applications, processes, and services; involved in an auditable event should record an AuditEvent. This will likely result in multiple AuditEvent entries that show whether privacy and security safeguards, such as access control, are the properly functioning across an enterprise's system-of-systems. Thus it is typical to get an auditable event recorded by both the application in a workflow process, and the servers that support them. For this reason, duplicate entries are expected, which is helpful because it may aid in the detecting of, for example, fewer than expected actors being recorded in a multi-actor process or attributes related to those records being in conflict, which is an indication of a security problem. There may be non-participating actors that also detect a security relevant event and thus would record an AuditEvent, such as a trusted intermediary.

Security relevant events are not limited to communications or RESTful events. They include software startup and shutdown; user login and logout; access control decisions; configuration events; software installation; policy rules changes; and manipulation of data that exposes the data to users. See Audit Event Sub-Type vocabulary for guidance on some security relevant events.

The content of an AuditEvent is intended for use by Security System Administrators, Security and Privacy Information Managers, and Records Management personnel. This content is not intended to be accessible or used directly by other healthcare users, such as Providers or Patients, although reports generated from the raw data would be useful. An example is a Patient centric Accounting of Disclosures or an Access Report. Servers that provide support for Audit Event resources would not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record. Access of the AuditEvent would typically be limited to e.g., security, privacy, or other system administration purposes.

Relationship of AuditEvent and Provenance resources are often (though not exclusively) created by the application responding to the create/read/query/update/delete/execute etc. event. A Provenance resource resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource "came to be" in its current state, e.g., whether it was created de novo or obtained from another entity in whole, part, or by transformation. Provenance resources are prepared by the application that initiates the create/update of the resource, and may be persisted with the AuditEvent target resource.

6.5.2.1 Open Issues and Request for Comments

The AuditEvent Resource, like many of the FHIR Resources in DSTU, continues to be developed by the sponsoring HL7 Security Work Group. In particular, the Security WG continues to focus on refining the value sets used by both AuditEvent and its closely related Provenance Resource to ensure complete coverage of system and end user actions and action reasons that impact security objects (data, processes, applications, servers, etc.) The Security WG is particularly interested in implementer feedback on these focus areas, and at the same time cautions implementers to undertake due diligence in adapting these resources to their use cases.

At this juncture, there are multiple standard vocabularies in use that reflect different perspectives and levels of granularity on the concepts used to convey actions and reasons for actions. Both the AuditEvent and Provenance Resources are making available a number of those vocabularies via resource element bindings.

For example, AuditEvent has four elements that bind to "activity" vocabularies which could be used to convey the same concept where there’s no clear use case for doing so. E.g., a "read" action could be conveyed by AuditEvent.event.type, AuditEvent.event.subtype, AuditEvent.event.action, and AuditEvent.object.lifecycle. Only the AuditEvent.event.type is required, but is there a use case for including the others if the basic action is the same? However, there may be use cases in which both the high level CRUDE action value set is an important addition to a required code from AuditEvent.event.type. E.g., seems helpful where the required code = Audit event: Application Activity has taken place, and not so helpful if the required code = Audit Log has been used. The upshot is that implementers will need to carefully match the concepts in the value set bindings to their use cases to ensure that the level of granularity and concept selections are appropriate. The Security WG would appreciate comments on this, and in particular, how feasible or useful pre-coordination of these multiple activity value sets might be or whether collapsing these into one or two might be more appropriate.

The Security WG would also appreciate feedback from the implementer community on how well they are able to discern and utilize the different contexts in which the rationale for actions is conveyed using the HL7 Purpose of Use vocabulary [V:PurposeOfUse:2.16.840.1.113883.1.11.20448]. At this juncture, AuditEvent binds to this value set in four places:

  • As Purpose of Event – where it’s a machine that is the audited agent
  • As Purpose of Use – which is the Human User’s asserted POU
  • As a Security Label Element – see 3rd Detailed Description below
  • As a Security Label Metadata value Meta.security (Extensible)

The Security WG envisions use cases where these could be used in concert, but that would require system functionality that may not be feasible or beneficial to the implementer community. For example,

  • Purpose of Event when the machine2machine is an EHR server and the user’s client supposedly being used for Treatment
  • End User’s POU is Treatment and Research using e.g., DAF
  • POU Security Label on the participant/target object of the AuditEvent = Legal, which is the POU for e.g., Legal Hold [i.e., no one but Records Management and Legal is supposed to have access but the Access Control System doesn’t do ABAC or the patient’s consent directive does not assent to POU = research, but the audited system has not implemented data segmentation to prevent End User from using the data to research
  • Security Label on the AuditEvent Resource = System administration [because the only permitted use is for system administration/security]

Note that the binding of the value sets discussed above are currently set to extensible rather than example. Concerns have been raised about constraining vocabulary choices during DSTU especially for other jurisdictions. For example, outside of the US, ISO 13606 Purpose of Use codes are more likely used. Security WG would also appreciate feedback on whether these bindings should be example or extensible.

6.5.3 Resource Content

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. AuditEvent DomainResourceEvent record kept for security purposes
... event 1..1BackboneElementWhat was done
.... type Σ1..1CodingType/identifier of event
Audit Event ID (Extensible)
.... subtype Σ0..*CodingMore specific type/id for the event
Audit Event Sub-Type (Extensible)
.... action Σ0..1codeType of action performed during the event
AuditEventAction (Required)
.... dateTime Σ1..1instantTime when the event occurred on source
.... outcome Σ0..1codeWhether the event succeeded or failed
AuditEventOutcome (Required)
.... outcomeDesc Σ0..1stringDescription of the event outcome
.... purposeOfEvent Σ0..*CodingThe purposeOfUse of the event
PurposeOfUse (Extensible)
... participant 1..*BackboneElementA person, a hardware device or software process
.... role 0..*CodeableConceptUser roles (e.g. local RBAC codes)
Audit Active Participant Role ID Code (Extensible)
.... reference Σ0..1Reference(Practitioner | Organization | Device | Patient | RelatedPerson)Direct reference to resource
.... userId Σ0..1IdentifierUnique identifier for the user
.... altId 0..1stringAlternative User id e.g. authentication
.... name 0..1stringHuman-meaningful name for the user
.... requestor 1..1booleanWhether user is initiator
.... location 0..1Reference(Location)Where
.... policy 0..*uriPolicy that authorized event
.... media 0..1CodingType of media
Media Type Code (Extensible)
.... network 0..1BackboneElementLogical network location for application activity
..... address 0..1stringIdentifier for the network access point of the user device
..... type 0..1codeThe type of network access point
AuditEventParticipantNetworkType (Required)
.... purposeOfUse 0..*CodingReason given for this user
PurposeOfUse (Extensible)
... source 1..1BackboneElementApplication systems and processes
.... site 0..1stringLogical source location within the enterprise
.... identifier Σ1..1IdentifierThe identity of source detecting the event
.... type 0..*CodingThe type of source where event originated
Audit Event Source Type (Extensible)
... object I0..*BackboneElementSpecific instances of data or objects that have been accessed
Either a name or a query (NOT both)
.... identifier Σ0..1IdentifierSpecific instance of object (e.g. versioned)
.... reference Σ0..1Reference(Any)Specific instance of resource (e.g. versioned)
.... type 0..1CodingType of object involved
AuditEventObjectType (Extensible)
.... role 0..1CodingWhat role the Object played
AuditEventObjectRole (Extensible)
.... lifecycle 0..1CodingLife-cycle stage for the object
AuditEventObjectLifecycle (Extensible)
.... securityLabel 0..*CodingSecurity labels applied to the object
All Security Labels (Extensible)
.... name Σ I0..1stringInstance-specific descriptor for Object
.... description 0..1stringDescriptive text
.... query Σ I0..1base64BinaryActual query for object
.... detail 0..*BackboneElementAdditional Information about the Object
..... type 1..1stringName of the property
..... value 1..1base64BinaryProperty value

doco Documentation for this format

UML Diagram

AuditEvent (DomainResource)EventIdentifier for a family of the event. For example, a menu item, program, rule, policy, function code, application name or URL. It identifies the performed functiontype : Coding [1..1] « Type of event. (Strength=Extensible)Audit Event ID+ »Identifier for the category of eventsubtype : Coding [0..*] « Sub-type of event. (Strength=Extensible)Audit Event Sub-Type+ »Indicator for type of action performed during the event that generated the auditaction : code [0..1] « Indicator for type of action performed during the event that generated the audit. (Strength=Required)AuditEventAction! »The time when the event occurred on the sourcedateTime : instant [1..1]Indicates whether the event succeeded or failedoutcome : code [0..1] « Indicates whether the event succeeded or failed (Strength=Required)AuditEventOutcome! »A free text description of the outcome of the eventoutcomeDesc : string [0..1]The purposeOfUse (reason) that was used during the event being recordedpurposeOfEvent : Coding [0..*] « The reason the activity took place. (Strength=Extensible)PurposeOfUse+ »ParticipantSpecification of the role(s) the user plays when performing the event. Usually the codes used in this element are local codes defined by the role-based access control security system used in the local contextrole : CodeableConcept [0..*] « Role(s) the user plays (from RBAC). (Strength=Extensible)Audit Active Participant Role...+ »Direct reference to a resource that identifies the participantreference : Reference [0..1] « Practitioner|Organization|Device| Patient|RelatedPerson »Unique identifier for the user actively participating in the eventuserId : Identifier [0..1]Alternative Participant Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g. single sign-on), if availablealtId : string [0..1]Human-meaningful name for the username : string [0..1]Indicator that the user is or is not the requestor, or initiator, for the event being auditedrequestor : boolean [1..1]Where the event occurredlocation : Reference [0..1] « Location »The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token usedpolicy : uri [0..*]Type of media involved. Used when the event is about exporting/importing onto mediamedia : Coding [0..1] « Used when the event is about exporting/importing onto media. (Strength=Extensible)Media Type Code+ »The reason (purpose of use), specific to this participant, that was used during the event being recordedpurposeOfUse : Coding [0..*] « The reason the activity took place. (Strength=Extensible)PurposeOfUse+ »NetworkAn identifier for the network access point of the user device for the audit eventaddress : string [0..1]An identifier for the type of network access point that originated the audit eventtype : code [0..1] « The type of network access point of this participant in the audit event (Strength=Required)AuditEventParticipantNetworkT...! »SourceLogical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider groupsite : string [0..1]Identifier of the source where the event was detectedidentifier : Identifier [1..1]Code specifying the type of source where event originatedtype : Coding [0..*] « Code specifying the type of system that detected and recorded the event. (Strength=Extensible)Audit Event Source Type+ »ObjectIdentifies a specific instance of the participant object. The reference should always be version specificidentifier : Identifier [0..1]Identifies a specific instance of the participant object. The reference should always be version specificreference : Reference [0..1] « Any »The type of the object that was involved in this audit eventtype : Coding [0..1] « Code for the object type involved audited. (Strength=Extensible)AuditEventObjectType+ »Code representing the functional application role of Participant Object being auditedrole : Coding [0..1] « Code representing the role the Object played in the event. (Strength=Extensible)AuditEventObjectRole+ »Identifier for the data life-cycle stage for the participant objectlifecycle : Coding [0..1] « Identifier for the data life-cycle stage for the object. (Strength=Extensible)AuditEventObjectLifecycle+ »Denotes security labels for the identified objectsecurityLabel : Coding [0..*] « Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ »An instance-specific descriptor of the Participant Object ID audited, such as a person's namename : string [0..1]Text that describes the object in more detaildescription : string [0..1]The actual query for a query-type participant objectquery : base64Binary [0..1]DetailName of the propertytype : string [1..1]Property valuevalue : base64Binary [1..1]Identifies the name, action type, time, and disposition of the audited eventevent[1..1]Logical network location for application activity, if the activity has a network locationnetwork[0..1]A person, a hardware device or software processparticipant[1..*]Application systems and processessource[1..1]Additional Information about the Objectdetail[0..*]Specific instances of data or objects that have been accessedobject[0..*]

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <event>  <!-- 1..1 What was done -->
  <type><!-- 1..1 Coding Type/identifier of event --></type>
  <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
  <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
  <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
  <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
  <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
  <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 </event>
 <participant>  <!-- 1..* A person, a hardware device or software process -->
  <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role>
  <reference><!-- 0..1 Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) Direct reference to resource --></reference>
  <userId><!-- 0..1 Identifier Unique identifier for the user --></userId>
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the user -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* Coding Reason given for this user --></purposeOfUse>
 </participant>
 <source>  <!-- 1..1 Application systems and processes -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier><!-- 1..1 Identifier The identity of source detecting the event --></identifier>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <object>  <!-- 0..* Specific instances of data or objects that have been accessed -->
  <identifier><!-- 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier>
  <reference><!-- 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference>
  <type><!-- 0..1 Coding Type of object involved --></type>
  <role><!-- 0..1 Coding What role the Object played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the object --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels applied to the object --></securityLabel>
  <name value="[string]"/><!-- ?? 0..1 Instance-specific descriptor for Object -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Actual query for object -->
  <detail>  <!-- 0..* Additional Information about the Object -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->
  </detail>
 </object>
</AuditEvent>

JSON Template

{doco
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "event" : { // R!  What was done
    "type" : { Coding }, // R!  Type/identifier of event
    "subtype" : [{ Coding }], // More specific type/id for the event
    "action" : "<code>", // Type of action performed during the event
    "dateTime" : "<instant>", // R!  Time when the event occurred on source
    "outcome" : "<code>", // Whether the event succeeded or failed
    "outcomeDesc" : "<string>", // Description of the event outcome
    "purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
  },
  "participant" : [{ // R!  A person, a hardware device or software process
    "role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
    "reference" : { Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) }, // Direct reference to resource
    "userId" : { Identifier }, // Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the user
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ Coding }] // Reason given for this user
  }],
  "source" : { // R!  Application systems and processes
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : { Identifier }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "object" : [{ // Specific instances of data or objects that have been accessed
    "identifier" : { Identifier }, // Specific instance of object (e.g. versioned)
    "reference" : { Reference(Any) }, // Specific instance of resource (e.g. versioned)
    "type" : { Coding }, // Type of object involved
    "role" : { Coding }, // What role the Object played
    "lifecycle" : { Coding }, // Life-cycle stage for the object
    "securityLabel" : [{ Coding }], // Security labels applied to the object
    "name" : "<string>", // C? Instance-specific descriptor for Object
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Actual query for object
    "detail" : [{ // Additional Information about the Object
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value
    }]
  }]
}

Structure

NameFlagsCard.TypeDescription & Constraintsdoco
.. AuditEvent DomainResourceEvent record kept for security purposes
... event 1..1BackboneElementWhat was done
.... type Σ1..1CodingType/identifier of event
Audit Event ID (Extensible)
.... subtype Σ0..*CodingMore specific type/id for the event
Audit Event Sub-Type (Extensible)
.... action Σ0..1codeType of action performed during the event
AuditEventAction (Required)
.... dateTime Σ1..1instantTime when the event occurred on source
.... outcome Σ0..1codeWhether the event succeeded or failed
AuditEventOutcome (Required)
.... outcomeDesc Σ0..1stringDescription of the event outcome
.... purposeOfEvent Σ0..*CodingThe purposeOfUse of the event
PurposeOfUse (Extensible)
... participant 1..*BackboneElementA person, a hardware device or software process
.... role 0..*CodeableConceptUser roles (e.g. local RBAC codes)
Audit Active Participant Role ID Code (Extensible)
.... reference Σ0..1Reference(Practitioner | Organization | Device | Patient | RelatedPerson)Direct reference to resource
.... userId Σ0..1IdentifierUnique identifier for the user
.... altId 0..1stringAlternative User id e.g. authentication
.... name 0..1stringHuman-meaningful name for the user
.... requestor 1..1booleanWhether user is initiator
.... location 0..1Reference(Location)Where
.... policy 0..*uriPolicy that authorized event
.... media 0..1CodingType of media
Media Type Code (Extensible)
.... network 0..1BackboneElementLogical network location for application activity
..... address 0..1stringIdentifier for the network access point of the user device
..... type 0..1codeThe type of network access point
AuditEventParticipantNetworkType (Required)
.... purposeOfUse 0..*CodingReason given for this user
PurposeOfUse (Extensible)
... source 1..1BackboneElementApplication systems and processes
.... site 0..1stringLogical source location within the enterprise
.... identifier Σ1..1IdentifierThe identity of source detecting the event
.... type 0..*CodingThe type of source where event originated
Audit Event Source Type (Extensible)
... object I0..*BackboneElementSpecific instances of data or objects that have been accessed
Either a name or a query (NOT both)
.... identifier Σ0..1IdentifierSpecific instance of object (e.g. versioned)
.... reference Σ0..1Reference(Any)Specific instance of resource (e.g. versioned)
.... type 0..1CodingType of object involved
AuditEventObjectType (Extensible)
.... role 0..1CodingWhat role the Object played
AuditEventObjectRole (Extensible)
.... lifecycle 0..1CodingLife-cycle stage for the object
AuditEventObjectLifecycle (Extensible)
.... securityLabel 0..*CodingSecurity labels applied to the object
All Security Labels (Extensible)
.... name Σ I0..1stringInstance-specific descriptor for Object
.... description 0..1stringDescriptive text
.... query Σ I0..1base64BinaryActual query for object
.... detail 0..*BackboneElementAdditional Information about the Object
..... type 1..1stringName of the property
..... value 1..1base64BinaryProperty value

doco Documentation for this format

UML Diagram

AuditEvent (DomainResource)EventIdentifier for a family of the event. For example, a menu item, program, rule, policy, function code, application name or URL. It identifies the performed functiontype : Coding [1..1] « Type of event. (Strength=Extensible)Audit Event ID+ »Identifier for the category of eventsubtype : Coding [0..*] « Sub-type of event. (Strength=Extensible)Audit Event Sub-Type+ »Indicator for type of action performed during the event that generated the auditaction : code [0..1] « Indicator for type of action performed during the event that generated the audit. (Strength=Required)AuditEventAction! »The time when the event occurred on the sourcedateTime : instant [1..1]Indicates whether the event succeeded or failedoutcome : code [0..1] « Indicates whether the event succeeded or failed (Strength=Required)AuditEventOutcome! »A free text description of the outcome of the eventoutcomeDesc : string [0..1]The purposeOfUse (reason) that was used during the event being recordedpurposeOfEvent : Coding [0..*] « The reason the activity took place. (Strength=Extensible)PurposeOfUse+ »ParticipantSpecification of the role(s) the user plays when performing the event. Usually the codes used in this element are local codes defined by the role-based access control security system used in the local contextrole : CodeableConcept [0..*] « Role(s) the user plays (from RBAC). (Strength=Extensible)Audit Active Participant Role...+ »Direct reference to a resource that identifies the participantreference : Reference [0..1] « Practitioner|Organization|Device| Patient|RelatedPerson »Unique identifier for the user actively participating in the eventuserId : Identifier [0..1]Alternative Participant Identifier. For a human, this should be a user identifier text string from authentication system. This identifier would be one known to a common authentication system (e.g. single sign-on), if availablealtId : string [0..1]Human-meaningful name for the username : string [0..1]Indicator that the user is or is not the requestor, or initiator, for the event being auditedrequestor : boolean [1..1]Where the event occurredlocation : Reference [0..1] « Location »The policy or plan that authorized the activity being recorded. Typically, a single activity may have multiple applicable policies, such as patient consent, guarantor funding, etc. The policy would also indicate the security token usedpolicy : uri [0..*]Type of media involved. Used when the event is about exporting/importing onto mediamedia : Coding [0..1] « Used when the event is about exporting/importing onto media. (Strength=Extensible)Media Type Code+ »The reason (purpose of use), specific to this participant, that was used during the event being recordedpurposeOfUse : Coding [0..*] « The reason the activity took place. (Strength=Extensible)PurposeOfUse+ »NetworkAn identifier for the network access point of the user device for the audit eventaddress : string [0..1]An identifier for the type of network access point that originated the audit eventtype : code [0..1] « The type of network access point of this participant in the audit event (Strength=Required)AuditEventParticipantNetworkT...! »SourceLogical source location within the healthcare enterprise network. For example, a hospital or other provider location within a multi-entity provider groupsite : string [0..1]Identifier of the source where the event was detectedidentifier : Identifier [1..1]Code specifying the type of source where event originatedtype : Coding [0..*] « Code specifying the type of system that detected and recorded the event. (Strength=Extensible)Audit Event Source Type+ »ObjectIdentifies a specific instance of the participant object. The reference should always be version specificidentifier : Identifier [0..1]Identifies a specific instance of the participant object. The reference should always be version specificreference : Reference [0..1] « Any »The type of the object that was involved in this audit eventtype : Coding [0..1] « Code for the object type involved audited. (Strength=Extensible)AuditEventObjectType+ »Code representing the functional application role of Participant Object being auditedrole : Coding [0..1] « Code representing the role the Object played in the event. (Strength=Extensible)AuditEventObjectRole+ »Identifier for the data life-cycle stage for the participant objectlifecycle : Coding [0..1] « Identifier for the data life-cycle stage for the object. (Strength=Extensible)AuditEventObjectLifecycle+ »Denotes security labels for the identified objectsecurityLabel : Coding [0..*] « Security Labels from the Healthcare Privacy and Security Classification System. (Strength=Extensible)All Security Labels+ »An instance-specific descriptor of the Participant Object ID audited, such as a person's namename : string [0..1]Text that describes the object in more detaildescription : string [0..1]The actual query for a query-type participant objectquery : base64Binary [0..1]DetailName of the propertytype : string [1..1]Property valuevalue : base64Binary [1..1]Identifies the name, action type, time, and disposition of the audited eventevent[1..1]Logical network location for application activity, if the activity has a network locationnetwork[0..1]A person, a hardware device or software processparticipant[1..*]Application systems and processessource[1..1]Additional Information about the Objectdetail[0..*]Specific instances of data or objects that have been accessedobject[0..*]

XML Template

<AuditEvent xmlns="http://hl7.org/fhir"> doco
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <event>  <!-- 1..1 What was done -->
  <type><!-- 1..1 Coding Type/identifier of event --></type>
  <subtype><!-- 0..* Coding More specific type/id for the event --></subtype>
  <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
  <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
  <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
  <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
  <purposeOfEvent><!-- 0..* Coding The purposeOfUse of the event --></purposeOfEvent>
 </event>
 <participant>  <!-- 1..* A person, a hardware device or software process -->
  <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role>
  <reference><!-- 0..1 Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) Direct reference to resource --></reference>
  <userId><!-- 0..1 Identifier Unique identifier for the user --></userId>
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the user -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <location><!-- 0..1 Reference(Location) Where --></location>
  <policy value="[uri]"/><!-- 0..* Policy that authorized event -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <address value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
  <purposeOfUse><!-- 0..* Coding Reason given for this user --></purposeOfUse>
 </participant>
 <source>  <!-- 1..1 Application systems and processes -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier><!-- 1..1 Identifier The identity of source detecting the event --></identifier>
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <object>  <!-- 0..* Specific instances of data or objects that have been accessed -->
  <identifier><!-- 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier>
  <reference><!-- 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference>
  <type><!-- 0..1 Coding Type of object involved --></type>
  <role><!-- 0..1 Coding What role the Object played --></role>
  <lifecycle><!-- 0..1 Coding Life-cycle stage for the object --></lifecycle>
  <securityLabel><!-- 0..* Coding Security labels applied to the object --></securityLabel>
  <name value="[string]"/><!-- ?? 0..1 Instance-specific descriptor for Object -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- ?? 0..1 Actual query for object -->
  <detail>  <!-- 0..* Additional Information about the Object -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->
  </detail>
 </object>
</AuditEvent>

JSON Template

{doco
  "resourceType" : "AuditEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "event" : { // R!  What was done
    "type" : { Coding }, // R!  Type/identifier of event
    "subtype" : [{ Coding }], // More specific type/id for the event
    "action" : "<code>", // Type of action performed during the event
    "dateTime" : "<instant>", // R!  Time when the event occurred on source
    "outcome" : "<code>", // Whether the event succeeded or failed
    "outcomeDesc" : "<string>", // Description of the event outcome
    "purposeOfEvent" : [{ Coding }] // The purposeOfUse of the event
  },
  "participant" : [{ // R!  A person, a hardware device or software process
    "role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
    "reference" : { Reference(Practitioner|Organization|Device|Patient|
    RelatedPerson) }, // Direct reference to resource
    "userId" : { Identifier }, // Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the user
    "requestor" : <boolean>, // R!  Whether user is initiator
    "location" : { Reference(Location) }, // Where
    "policy" : ["<uri>"], // Policy that authorized event
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "address" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    },
    "purposeOfUse" : [{ Coding }] // Reason given for this user
  }],
  "source" : { // R!  Application systems and processes
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : { Identifier }, // R!  The identity of source detecting the event
    "type" : [{ Coding }] // The type of source where event originated
  },
  "object" : [{ // Specific instances of data or objects that have been accessed
    "identifier" : { Identifier }, // Specific instance of object (e.g. versioned)
    "reference" : { Reference(Any) }, // Specific instance of resource (e.g. versioned)
    "type" : { Coding }, // Type of object involved
    "role" : { Coding }, // What role the Object played
    "lifecycle" : { Coding }, // Life-cycle stage for the object
    "securityLabel" : [{ Coding }], // Security labels applied to the object
    "name" : "<string>", // C? Instance-specific descriptor for Object
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Actual query for object
    "detail" : [{ // Additional Information about the Object
      "type" : "<string>", // R!  Name of the property
      "value" : "<base64Binary>" // R!  Property value
    }]
  }]
}

 

Alternate definitions: Schema/Schematron, Resource Profile (XML, JSON), Questionnaire

6.5.3.1 Terminology Bindings

PathDefinitionTypeReference
AuditEvent.event.type Type of event.ExtensibleAudit Event ID
AuditEvent.event.subtype Sub-type of event.ExtensibleAudit Event Sub-Type
AuditEvent.event.action Indicator for type of action performed during the event that generated the audit.RequiredAuditEventAction
AuditEvent.event.outcome Indicates whether the event succeeded or failedRequiredAuditEventOutcome
AuditEvent.event.purposeOfEvent
AuditEvent.participant.purposeOfUse
The reason the activity took place.ExtensiblePurposeOfUse
AuditEvent.participant.role Role(s) the user plays (from RBAC).ExtensibleAudit Active Participant Role ID Code
AuditEvent.participant.media Used when the event is about exporting/importing onto media.ExtensibleMedia Type Code
AuditEvent.participant.network.type The type of network access point of this participant in the audit eventRequiredAuditEventParticipantNetworkType
AuditEvent.source.type Code specifying the type of system that detected and recorded the event.ExtensibleAudit Event Source Type
AuditEvent.object.type Code for the object type involved audited.ExtensibleAuditEventObjectType
AuditEvent.object.role Code representing the role the Object played in the event.ExtensibleAuditEventObjectRole
AuditEvent.object.lifecycle Identifier for the data life-cycle stage for the object.ExtensibleAuditEventObjectLifecycle
AuditEvent.object.securityLabel Security Labels from the Healthcare Privacy and Security Classification System.ExtensibleAll Security Labels

6.5.3.2 Constraints

  • sev-1: On AuditEvent.object: Either a name or a query (NOT both) (xpath on f:AuditEvent/f:object: not(exists(f:name)) or not(exists(f:query)))

6.5.3.3 Using Coded Values

The AuditEvent resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who all defined these codes to meet very specific use cases. These codes should be used when they are suitable, or other codes can be defined.

The set of codes defined for this resource is expected to grow over time, and additional codes may be proposed / requested using the community input link above.

6.5.3.4 Event codes for Common Scenarios

This table summarizes common event scenarios, and the codes that should be used for each case.

ScenariotypesubtypeactionOther
User Login (example)110114 User Authentication110122 User Authentication E ExecuteOne participant which contains the details of the logged in user.
User Logout (example)110114 User Authentication110123 User Logout E ExecuteOne participant which contains the details of the logged out user.
REST operation logged on server (example)rest RESTful Operation[code] defined for operation * (see below)Participant for logged in user, if available, and one object with a reference, if at least the type is known as part of the operation. Reference.url should be provided to the granularity known.
Search operation logged on server (example)rest RESTful Operation[code] defined for operation E ExecuteParticipant for logged in user, if available, and one object with a query element.

Audit Event Actions for RESTful operations:

OperationAction
createC
read, vread, history-instance, history-type, history-systemR
updateU
deleteD
transaction, operation, conformance, validate, search, search-type, search-systemE

6.5.4 Search Parameters

Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.

NameTypeDescriptionPaths
actiontokenType of action performed during the eventAuditEvent.event.action
addresstokenIdentifier for the network access point of the user deviceAuditEvent.participant.network.address
altidtokenAlternative User id e.g. authenticationAuditEvent.participant.altId
datedateTime when the event occurred on sourceAuditEvent.event.dateTime
descstringInstance-specific descriptor for ObjectAuditEvent.object.name
identitytokenSpecific instance of object (e.g. versioned)AuditEvent.object.identifier
namestringHuman-meaningful name for the userAuditEvent.participant.name
object-typetokenType of object involvedAuditEvent.object.type
participantreferenceDirect reference to resourceAuditEvent.participant.reference
(Device, Patient, Organization, Practitioner, RelatedPerson)
patientreferenceDirect reference to resourceAuditEvent.participant.reference, AuditEvent.object.reference
(Patient)
policyuriPolicy that authorized eventAuditEvent.participant.policy
referencereferenceSpecific instance of resource (e.g. versioned)AuditEvent.object.reference
(Any)
sitetokenLogical source location within the enterpriseAuditEvent.source.site
sourcetokenThe identity of source detecting the eventAuditEvent.source.identifier
subtypetokenMore specific type/id for the eventAuditEvent.event.subtype
typetokenType/identifier of eventAuditEvent.event.type
usertokenUnique identifier for the userAuditEvent.participant.userId