This page is part of the FHIR Specification (v0.4.0: DSTU 2 Draft). The current version which supersedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions.
This resource is maintained by the Security Work Group.
A record of an event made for purposes of maintaining a security log. Typical uses include detection of intrusion attempts and monitoring for inappropriate usage.
The security event is based on the ATNA Audit record definitions, originally from RFC 3881, and now managed by DICOM (see DICOM Part 15 Annex A5). This resource is managed collaboratively between HL7, DICOM, and IHE for the MHD/mHealth initiatives.
The primary purpose of this resource is the maintenance of audit log information. However, it can also be used for simple event-based notification or even general indexing of resources stored in a variety of repositories.
Servers that provide support for Security Event resources should not generally accept update or delete operations on the resources, as this would compromise the integrity of the audit record.
Security Events are created as events occur, to track and audit the events. Security Event resources are often (though not exclusively) created by the application responding to the read/query/create/update etc. event. A Provenance resource contains overlapping information, but is a record-keeping assertion that gathers information about the context in which the information in a resource was obtained. Provenance resources are prepared by the application that initiates the create/update etc. of the resource.
Structure
Name | Flags | Card. | Type | Description & Constraints |
---|---|---|---|---|
SecurityEvent | | | DomainResource | Event record kept for security purposes |
event | | 1..1 | Element | What was done |
event.type | | 1..1 | CodeableConcept | Type/identifier of event. Binding: SecurityEventType (Incomplete) |
event.subtype | | 0..* | CodeableConcept | More specific type/id for the event. Binding: SecurityEventSubType (Incomplete) |
event.action | | 0..1 | code | Type of action performed during the event. Binding: SecurityEventAction (Required) |
event.dateTime | | 1..1 | instant | Time when the event occurred on source |
event.outcome | | 0..1 | code | Whether the event succeeded or failed. Binding: SecurityEventOutcome (Required) |
event.outcomeDesc | | 0..1 | string | Description of the event outcome |
participant | I | 1..* | Element | A person, a hardware device or software process. Constraint: Either a userId or a reference, but not both |
participant.role | | 0..* | CodeableConcept | User roles (e.g. local RBAC codes). Binding: DICOMRoleId (Incomplete) |
participant.reference | I | 0..1 | Reference(Practitioner \| Patient \| Device) | Direct reference to resource |
participant.userId | I | 0..1 | string | Unique identifier for the user |
participant.altId | | 0..1 | string | Alternative User id e.g. authentication |
participant.name | | 0..1 | string | Human-meaningful name for the user |
participant.requestor | | 1..1 | boolean | Whether user is initiator |
participant.media | | 0..1 | Coding | Type of media |
participant.network | | 0..1 | Element | Logical network location for application activity |
participant.network.identifier | | 0..1 | string | Identifier for the network access point of the user device |
participant.network.type | | 0..1 | code | The type of network access point. Binding: SecurityEventParticipantNetworkType (Required) |
source | | 1..1 | Element | Application systems and processes |
source.site | | 0..1 | string | Logical source location within the enterprise |
source.identifier | | 1..1 | string | The id of source where event originated |
source.type | | 0..* | Coding | The type of source where event originated. Binding: SecurityEventSourceType (Incomplete) |
object | I | 0..* | Element | Specific instances of data or objects that have been accessed. Constraints: Either an identifier or a reference, but not both; Either a name or a query (or both) |
object.identifier | I | 0..1 | Identifier | Specific instance of object (e.g. versioned) |
object.reference | I | 0..1 | Reference(Any) | Specific instance of resource (e.g. versioned) |
object.type | | 0..1 | code | Object type being audited. Binding: SecurityEventObjectType (Required) |
object.role | | 0..1 | code | Functional application role of Object. Binding: SecurityEventObjectRole (Required) |
object.lifecycle | | 0..1 | code | Life-cycle stage for the object. Binding: SecurityEventObjectLifecycle (Required) |
object.sensitivity | | 0..1 | CodeableConcept | Policy-defined sensitivity for the object. Binding: SecurityEventObjectSensitivity (Example) |
object.name | I | 0..1 | string | Instance-specific descriptor for Object |
object.description | | 0..1 | string | Descriptive text |
object.query | I | 0..1 | base64Binary | Actual query for object |
object.detail | | 0..* | Element | Additional Information about the Object |
object.detail.type | | 1..1 | string | Name of the property |
object.detail.value | | 1..1 | base64Binary | Property value |
XML Template
```xml
<SecurityEvent xmlns="http://hl7.org/fhir">
 <!-- from Resource: id, meta, implicitRules, and language -->
 <!-- from DomainResource: text, contained, extension, and modifierExtension -->
 <event>  <!-- 1..1 What was done -->
  <type><!-- 1..1 CodeableConcept Type/identifier of event --></type>
  <subtype><!-- 0..* CodeableConcept More specific type/id for the event --></subtype>
  <action value="[code]"/><!-- 0..1 Type of action performed during the event -->
  <dateTime value="[instant]"/><!-- 1..1 Time when the event occurred on source -->
  <outcome value="[code]"/><!-- 0..1 Whether the event succeeded or failed -->
  <outcomeDesc value="[string]"/><!-- 0..1 Description of the event outcome -->
 </event>
 <participant>  <!-- 1..* A person, a hardware device or software process -->
  <role><!-- 0..* CodeableConcept User roles (e.g. local RBAC codes) --></role>
  <reference><!-- 0..1 Reference(Practitioner|Patient|Device) Direct reference to resource --></reference>
  <userId value="[string]"/><!-- 0..1 Unique identifier for the user -->
  <altId value="[string]"/><!-- 0..1 Alternative User id e.g. authentication -->
  <name value="[string]"/><!-- 0..1 Human-meaningful name for the user -->
  <requestor value="[boolean]"/><!-- 1..1 Whether user is initiator -->
  <media><!-- 0..1 Coding Type of media --></media>
  <network>  <!-- 0..1 Logical network location for application activity -->
   <identifier value="[string]"/><!-- 0..1 Identifier for the network access point of the user device -->
   <type value="[code]"/><!-- 0..1 The type of network access point -->
  </network>
 </participant>
 <source>  <!-- 1..1 Application systems and processes -->
  <site value="[string]"/><!-- 0..1 Logical source location within the enterprise -->
  <identifier value="[string]"/><!-- 1..1 The id of source where event originated -->
  <type><!-- 0..* Coding The type of source where event originated --></type>
 </source>
 <object>  <!-- 0..* Specific instances of data or objects that have been accessed -->
  <identifier><!-- 0..1 Identifier Specific instance of object (e.g. versioned) --></identifier>
  <reference><!-- 0..1 Reference(Any) Specific instance of resource (e.g. versioned) --></reference>
  <type value="[code]"/><!-- 0..1 Object type being audited -->
  <role value="[code]"/><!-- 0..1 Functional application role of Object -->
  <lifecycle value="[code]"/><!-- 0..1 Life-cycle stage for the object -->
  <sensitivity><!-- 0..1 CodeableConcept Policy-defined sensitivity for the object --></sensitivity>
  <name value="[string]"/><!-- 0..1 Instance-specific descriptor for Object -->
  <description value="[string]"/><!-- 0..1 Descriptive text -->
  <query value="[base64Binary]"/><!-- 0..1 Actual query for object -->
  <detail>  <!-- 0..* Additional Information about the Object -->
   <type value="[string]"/><!-- 1..1 Name of the property -->
   <value value="[base64Binary]"/><!-- 1..1 Property value -->
  </detail>
 </object>
</SecurityEvent>
```
JSON Template
```
{
  "resourceType" : "SecurityEvent",
  // from Resource: id, meta, implicitRules, and language
  // from DomainResource: text, contained, extension, and modifierExtension
  "event" : { // R! What was done
    "type" : { CodeableConcept }, // R! Type/identifier of event
    "subtype" : [{ CodeableConcept }], // More specific type/id for the event
    "action" : "<code>", // Type of action performed during the event
    "dateTime" : "<instant>", // R! Time when the event occurred on source
    "outcome" : "<code>", // Whether the event succeeded or failed
    "outcomeDesc" : "<string>" // Description of the event outcome
  },
  "participant" : [{ // R! A person, a hardware device or software process
    "role" : [{ CodeableConcept }], // User roles (e.g. local RBAC codes)
    "reference" : { Reference(Practitioner|Patient|Device) }, // C? Direct reference to resource
    "userId" : "<string>", // C? Unique identifier for the user
    "altId" : "<string>", // Alternative User id e.g. authentication
    "name" : "<string>", // Human-meaningful name for the user
    "requestor" : <boolean>, // R! Whether user is initiator
    "media" : { Coding }, // Type of media
    "network" : { // Logical network location for application activity
      "identifier" : "<string>", // Identifier for the network access point of the user device
      "type" : "<code>" // The type of network access point
    }
  }],
  "source" : { // R! Application systems and processes
    "site" : "<string>", // Logical source location within the enterprise
    "identifier" : "<string>", // R! The id of source where event originated
    "type" : [{ Coding }] // The type of source where event originated
  },
  "object" : [{ // Specific instances of data or objects that have been accessed
    "identifier" : { Identifier }, // C? Specific instance of object (e.g. versioned)
    "reference" : { Reference(Any) }, // C? Specific instance of resource (e.g. versioned)
    "type" : "<code>", // Object type being audited
    "role" : "<code>", // Functional application role of Object
    "lifecycle" : "<code>", // Life-cycle stage for the object
    "sensitivity" : { CodeableConcept }, // Policy-defined sensitivity for the object
    "name" : "<string>", // C? Instance-specific descriptor for Object
    "description" : "<string>", // Descriptive text
    "query" : "<base64Binary>", // C? Actual query for object
    "detail" : [{ // Additional Information about the Object
      "type" : "<string>", // R! Name of the property
      "value" : "<base64Binary>" // R! Property value
    }]
  }]
}
```
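A receiving audit repository can check the cardinalities and constraints listed above before it stores a record. The following is an added example, not part of the specification: the function name, the message wording and the sample record are made up for illustration, and it enforces only the "but not both" half of the two constraints and leaves the name/query constraint unchecked.

```python
import base64
import binascii

ACTION_CODES = {"C", "R", "U", "D", "E"}  # the action codes that appear on this page


def _require(node, path, names):
    """Report 1..1 elements from the structure table that are absent."""
    return [f"{path}.{n}: required element is missing" for n in names if n not in node]


def _is_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError, TypeError):
        return False


def validate_security_event(res):
    """Return a list of violations; an empty list means every check passed."""
    if res.get("resourceType") != "SecurityEvent":
        return ["resourceType: expected SecurityEvent"]
    problems = []
    event = res.get("event")
    if not isinstance(event, dict):
        problems.append("event: required element is missing")
    else:
        problems += _require(event, "event", ("type", "dateTime"))
        if "action" in event and event["action"] not in ACTION_CODES:
            problems.append(f"event.action: unknown code {event['action']!r}")
    participants = res.get("participant") or []
    if not participants:
        problems.append("participant: at least one is required")
    for i, p in enumerate(participants):
        path = f"participant[{i}]"
        problems += _require(p, path, ("requestor",))
        # Assumption: only the presence of both elements is treated as an error.
        if "userId" in p and "reference" in p:
            problems.append(f"{path}: userId and reference are both present")
    source = res.get("source")
    if not isinstance(source, dict):
        problems.append("source: required element is missing")
    else:
        problems += _require(source, "source", ("identifier",))
    for i, obj in enumerate(res.get("object") or []):
        path = f"object[{i}]"
        if "identifier" in obj and "reference" in obj:
            problems.append(f"{path}: identifier and reference are both present")
        if "query" in obj and not _is_base64(obj["query"]):
            problems.append(f"{path}.query: not valid base64")
        for j, d in enumerate(obj.get("detail") or []):
            dpath = f"{path}.detail[{j}]"
            problems += _require(d, dpath, ("type", "value"))
            if "value" in d and not _is_base64(d["value"]):
                problems.append(f"{dpath}.value: not valid base64")
    return problems


# Constructed sample with seven deliberate defects (not taken from the specification).
BAD = {
    "resourceType": "SecurityEvent",
    "event": {"type": {"coding": [{"code": "rest"}]}, "action": "X"},
    "participant": [{"userId": "alice", "reference": {"reference": "Practitioner/1"}}],
    "source": {"site": "ward-3"},
    "object": [{"identifier": {"value": "42"}, "reference": {"reference": "Patient/42"},
                "query": "Patient?name=Smith"}],
}
```

Running `validate_security_event(BAD)` reports the missing `dateTime`, `requestor` and `source.identifier`, the unknown action code, both "not both" violations, and the query that was stored as plain text instead of base64.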
Alternate definitions: Schema/Schematron, Resource Profile (XML, JSON), Questionnaire
Path | Definition | Type | Reference |
---|---|---|---|
SecurityEvent.event.type | Type of event | Incomplete | http://hl7.org/fhir/vs/security-event-type |
SecurityEvent.event.subtype | Sub-type of event | Incomplete | http://hl7.org/fhir/vs/security-event-sub-type |
SecurityEvent.event.action | Indicator for type of action performed during the event that generated the audit. | Fixed | http://hl7.org/fhir/security-event-action |
SecurityEvent.event.outcome | Indicates whether the event succeeded or failed | Fixed | http://hl7.org/fhir/security-event-outcome |
SecurityEvent.participant.role | Role(s) the user plays (from RBAC) | Incomplete | http://hl7.org/fhir/vs/dicm-402-roleid |
SecurityEvent.participant.network.type | The type of network access point that originated the audit event | Fixed | http://hl7.org/fhir/network-type |
SecurityEvent.source.type | Code specifying the type of source where event originated | Incomplete | http://hl7.org/fhir/vs/security-source-type |
SecurityEvent.object.type | Code for the participant object type being audited | Fixed | http://hl7.org/fhir/object-type |
SecurityEvent.object.role | Code representing the functional application role of Participant Object being audited | Fixed | http://hl7.org/fhir/object-role |
SecurityEvent.object.lifecycle | Identifier for the data life-cycle stage for the participant object | Fixed | http://hl7.org/fhir/object-lifecycle |
SecurityEvent.object.sensitivity | The sensitivity of an object in a security event resource. May also encompass confidentiality and rudimentary access control | Example | http://hl7.org/fhir/vs/security-event-sensitivity |
The security event resource and the ATNA Audit record are used in many contexts throughout healthcare. The coded values defined in the "extensible" bindings above are those widely used and/or defined by DICOM, IHE or ISO, who all defined these codes to meet very specific use cases. These codes should be used when they are suitable, or other codes can be defined.
The set of codes defined for this resource is expected to grow over time, and additional codes may be proposed or requested using the community input link above.
This table summarizes common event scenarios, and the codes that should be used for each case.
Scenario | type | subtype | action | Other |
---|---|---|---|---|
User Login (example) | 110114 User Authentication | 110122 User Authentication | E Execute | One participant which contains the details of the logged in user |
OAuth based User Login | 110114 User Authentication | 110122 User Authentication | E Execute | todo |
User Logout (example) | 110114 User Authentication | 110123 User Logout | E Execute | One participant which contains the details of the logged out user |
REST operation logged on server (example) | rest RESTful Operation | [code] defined for operation | * (see below) | Participant for logged in user, if available, and one object with a reference if at least the type is known as part of the operation. Reference.url should be provided to the granularity known |
Security Event Actions for RESTful operations:
Operation | Action |
---|---|
create | C |
read, vread, tags-get, history-instance, history-type, history-system | R |
update, tags-update | U |
delete, tags-delete | D |
search, validate, transaction, conformance, mailbox | E |
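The "REST operation logged on server" scenario and the action table above can be combined into one record builder. This is an added example, not code from the specification: the function and parameter names are hypothetical, the subtype code is assumed to be the operation name, a Reference is assumed to serialize as `{"reference": url}`, and coding system URIs are omitted because the page does not give them.

```python
from datetime import datetime, timezone

# Action code -> REST operations, copied from the table above.
_ACTION_TABLE = {
    "C": "create",
    "R": "read vread tags-get history-instance history-type history-system",
    "U": "update tags-update",
    "D": "delete tags-delete",
    "E": "search validate transaction conformance mailbox",
}
REST_ACTION = {op: code for code, ops in _ACTION_TABLE.items() for op in ops.split()}


def rest_security_event(operation, source_id, user_id, target=None, when=None):
    """Build the audit record a server would store after handling `operation`.

    target is the URL of the resource acted on, to whatever granularity is
    known ("Patient", "Patient/42", "Patient/42/_history/3"), or None.
    """
    if operation not in REST_ACTION:
        # Refuse rather than guess: a wrong action code misleads later review.
        raise ValueError(f"no action code defined for operation {operation!r}")
    if not user_id:
        # participant is 1..*; this example covers authenticated requests only.
        raise ValueError("user_id is required")
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("dateTime is an instant and needs a time zone")
    resource = {
        "resourceType": "SecurityEvent",
        "event": {
            # System URIs are left out because the page does not give them.
            "type": {"coding": [{"code": "rest", "display": "RESTful Operation"}]},
            # Assumption: the subtype code is the operation name itself.
            "subtype": [{"coding": [{"code": operation}]}],
            "action": REST_ACTION[operation],
            "dateTime": when.isoformat(),
        },
        # userId without reference, so the participant constraint holds.
        "participant": [{"userId": user_id, "requestor": True}],
        "source": {"identifier": source_id},
    }
    if target:
        # Assumption: a Reference is serialized as {"reference": <url>}.
        resource["object"] = [{"reference": {"reference": target}}]
    return resource


if __name__ == "__main__":
    import json
    print(json.dumps(rest_security_event(
        "vread", "fhir-server-01", "alice", "Patient/42/_history/3"), indent=2))
```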
Search parameters for this resource. The common parameters also apply. See Searching for more information about searching in REST, messaging, and services.
Name | Type | Description | Paths |
---|---|---|---|
action | token | Type of action performed during the event | SecurityEvent.event.action |
address | token | Identifier for the network access point of the user device | SecurityEvent.participant.network.identifier |
altid | token | Alternative User id e.g. authentication | SecurityEvent.participant.altId |
date | date | Time when the event occurred on source | SecurityEvent.event.dateTime |
desc | string | Instance-specific descriptor for Object | SecurityEvent.object.name |
identity | token | Specific instance of object (e.g. versioned) | SecurityEvent.object.identifier |
name | string | Human-meaningful name for the user | SecurityEvent.participant.name |
object-type | token | Object type being audited | SecurityEvent.object.type |
patient | reference | A patient that the .object.reference refers to | (Patient) |
patientid | token | The id of the patient (one of multiple kinds of participations) | |
reference | reference | Specific instance of resource (e.g. versioned) | SecurityEvent.object.reference (Any) |
site | token | Logical source location within the enterprise | SecurityEvent.source.site |
source | token | The id of source where event originated | SecurityEvent.source.identifier |
subtype | token | More specific type/id for the event | SecurityEvent.event.subtype |
type | token | Type/identifier of event | SecurityEvent.event.type |
user | token | Unique identifier for the user | SecurityEvent.participant.userId |