
Auditing for Accountability in Healthcare

Learn about the importance of auditing controls in healthcare, including access control, monitoring behavior, and local security policies. Explore how audit and access control coexist, with a focus on different audit systems and emerging audit message schemas.

shandra

Presentation Transcript


  1. Auditing for Accountability in Healthcare. Robert Horn, Agfa; Glen Marshall, Siemens

  2. Security Methods
     • Access Control
       • Get permission before allowing action
       • Suitable for situations, e.g. restricting access to authorized medical staff
     • Audit Control
       • Allow action without interference, trusting the judgement of the staff.
       • Monitor behavior to detect and correct errors.
     • Both have a place in security systems
     • Local security policies determine what is handled by access control, and what is handled by audit controls.

  3. Audit System
     • Audit Control: Local Policy determines what events to report, and when.
     • Security Audit Message Standard: Defines how to describe events
     • Repository: Local Policy determines what reports to keep, analyze, etc.
     • Diagram labels: Access Control; Activity; Event; Encode a Description; Report?; Send to Repository

  4. Standards Efforts
     • IETF - Security Audit Message structure (similar to HL7 version 3 XML structures)
     • HL7 - Define descriptions of potentially auditable events in the HL7 domain, utilizing the IETF structure
     • DICOM - Define descriptions of potentially auditable events in the DICOM domain, utilizing the IETF structure

  5. Existing Audit Message
     • Interim effort by IHE
     • Radiology-centric view of events
     • Demonstrated functional capabilities
     • Part of the IHE Technical Framework
     • Provides a basis for evaluating the more general solution being developed by IETF, HL7, DICOM, and ASTM
     • Will coexist with the more general solution, and gradually be replaced by the more general solution.

  6. Emerging Audit Message
     • New Effort for IHE IT Infrastructure 2004+
     • Informed by DICOM, HL7, ASTM, and IHE
     • Posted as IETF Internet Draft, leading to RFC
     • Anticipates an enterprise audit repository
     • Supports uniform policy administration
     • Enables integration of security surveillance
     • Provides extensibility to accommodate various government regulations plus enterprise and local policies

  7. Emerging Audit Message Schema (1)

  8. Emerging Audit Message Schema (2): EventActionCode, EventDateTime, EventOutcomeIndicator

  9. Emerging Audit Message Schema (3): UserID, AlternativeUserID, UserName, UserIsRequestor, NetworkAccessPointID, NetworkAccessPointTypeCode

  10. Emerging Audit Message Schema (4): AuditEnterpriseSiteID, AuditSourceID

  11. Emerging Audit Message Schema (5): ParticipantObjectID, ParticipantObjectTypeCode, ParticipantObjectTypeCodeRole, ParticipantObjectDataLifeCycle, ParticipantObjectSensitivity

  12. Emerging Audit Message
     • Extensibility
       • Is a fully conformant XML Schema
       • Direct extension: add elements
       • Restriction: constrain values
       • Vocabulary: reference to externally defined nomenclature from any source

  13. Questions?

  14. Thank You!
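
The audit flow on slide 3 (local policy decides whether to report, the event is encoded, the repository receives it) using the attributes listed on slides 8-11, as an added example that is not part of the original presentation. The grouping element names are assumptions modeled on RFC 3881; the policy, the required-attribute rule and all sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Hypothetical repository rule: attributes it insists on. Grouping element names
# are assumptions modeled on RFC 3881; attribute names come from slides 8-11.
REQUIRED = {
    "EventIdentification": ("EventActionCode", "EventDateTime", "EventOutcomeIndicator"),
    "ActiveParticipant": ("UserID", "UserIsRequestor"),
    "AuditSourceIdentification": ("AuditSourceID",),
    "ParticipantObjectIdentification": ("ParticipantObjectID", "ParticipantObjectTypeCode"),
}
# Hypothetical local policy: always report failures, plus these successful actions.
POLICY = {"report_actions": {"R", "U", "D"}}

def should_report(event, policy=POLICY):
    """Audit control decision (slide 3): does local policy want this event reported?"""
    ident = event["EventIdentification"]
    failed = ident["EventOutcomeIndicator"] != "0"  # assumed convention: "0" = success
    return failed or ident["EventActionCode"] in policy["report_actions"]

def encode(event):
    """Encode the event description as one XML audit message."""
    root = ET.Element("AuditMessage")
    for group, attrs in event.items():
        ET.SubElement(root, group, attrs)
    return ET.tostring(root, encoding="unicode")

def missing_fields(xml_text):
    """Repository-side check: required attributes that are absent or empty."""
    root = ET.fromstring(xml_text)
    gaps = []
    for group, names in REQUIRED.items():
        node = root.find(group)
        gaps += [f"{group}/@{n}" for n in names if node is None or not node.get(n)]
    return gaps

# Constructed sample event: a clinician reads one patient record (all values invented).
SAMPLE = {
    "EventIdentification": {"EventActionCode": "R", "EventOutcomeIndicator": "0",
                            "EventDateTime": "2004-03-01T09:15:00Z"},
    "ActiveParticipant": {"UserID": "jsmith", "UserName": "J. Smith",
                          "UserIsRequestor": "true", "NetworkAccessPointTypeCode": "1",
                          "NetworkAccessPointID": "ws-radiology-07"},
    "AuditSourceIdentification": {"AuditEnterpriseSiteID": "example-hospital",
                                  "AuditSourceID": "pacs-viewer"},
    "ParticipantObjectIdentification": {
        "ParticipantObjectID": "patient-000123", "ParticipantObjectTypeCode": "1",
        "ParticipantObjectTypeCodeRole": "1", "ParticipantObjectDataLifeCycle": "6",
        "ParticipantObjectSensitivity": "restricted"},
}
```

Calling `missing_fields(encode(SAMPLE))` returns an empty list; a message that lacks `UserID` cannot be attributed to a person, which is the accountability gap the repository-side check is there to catch.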
