View Source

Overview

The Audit Trail and Node Authentication (ATNA) Profile specifies the foundational elements needed by all forms of secure systems: node authentication, user authentication, event logging (audit), and telecommunications encryption. It is also used to indicate that other internal security properties such as access control, configuration control, and privilege restrictions are provided.

For details, see IHE Audit Trail and Node Authentication (ATNA) profile and RESTful ATNA Supplement.

Actors and Transactions

The following diagram provides an overview of the ATNA profile Actors, Transactions and their interactions.

Reference Architecture v0.1.1 DFT > Audit Trail and Node Authentication (ATNA) > ATNA-profile2.png

The table below lists the transactions for each actor directly involved in the ATNA profile. To claim compliance with ATNA, an actor shall support all required transactions (labeled “R”) and may support the optional transactions (labeled “O”).

Actor	Transaction	Optionality
Audit Record Repository	Record Audit Event [ITI-20] Retrieve ATNA Audit Event [ITI-81] Retrieve Syslog Event [ITI-82]	R O O
Audit Consumer	Retrieve ATNA Audit Event [ITI-81] Retrieve Syslog Event [ITI-82]	O O
Audit Record Forwarder	Record Audit Event [ITI-20]	R
Secure Node	Authenticate Node [ITI-19] Record Audit Event [ITI-20]	R R
Secure Application	Authenticate Node [ITI-19] Record Audit Event [ITI-20]	R R

Transactions

Authenticate Node [ITI-19] – In the Authenticate Node transaction, the local Secure Node presents its identity to a remote Secure Node and authenticates the identity of the remote node. After this mutual authentication, other secure transactions may take place through this secure pipe between the two nodes. Uses RFC5246 - Transport Layer Security (TLS) Protocol Version 1.2 and RFC3851 - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification protocols.
Record Audit Event [ITI-20] – This transaction is used to report auditable events to an Audit Record Repository. Uses RFC5424 – Syslog over TLS 1.2 or UDP protocols.
Retrieve ATNA Audit Event [ITI-81] – This transaction is used to search ATNA events recorded in an ATNA Audit Record Repository. The result is a FHIR bundle of AuditEvent Resources that match a set of search parameters.
Retrieve Syslog Event [ITI-82] – This transaction is used to retrieve syslog messages from the Audit Record Repository subject to parameters that limit the retrieval.

Sequence Diagram

Reference Architecture v0.1.1 DFT > Audit Trail and Node Authentication (ATNA) > ATNA_SD.png

Canadian Implementation Guidance for ATNA - CA:Sec and CA:Aud

The ATNA profile addresses two main concerns: Security and Event Logging for the purpose of Auditing. Given the fact that Security and Auditing are tightly coupled, along with the multiple options offered for both aspects, ATNA is a complex profile with extensive documentation.

CA:Sec and CA:Aud implementation guidance were introduced to allow for a lightweight ATNA, bring improvements by decoupling the two main aspects of ATNA: Security and Audit, and focus on a few options for modern formats and technologies. This guidance is not replacing ATNA. An implementation that is already compliant with ATNA will be able to pass ATNA tests.

The following diagram presents how the Canadian implementation guidance has segmented the key components of ATNA.

Reference Architecture v0.1.1 DFT > Audit Trail and Node Authentication (ATNA) > ATNA-profiles2.png

The section below provides comparison tables between the full ATNA profile and the options selected for CA:Sec and CA:Aud.

The following notation definitions are used throughout this section:

Optionality notation is defined as:

R	Required
O	Optional

Transport Protocol notation is defined as:

STX prefix	Secure transport protocol
ATX prefix	Audit transport protocol

Actors/Transactions

ATNA

Actors	Transactions	Optionality
Secure Node	Authenticate Node [ITI-19]	R
Secure Node	Record Audit Event [ITI-20]	R
Secure Application	Authenticate Node [ITI-19]	R
Secure Application	Record Audit Event [ITI-20]	R
Audit Record Repository	Record Audit Event [ITI-20]	R
	Retrieve ATNA Audit Event [ITI-81]	O
	Retrieve Syslog Event [ITI-82]	O
Audit Consumer	Retrieve ATNA Audit Event [ITI-81]	O
Audit Consumer	Retrieve Syslog Event [ITI-82]	O
Audit Record Forwarder	Record Audit Event [ITI-20]	R

CA:Sec

Actors	Transactions	Optionality
Secure Application	Authenticate Node [ITI-19]	R

CA:Aud

Actors	Transactions	Optionality
Audit Creator	Record Audit Event [ITI-20]	O (Note 1)
Audit Record Repository	Record Audit Event [ITI-20]	O (Note 1)
Audit Record Repository	Retrieve ATNA Audit Event [ITI-81]	O (Note 2)
Audit Record Forwarder	Record Audit Event [ITI-20]	O (Note 1)
Audit Consumer	Retrieve ATNA Audit Event [ITI-81]	R

Note 1: The audit events must be recorded using the IHE Record Audit Event [ITI-20] with FHIR Feed option or other (IHE or non-IHE) methods.

Note 2: This transaction is required if the Audit Record Repository is central.

Notes

ATNA defines two actors with similar role: Secure Node and Secure Application, that fulfill roles in both Security and Audit aspects via mandatory transaction requirements. This causes Security and Audit to be tightly coupled, meaning that to exchange secure communication, auditing also must be implemented as defined by ATNA.
The audit messages must be recorded by means defined by ATNA.
CA:Sec defines a single actor and a single transaction for secure communication.
CA:Aud defines actors that are responsible for auditing only. Secure communication is recommended to be achieved via actor grouping with the CA:Sec actor.
The audit messages can be recorded by any means, using either IHE transaction ITI-20 with FHIR option or any other (IHE or non-IHE) methods. The messages must be made available for retrieval in FHIR format via IHE transaction ITI-81.

Actor Options

ATNA

Actor	Options
Audit Record Repository	Retrieve Audit Message
	Retrieve Syslog Message
	ATX: FHIR Feed
	ATX: TLS Syslog
	ATX: UDP Syslog
Audit Consumer	Retrieve Audit Message
Audit Consumer	Retrieve Syslog Message
Audit Record Forwarder	ATX: FHIR Feed
	ATX: TLS Syslog
	ATX: UDP Syslog
Secure Node	Radiology Audit Trail
	FQDN Validation of Server Certificate
	STX: No Secure Transport
	STX: TLS 1.2 Floor using BCP195
	STX: S/MIME
	STX: WS-Security
	STX: HTTPS IUA
	ATX: FHIR Feed
	ATX: TLS Syslog
	ATX: UDP Syslog
Secure Application	Radiology Audit Trail
	FQDN Validation of Server Certificate
	STX: No Secure Transport
	STX: TLS 1.2 Floor using BCP195
	STX: S/MIME
	STX: WS-Security
	STX: HTTPS IUA
	ATX: FHIR Feed
	ATX: TLS Syslog
	ATX: UDP Syslog

CA:Sec

Actor	Options	Optionality
Secure Application	Mutual TLS	O (Note 1)
	Server-side TLS	O (Note 1)
	FQDN Validation of Server Certificate	R

Note 1: The Secure Application shall support one of the following options: Mutual TLS or Server-side TLS.

CA:Aud

Actor	Options	Optionality
Audit Creator	FHIR Feed	O (Note 1)
Audit Record Repository	FHIR Feed	O (Note 1)
Audit Record Repository	Retrieve Audit Message	O (Note 2)
Audit Record Forwarder	FHIR Feed	O (Note 1)
Audit Consumer	Retrieve Audit Message	R

Note 1: The audit events must be recorded using the IHE Record Audit Event [ITI-20] with FHIR Feed option or other (IHE or non-IHE) methods.

Note 2: This transaction is required if the Audit Record Repository is central.

Notes:

ATNA offers many actor options
CA:Sec and CA:Aud are focusing on a small subset of the ATNA options.
CA:Sec options also improve security with recommendations for higher versions of TLS protocol and stronger cipher suites

Required Actor Groupings

ATNA

ATNA Actor	Actor(s) to be grouped with
Audit Record Repository	Consistent Time / Time Client
Audit Record Repository	ATNA / Secure Node or Secure Application
Audit Consumer	ATNA / Secure Node or Secure Application
Audit Record Forwarder	Consistent Time / Time Client
	ATNA / Secure Node or Secure Application
	ATNA / Audit Record Repository
Secure Node	Consistent Time / Time Client
Secure Application	Consistent Time / Time Client

CA:Sec and CA:Aud

None

Notes:

ATNA requires multiple mandatory actor groupings.
CA:Sec and CA:Aud do not require mandatory actor groupings.

Actor grouping is optional and is recommended to achieve additional functionality such as System Time Synchronization or Security and Auditing.