CA:Aud specifies foundational components that are focused on:
- Event Logging (Audit)
Successful implementation of CA:Aud also requires the existence and support of:
- Secure Communication
- System Security Services
- Access control
- Privacy and Security Governance
For event audit logging, CA:Aud specifies:
- A standard schema for encoding a reported event
- Standard events to be reported:
- Events that are related to system activities, e.g., “Login Failure”.
- Events that are related to IHE transactions. These are described in the technical framework sections that describe the transaction.
- Event reporting messages in FHIR format using RESTful operations.
- An Audit Record Repository for collecting and reporting on the event audit logs.
Concepts
CA:Aud assumes that the actors will be installed into an environment that complies with all the security, privacy, and governance requirements.
Governance
The specific requirements for cybersecurity vary for different locations and purposes. The overall goals always include protecting confidentiality of data, integrity of data and systems, and availability of systems.
It is not practical or reasonable for CA:Aud to profile those requirements. They are too varied and cover much more than just interoperability of systems.
Event Logging
CA:Aud event audit logging is intended to provide a surveillance logging function. This means that it captures:
- All security events that are detected.
- A full set of activity and transaction events describing ongoing operations. These are used to establish a baseline for what is normal operation and are monitored for deviations from that baseline. The level of detail is subject to judgment. Details that do not matter in terms of establishing what is normal are left out, especially if they would reveal PHI.
The event logging is not designed for:
- Detailed forensic analysis, such as will be performed when surveillance reveals suspicious activity or after a security event is detected. This often needs to be at a level of detail that involves specific design aspects of specific products. CA:Aud expects that there is a forensic level log for products, and that those products document the design and specific details of their event reports. The forensic log may also use the CA:Aud schema and transactions, or it may be different.
- Workflow performance analysis log, such as is typical in tightly coordinated system controls. The CA:Aud events were chosen for privacy and security surveillance, not for system or staff performance purposes. A workflow analysis log may also use the CA:Aud schema and transactions, or it may be different.
Events
Activity
CA:Aud defines events related to activities of the IHE actors and system components that are grouped with a secure actor. These include events such as system startup, user login (both success and failure), access control violation, etc. CA:Aud requires that these be detected and reported.
These events are described in Record Audit Event [ITI-20], see sections Send Audit Resource Request Message, Trigger Events. Additional reportable events are often identified for specific events in other IHE profiles and are documented in those profiles or transactions, or they may be specified by local law, regulation, or policy.
Transaction
IHE profiles that define transactions may define events and specify the event reporting structure for those events.