3.2 ATNA related tasks
From OpenEMR Project Wiki
2. User login/logout
3. Session timeout
4. Account lockout
5. Patient record created/viewed/updated/deleted
9. node-authentication failure
10. Signature created/validated
11. PHI export (e.g. print)
12. PHI import
13. Security administration events
14. Backup and restore
ATNA Tasks [This is based on our current understanding]
a. Synchronize Time with the Time Server ["Consistent Time" http://www.hitsp.org/ConstructSet_Details.aspx?&PrefixAlpha=3&PrefixNumeric=16]
Synchronizing time with the Time Server using Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP) algorithms. We assume that this transaction is already implemented in HIE. We just need to use it to synchronize the time.
How to use it ? - Need to be explored
b. Connect to the Audit Repository using certificate based authentication
c. 'Record Audit Event' transaction
c1. Format the Audit messages according to RFC 3881
Audit the different activities at the EHR system and generates the XML messages as per RFC 3881 (Security Audit Message XML Data Definition)
c2. Transmit the audit messages to an "Audit Repository" using syslog protocol dynamically
Connect to the Audit Repository (through SSL), sends the "syslog header" and then sends the XML message body.
Approach 1: Using tools present in openhealthtools. OpenEMR would have to fork-and-exec a new Java process every time a new audit entry is made. This approach is not recommended.
Approach 2 [Recommended Approach]
We can write some PHP functions that perform the same actions (XML and syslog transport).
Here is some of the OpenEMR code changes needed:
- In globals.php, specify the hostname:port of the audit repository (Ex: vicare.visolve.com:514).
- Have a function create_audit_rfc3881_msg() that takes the audit entry details (username, event type, etc) and generates an XML message.
- Have a function send_audit_rfc5242_msg() that makes an SSL connection to the audit repository, sends the "syslog header", and then sends the XML message body
Currently we are working on 'Approach 2'
1. Does the events specified above looks ok for ATNA? Or do we need to consider anything extra?
2. The Audit Trail and Node Authentication Integration Profile requires only local user authentication. What is the User ID we need to provide to HIE?
3. Does our understanding of the ATNA tasks (mentioned above) correct?
2. Product Certification Standards - http://health.state.mn.us/ehealth/standards/certrecs102609.pdf
3. Audit Trail and Node Authentication - http://www.ihe.net/Participation/upload/IHE-ITI-ATNA-CT-08.ppt
5. About ATNA - http://www.waset.org/journals/waset/v54/v54-33.pdf
Associated with sourceforge forum: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3506734