3.1 Auditing in OpenEMR

From OpenEMR Project Wiki
Revision as of 18:56, 28 December 2009 by Bradymiller (talk | contribs)

This section describes auditing in OpenEMR. The work comprises two tasks:

1. Enhancing the logging in OpenEMR

2. Providing an "Audit Trail" GUI

The events to be audited are:

1. Start/stop

2. User login/logout 

3. Session timeout 

4. Account lockout 

5. Patient record created/viewed/updated/deleted 

6. Scheduling 

7. Query 

8. Order 

9. Node-authentication failure

10. Signature created/validated 

11. PHI export (e.g. print) 

12. PHI import 

13. Security administration events 

14. Backup and restore

The log format to be used is:

Date - Sys-date with time

Component - Actual module/event that the log entry is for

Type of event - Insert/Update/Delete/Query/Others

User Name - Name of the user who performs the task

Patient ID - Patient Identifier

Status - Success or Failure

Description - SQL Queries passed/Other descriptions

A new table can be created for this purpose.

1.1 Tasks required

  • a. Option to Enable/Disable the audit events
  • b. Logging all the events mentioned above (Logging database calls - high priority)

Most database calls pass through the "sqlInsert" function, so the log function can be called from there. Places where database calls are not routed via "sqlInsert" can be modified.

Note: The scope of this task does not include changing the existing business logic used for updates (even if a single field is used, all the data elements are passed through the update statement).

  • c. "Audit Trail" GUI - Enhancing the existing "Administration->Other->Logs (Logs Viewer)" to accommodate all the auditing events
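
The log format and the single logging hook for database calls described above, as an added PHP sketch that is not OpenEMR's own code. The table name `audit_log`, the functions `eventType()` and `auditedSql()`, the `$auditEnabled` switch and the sample `patient_data` table are assumptions made for illustration; it runs against an in-memory SQLite database through PDO.

```php
<?php
// Added sketch: audit_log, eventType(), auditedSql() and $auditEnabled are
// hypothetical names, not OpenEMR's schema or API. In-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE patient_data (pid INTEGER PRIMARY KEY, lname TEXT NOT NULL)');
// One column per field of the log format listed above.
$db->exec('CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    date TEXT NOT NULL, component TEXT NOT NULL, event_type TEXT NOT NULL,
    user_name TEXT NOT NULL, patient_id INTEGER, status TEXT NOT NULL,
    description TEXT NOT NULL)');

$auditEnabled = true; // task (a): enable/disable switch

// Map the leading SQL verb to the "Type of event" field.
function eventType(string $sql): string
{
    $verb = strtoupper((string) strtok(ltrim($sql), " \t\r\n"));
    $map = ['INSERT' => 'Insert', 'UPDATE' => 'Update', 'DELETE' => 'Delete', 'SELECT' => 'Query'];
    return $map[$verb] ?? 'Others';
}

// Single choke point for database calls: run the statement, then record
// the outcome. Failures are logged too, not only successes.
function auditedSql(PDO $db, string $component, string $user, ?int $pid, string $sql, array $params = []): bool
{
    global $auditEnabled;
    $status = 'Success';
    try {
        $db->prepare($sql)->execute($params);
    } catch (PDOException $e) {
        $status = 'Failure';
    }
    if ($auditEnabled) {
        // Description stores the statement text with placeholders, not bound values.
        $db->prepare('INSERT INTO audit_log
            (date, component, event_type, user_name, patient_id, status, description)
            VALUES (?, ?, ?, ?, ?, ?, ?)')
           ->execute([gmdate('Y-m-d H:i:s'), $component, eventType($sql), $user, $pid, $status, $sql]);
    }
    return $status === 'Success';
}

$insert = 'INSERT INTO patient_data (pid, lname) VALUES (?, ?)';
auditedSql($db, 'Patient record', 'admin', 1, $insert, [1, 'Doe']); // constructed sample data
auditedSql($db, 'Patient record', 'admin', 1, $insert, [1, 'Roe']); // reuses pid 1: primary-key violation
foreach ($db->query('SELECT date, event_type, user_name, patient_id, status FROM audit_log') as $row) {
    echo implode(' | ', [$row['date'], $row['event_type'], $row['user_name'], $row['patient_id'], $row['status']]), PHP_EOL;
}
```

Because the audit row is written after the statement runs, a rejected write still leaves a record with Status set to Failure, which is what an audit trail viewer needs in order to show denied or broken operations alongside successful ones.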

Links