3.1 Auditing in OpenEMR
From OpenEMR Project Wiki
Auditing in OpenEMR
This section describes about the auditing in OpenEMR. This comprises of two tasks.
1. Enhancing the logging functionality in OpenEMR
2. Providing an "Audit Trail" GUI
The events to be audited as per CCHIT requirements are given below:
1. start/stop 2. User login/logout 3. Session timeout 4. Account lockout 5. Patient record created/viewed/updated/deleted 6. Scheduling 7. Query 8. Order 9. node-authentication failure 10. Signature created/validated 11. PHI export (e.g. print) 12. PHI import 13. Security administration events 14. Backup and restore
Log Format to be used
Date - Sys-date with time
Component - Acutal module/event for which the log is meant for
Type of event - Insert/Update/Delete/Query/Others
User Name - Name of the user who performs the task
Client certificate Name
Patient ID - Patient Identifier
Status - Success or Failure
Checksum - checksum for the current record
Description - SQL Queries passed/Other descriptions
The existing table 'log' is modified to hold the above information
- a. Option to Enable/Disable the audit events
The following configurations are added in globals.php
$GLOBALS["enable_auditlog"] = 1; $GLOBALS["audit_events"] = array("patient-record"=>1, "scheduling"=>1, "query"=>1, "order"=>1, "security-administration"=>1, "backup"=>1, );
Note: The events which were already logged by openemr are logged by default.
- b. Logging all the events mentioned above (Logging database calls - high priority)
Most of the database calls are passed through functions [sqlInsert,sqlQuery,sqlStatement,sqlQ] mentioned in sql.inc. Log function are called from these functions.
Calls from php-gacl and postnuke calander are also logged by modifying their own adodb mysql driver functions.
Note: The scope of this task doesn't include changing the existing business logic used for update [Currently, even if a single field is used, all the data elements are passed through the update statement]
- c. "Audit Trail" Gui - Enhancing the existing "Administration->Other->Logs (Logs Viewer)" to accomodate all the auditing events
This is just a sample screen shot. More features (like start date and end date) & more events need to be included.
- Associated with Sourceforge forum thread: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3500441