Difference between revisions of "3.1 Auditing in OpenEMR"

From OpenEMR Project Wiki
 
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''3.1 Auditing in OpenEMR'''
== Auditing in OpenEMR ==


This section describes about the auditing in OpenEMR. This comprises of two tasks.
This section describes about the auditing in OpenEMR. This comprises of two tasks.


1. Enhancing the logging in OpenEMR
1. Enhancing the logging functionality in OpenEMR


2. Providing an "Audit Trail" GUI  
2. Providing an "Audit Trail" GUI  


The events decided to be audited are given below:
The events to be audited as per CCHIT requirements are given below:


  1. start/stop  
  1. start/stop  
Line 36: Line 36:
   
   
  14. Backup and restore
  14. Backup and restore
 
Log Format to be used is given below:
== Log Format to be used==


Date - Sys-date with time
Date - Sys-date with time
Line 46: Line 46:


User Name - Name of the user who performs the task
User Name - Name of the user who performs the task
Client certificate Name


Patient ID - Patient Identifier
Patient ID - Patient Identifier


Status - Success or Failure
Status - Success or Failure
Checksum - checksum for the current record


Description - SQL Queries passed/Other descriptions
Description - SQL Queries passed/Other descriptions


A new table can be created for this purpose
The existing table 'log' is modified to hold the above information


'''1.1 Tasks required'''
== Tasks involved ==


*a. Option to Enable/Disable the audit events  
*a. Option to Enable/Disable the audit events  
The following configurations are added in globals.php
    $GLOBALS["enable_auditlog"] = 1;
    $GLOBALS["audit_events"] = array("patient-record"=>1,
                                "scheduling"=>1,
                                "query"=>1,
                                "order"=>1,
                                "security-administration"=>1,
                                "backup"=>1,
                                );
Note: The events which were already logged by openemr are logged by default.


*b. Logging all the events mentioned above (Logging database calls - high priority)
*b. Logging all the events mentioned above (Logging database calls - high priority)


Most of the database calls are passed through "sqlInsert" function. Log function can be called from that function. The places where the database calls are not routed via "sqlInsert" can be modified.
Most of the database calls are passed through functions [sqlInsert,sqlQuery,sqlStatement,sqlQ] mentioned in sql.inc. Log function are called from these functions.


Note: The scope of this task won't include changing the existing business logic used for update (Even if a single field is used, all the data elements are passed through the update statement]
Calls from php-gacl and postnuke calander are also logged by modifying their own adodb mysql driver functions.
 
Note: The scope of this task doesn't include changing the existing business logic used for update [Currently, even if a single field is used, all the data elements are passed through the update statement]


*c. "Audit Trail" Gui - Enhancing the existing "Administration->Other->Logs (Logs Viewer)" to accomodate all the auditing events
*c. "Audit Trail" Gui - Enhancing the existing "Administration->Other->Logs (Logs Viewer)" to accomodate all the auditing events
== Sample Screen ==
This is just a sample screen shot. More features (like start date and end date) & more events need to be included.
[[File:AuditTrail.jpg|600px]]


== Links ==
== Links ==
* Associated with Sourceforge forum thread: https://sourceforge.net/projects/openemr/forums/forum/202506/topic/3500441
* Associated with Sourceforge forum thread: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3500441
 
== Status ==
Implementation completed.
 
[[Category:Certification]][[Category:Certification Stage I]]
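Review bot: The "Checksum - checksum for the current record" field in the log format list does not say which fields it covers, which algorithm is used, or whether it is keyed. A plain hash stored in the same 'log' table can be recomputed by anyone able to edit the row, so the page should document the construction and where any key is kept. In the same hunk, the globals.php block introduces $GLOBALS["enable_auditlog"] and the per-event switches without stating whether changing them is itself recorded as a security-administration event, and the Links entry goes from the https:// URL to the http:// one; keeping https would be preferable.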

Latest revision as of 02:46, 9 September 2012

Auditing in OpenEMR

This section describes auditing in OpenEMR. The work comprises two tasks.

1. Enhancing the logging functionality in OpenEMR

2. Providing an "Audit Trail" GUI

The events to be audited as per CCHIT requirements are given below:

1. start/stop 

2. User login/logout 

3. Session timeout 

4. Account lockout 

5. Patient record created/viewed/updated/deleted 

6. Scheduling 

7. Query 

8. Order 

9. node-authentication failure 

10. Signature created/validated 

11. PHI export (e.g. print) 

12. PHI import 

13. Security administration events 

14. Backup and restore

Log Format to be used

Date - Sys-date with time

Component - Actual module/event for which the log entry is meant

Type of event - Insert/Update/Delete/Query/Others

User Name - Name of the user who performs the task

Client certificate Name

Patient ID - Patient Identifier

Status - Success or Failure

Checksum - checksum for the current record

Description - SQL Queries passed/Other descriptions

The existing table 'log' is modified to hold the above information

Tasks involved

  • a. Option to Enable/Disable the audit events

The following configuration settings are added in globals.php:

   $GLOBALS["enable_auditlog"] = 1;
   $GLOBALS["audit_events"] = array("patient-record"=>1,
                                "scheduling"=>1,
                                "query"=>1,
                                "order"=>1,
                                "security-administration"=>1,
                                "backup"=>1,
                               );

Note: The events that were already logged by OpenEMR are logged by default.

  • b. Logging all the events mentioned above (Logging database calls - high priority)

Most of the database calls pass through the functions sqlInsert, sqlQuery, sqlStatement and sqlQ in sql.inc. The log function is called from these functions.

Calls from php-gacl and the PostNuke calendar are also logged by modifying their own adodb mysql driver functions.

Note: The scope of this task doesn't include changing the existing business logic used for updates (currently, even if a single field is used, all the data elements are passed through the update statement).

  • c. "Audit Trail" GUI - Enhancing the existing "Administration->Other->Logs (Logs Viewer)" to accommodate all the auditing events
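The following added example (not OpenEMR source) ties together the globals.php switches from task a, the log format fields and the statement-level logging of task b: it classifies a SQL statement, builds the log row and verifies its checksum later. The function names, the table-to-event map, and the use of a keyed HMAC-SHA256 as the checksum are assumptions; the page does not state the checksum algorithm.

```php
<?php
// Added illustration, not OpenEMR source: function names, the table map and
// the HMAC key are assumptions. Same keys as globals.php, "query" switched off.
$GLOBALS["enable_auditlog"] = 1;
$GLOBALS["audit_events"] = array("patient-record" => 1, "scheduling" => 1,
    "query" => 0, "order" => 1, "security-administration" => 1, "backup" => 1);

// "Type of event" field: Insert/Update/Delete/Query/Others.
function audit_event_type($sql) {
    $verb = strtolower((string) strtok(ltrim($sql), " \t\r\n"));
    $map = array("insert" => "Insert", "update" => "Update",
                 "delete" => "Delete", "select" => "Query");
    return isset($map[$verb]) ? $map[$verb] : "Others";
}

// "Component" field: hypothetical table-to-event map for this sketch.
function audit_component($sql) {
    $tables = array("patient_data" => "patient-record", "users" => "security-administration");
    foreach ($tables as $table => $event) {
        if (preg_match('/\b' . preg_quote($table, '/') . '\b/i', $sql)) return $event;
    }
    return audit_event_type($sql) === "Query" ? "query" : "other";
}

// Keyed checksum over every field except the checksum itself.
function audit_checksum(array $rec, $key) {
    unset($rec["checksum"]);
    ksort($rec);  // fixed field order; values cast so DB round-trips match
    return hash_hmac("sha256", json_encode(array_map("strval", $rec)), $key);
}

// Returns the row to store in 'log', or null when the event is switched off.
function audit_record($sql, $user, $cert, $pid, $ok, $key) {
    $component = audit_component($sql);
    $on = $GLOBALS["audit_events"][$component] ?? 1;  // unlisted events stay logged
    if (empty($GLOBALS["enable_auditlog"]) || !$on) return null;
    $rec = array("date" => date("Y-m-d H:i:s"), "component" => $component,
        "type" => audit_event_type($sql), "user" => $user, "cert_name" => $cert,
        "patient_id" => $pid, "status" => $ok ? "Success" : "Failure",
        "description" => $sql);
    $rec["checksum"] = audit_checksum($rec, $key);
    return $rec;
}

function audit_verify(array $rec, $key) {
    return hash_equals(audit_checksum($rec, $key), (string) ($rec["checksum"] ?? ""));
}

$key = "constructed-demo-key";  // constructed; a real key stays outside the DB
$rec = audit_record("UPDATE patient_data SET lname='Doe' WHERE pid=7", "admin", "client-01", 7, true, $key);
var_dump(audit_verify($rec, $key));   // row as written
$rec["user"] = "someone-else";        // constructed edit of a stored row
var_dump(audit_verify($rec, $key));   // edited row no longer verifies
var_dump(audit_record("SELECT * FROM lists", "admin", "client-01", null, true, $key));
```

Because the key is not stored in the 'log' table, a user with write access to that table cannot recompute a valid checksum after editing a row.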

Sample Screen

This is just a sample screen shot. More features (like start date and end date) & more events need to be included.

AuditTrail.jpg

Links

Status

Implementation completed.