Post on 22-Feb-2016
Modifying without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms
Jason King, Ben Smith, Laurie Williams
Motivation
• Policy, law, and regulations require audit mechanisms to record and examine interactions with protected health information
• Insider attack and/or general curiosity may lead to unauthorized access to protected health information
• The health informatics field needs standards that address implementation of software audit mechanisms for ensuring accountability and non-repudiation
[Figure: Venn diagram of general auditable events drawn from the four guideline sources (Chuvakin & Peterson, CCHIT, SANS, IEEE); region counts shown: 7, 51, 3, 0]
EHR Systems Studied
Findings
• Software developers for EHR systems should focus on specific auditable events for managing protected health information, instead of basing their audit mechanisms on guidelines or checklists that contain generalized auditable event types
• Without strong audit mechanisms to ensure accountability and responsibility, healthcare software remains vulnerable to undetected misuse, both malicious and accidental, including insider threat
System        Version / Release Date       License                        Clientele                   Added Modules
OpenEMR       3.2.0 / February 16, 2010    GNU General Public License     >30 million clients         None
OpenMRS       1.6.1 / March 28, 2010       OpenMRS Public License         International client base   Access Logging Module
Tolven eCHR   RC1 / May 28, 2010           Lesser General Public License  US, Europe, Asia-Pacific    Performance Plugin
Satisfaction of General Auditable Events for User-based Non-repudiation Auditing (16 criteria)
EHR System     Criteria Met   Criteria Not Met   Satisfaction Percent
OpenEMR        2              14                 12.5%
OpenMRS        3              13                 18.75%
Tolven eCHRᵃ   1              15                 6.25%
Satisfaction of Black-box Test Cases for User-based Non-repudiation Auditing
System         Pass    Fail     PNM     N/A      Total
OpenEMR        3       37       0       18       58
OpenMRS        4       23       1       30       58
Tolven eCHR    0       27       2       29       58
Total          7       87       3       77       174
Percent        4.02%   50.00%   1.72%   44.25%
General Auditable Events Evaluation
+ Combine 4 professional sources of general auditable event guidelines
+ Extract 16 general auditable events influencing user-based non-repudiation
Specific Auditable Events Evaluation
+ Use Smith & Williams (2011) systematic security black-box test approach
+ Extract 58 audit test cases for specific auditable events
Analysis of Results
+ Overall lack of auditing
+ Specific auditable events give a more adequate evaluation of auditing for user-based non-repudiation
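The following is an added illustration, not code from the poster or from OpenEMR, OpenMRS or Tolven eCHR, of the gap the findings describe between a general auditable event and a specific one. A hypothetical EHR that only records "user accessed the application" satisfies a checklist item such as "log user access", yet a black-box check in the spirit of the 58 test cases (did nurse_b's change to P001's diagnosis leave an entry naming the actor, patient, field, old value and new value?) fails, while a system that records the specific MODIFY event passes. The hash chain over the log is an assumption of this example, added so that an insider rewriting the attribution after the fact is also detectable; all names, record fields and sample data are constructed.

```python
"""Added example: generic versus specific auditable events for user-based
non-repudiation. Hypothetical classes; not taken from any real EHR product."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class AuditEvent:
    actor: str                      # authenticated user who performed the action
    action: str                     # e.g. ACCESS, VIEW, MODIFY, DELETE
    patient_id: str                 # whose protected health information was touched
    attribute: Optional[str] = None  # which record field was touched
    old_value: Optional[str] = None
    new_value: Optional[str] = None
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())
    prev_hash: str = ""             # hash of the previous entry (assumed tamper-evidence scheme)
    hash: str = ""


class AuditLog:
    """Append-only log; each entry commits to the previous one via SHA-256."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    @staticmethod
    def _digest(ev: AuditEvent) -> str:
        body = {k: v for k, v in ev.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **fields) -> AuditEvent:
        prev = self.events[-1].hash if self.events else self.GENESIS
        ev = AuditEvent(prev_hash=prev, **fields)
        ev.hash = self._digest(ev)
        self.events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """False if any stored entry was altered or the chain was broken."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or self._digest(ev) != ev.hash:
                return False
            prev = ev.hash
        return True


class GenericAuditEHR:
    """Meets a general guideline ('log user access') but records nothing about
    which patient data changed, so a modification leaves no attributable trace."""
    def __init__(self) -> None:
        self.records: dict[str, dict[str, str]] = {}
        self.audit = AuditLog()

    def update(self, actor: str, patient_id: str, attribute: str, value: str) -> None:
        self.audit.record(actor=actor, action="ACCESS", patient_id="")  # generic event only
        self.records.setdefault(patient_id, {})[attribute] = value


class SpecificAuditEHR(GenericAuditEHR):
    """Records the specific auditable event: who changed which field of which
    patient, and the before/after values."""
    def update(self, actor: str, patient_id: str, attribute: str, value: str) -> None:
        rec = self.records.setdefault(patient_id, {})
        self.audit.record(actor=actor, action="MODIFY", patient_id=patient_id,
                          attribute=attribute, old_value=rec.get(attribute), new_value=value)
        rec[attribute] = value


def modification_is_attributable(ehr_cls) -> bool:
    """Black-box style check: drive the system through a modification, then
    inspect only the audit trail to see whether the change can be pinned on
    the user who made it. Constructed sample data: two users, one patient."""
    ehr = ehr_cls()
    ehr.update("dr_a", "P001", "diagnosis", "J06.9")
    ehr.update("nurse_b", "P001", "diagnosis", "J10.1")
    return any(
        e.actor == "nurse_b" and e.action == "MODIFY" and e.patient_id == "P001"
        and e.attribute == "diagnosis" and e.old_value == "J06.9" and e.new_value == "J10.1"
        for e in ehr.audit.events
    )


def log_tamper_is_detected() -> bool:
    """An insider who can reach the stored log rewrites the attribution of a
    change; the chain check must flag it."""
    ehr = SpecificAuditEHR()
    ehr.update("dr_a", "P001", "diagnosis", "J06.9")
    ehr.update("nurse_b", "P001", "diagnosis", "J10.1")
    ehr.audit.events[1].actor = "dr_a"  # blame shifted after the fact
    return not ehr.audit.verify_chain()


if __name__ == "__main__":
    print("generic EHR attributable:", modification_is_attributable(GenericAuditEHR))
    print("specific EHR attributable:", modification_is_attributable(SpecificAuditEHR))
    print("tampered log detected:", log_tamper_is_detected())
```

Run stand-alone it prints False, True, True: the generic design would be scored "criteria met" on a general checklist item while failing the specific test case, which is the distinction the poster's two evaluations expose.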
• Chuvakin & Peterson, "Logging in the Age of Web Services"
• Certification Commission for Health Information Technology (CCHIT)
• SysAdmin, Audit, Network, & Security (SANS) Institute
• IEEE Standard for Information Technology: Hardcopy Device & System Security