Transcript
Page 1: Modifying without a Trace

Modifying without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms

Jason King, Ben Smith, Laurie Williams

Motivation

• Policy, law, and regulations require audit mechanisms to record and examine interactions with protected health information

• Insider attack and/or general curiosity may lead to unauthorized access to protected health information

• The health informatics field needs standards that address implementation of software audit mechanisms for ensuring accountability and non-repudiation

[Figure: overlap of general auditable events across the four guideline sources (Chuvakin & Peterson, CCHIT, SANS, IEEE); the region counts did not survive extraction]

EHR Systems Studied

Findings

• Software developers for EHR systems should focus on specific auditable events for managing protected health information, instead of basing their audit mechanisms on guidelines or checklists that contain generalized auditable event types

• Without strong audit mechanisms to ensure accountability and responsibility, healthcare software remains vulnerable to undetected misuse, both malicious and accidental, including insider threat

EHR System  | Version / Release Date      | License                      | Clientele                  | Added Modules
OpenEMR     | 3.2.0 / February 16, 2010   | GNU General Public License   | >30 million clients        | None
OpenMRS     | 1.6.1 / March 28, 2010      | OpenMRS Public License       | International client base  | Access Logging Module
Tolven eCHR | RC1 / May 28, 2010          | Lesser General Public License| US, Europe, Asia-Pacific   | Performance Plugin

Satisfaction of General Auditable Events for User-based Non-repudiation Auditing

EHR System      | Criteria Met | Criteria Not Met | Satisfaction Percent
OpenEMR         | 2            | 14               | 12.5%
OpenMRS         | 3            | 13               | 18.75%
Tolven eCHR (a) | 1            | 15               | 6.5%

Satisfaction of Black-box Test Cases for User-based Non-repudiation Auditing

System      | Pass  | Fail   | PNM   | N/A    | Total
OpenEMR     | 3     | 37     | 0     | 18     | 58
OpenMRS     | 4     | 23     | 1     | 30     | 58
Tolven eCHR | 0     | 27     | 2     | 29     | 58
Total       | 7     | 87     | 3     | 77     | 174
Percent     | 4.02% | 50.00% | 1.72% | 44.25% |

General Auditable Events Evaluation

+ Combine 4 professional sources of general auditable event guidelines
+ Extract 16 general auditable events influencing user-based non-repudiation

Specific Auditable Events Evaluation

+ Use Smith & Williams (2011) systematic security black-box test approach
+ Extract 58 audit test cases for specific auditable events

Analysis of Results

+ Overall lack of auditing
+ Specific auditable events give a more adequate evaluation of auditing for user-based non-repudiation
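As an added illustration (not the poster's own code or any of its 58 test cases), the distinction drawn by the findings and by the specific-events evaluation, in Python: an EHR-style record view that satisfies a generic "log access to data" guideline beside one that records the specific PHI event with actor and patient, and a constructed black-box style check of the kind such test cases perform. The event names, user and patient identifiers and sample PHI are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class AuditRecord:
    timestamp: str
    event: str                 # event type, e.g. "DATA_ACCESS" or "PHI_VIEW" (assumed names)
    user_id: Optional[str]     # authenticated actor; None = not attributable
    patient_id: Optional[str]  # subject of the PHI; None = not attributable
    detail: str = ""


class AuditLog:
    """Append-only in-memory audit trail (a constructed stand-in for an EHR's log)."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def record(self, event: str, user_id: Optional[str] = None,
               patient_id: Optional[str] = None, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.records.append(AuditRecord(stamp, event, user_id, patient_id, detail))


# Two implementations of a checklist item such as "log access to data".
def view_record_generic(log: AuditLog, user: str, patient: str) -> dict:
    log.record("DATA_ACCESS")  # an access was logged, but by whom, and to whose record?
    return {"patient": patient, "allergies": ["penicillin"]}  # constructed PHI


def view_record_specific(log: AuditLog, user: str, patient: str) -> dict:
    log.record("PHI_VIEW", user_id=user, patient_id=patient, detail="allergies")
    return {"patient": patient, "allergies": ["penicillin"]}  # constructed PHI


ViewFn = Callable[[AuditLog, str, str], dict]


def general_criterion_met(view_fn: ViewFn, user: str = "dr_alice", patient: str = "P-1001") -> bool:
    """General-guideline check: some audit record exists after the access."""
    log = AuditLog()
    view_fn(log, user, patient)
    return len(log.records) > 0


def specific_test_case(view_fn: ViewFn, user: str = "dr_alice", patient: str = "P-1001") -> bool:
    """Black-box style test: after the access, can the trail tie the event to this
    user AND this patient? That is what user-based non-repudiation requires."""
    log = AuditLog()
    view_fn(log, user, patient)
    return any(r.user_id == user and r.patient_id == patient for r in log.records)
```

Both implementations pass the general criterion; only the specific one passes the test case, which is why a checklist score can look adequate while the trail still cannot say who touched whose record.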

• Chuvakin & Peterson's "Logging in the Age of Web Services"
• Certification Commission for Health Information Technology
• SysAdmin, Audit, Network, & Security Institute
• IEEE Standard for Information Technology: Hardcopy Device & System Security
