Healthcare security audit logging


Moehrke, John (GE Healthcare)

To the CEE community:


I wish to inform the CEE community about a very successful security audit logging standards effort in Healthcare. The main motivation is to create a link with the CEE community and the healthcare community. This link should be a positive link for both of us. Let me explain.


We have defined an audit event description schema as well as an informative list of security relevant events. We continue to try to utilize general IT standards to transmit our events into general IT audit repositories. In this way:

a) Healthcare applications can focus on doing things with clinical data, and not spend time analyzing audit trails

b) Applications that specialize in analyzing audit trails can focus on this analysis


We are very interested in the efforts of CEE as it is the side of security audit logging that we are not interested in developing but are very reliant on.


This effort has been organized by a profiling organization: Integrating the Healthcare Enterprise (IHE). The standards we focus on:

- Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications (RFC 3881).
  - This is currently being moved into ISO through TC 215 as ISO/WD 27789.
  - RFC 3881 schema
- Further vocabulary and schema are found in DICOM Supplement 95 (ISO 12052).
- Further specification is in the IHE Audit Trail and Node Authentication Profile: IHE IT Infrastructure Technical Framework Version 2 or later.
  - Vol. 1, Section 9
  - Vol. 2, Sections 3.19 and 3.20
- We have tried to use Reliable-Syslog, but have so far been forced to use BSD-Syslog. We are in the process of recognizing the syslog-protocol family.


Our biggest problem has been that our security audit logging message is large, because it is XML but also because it is fully self-describing. That is, each event fully explains all the attributes of the event, so it is unnecessary to correlate messages with previous messages like login, subject selected, etc. We have worked with the syslog-protocol community to raise the MTU size; it is still smaller than we sometimes need.


I would be happy to answer any questions the group has on this topic.


John Moehrke
Principal Engineer: Interoperability and Security
GE Healthcare


M +1 920 912 8451



9900 Innovation Drive

Mailstop 2142 

Wauwatosa, WI  53226


GE imagination at work
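As an added example that is not part of John's post, nor code from IHE, DICOM or RFC 3881: a Python sketch that builds one fully self-describing RFC 3881 audit event, frames it as a BSD-syslog line, and checks it against the 1024-octet BSD-syslog (RFC 3164) and 480-octet syslog-protocol (RFC 5424) receiver limits the post alludes to. Element and attribute names follow the RFC 3881 schema as I recall it (verify against the RFC); the host names, user and patient identifiers, and vocabulary codes are constructed.

```python
import xml.etree.ElementTree as ET

# Transport limits the post runs into. RFC 3164 (BSD syslog) caps a packet at
# 1024 octets; RFC 5424 (syslog-protocol) only obliges receivers to accept 480
# octets and recommends 2048. Anything over a receiver's limit is truncated.
BSD_SYSLOG_MAX = 1024
SYSLOG_PROTOCOL_MIN = 480


def build_audit_message(user_id, source_ip, patient_id, outcome=0,
                        event_time="2024-01-01T00:00:00Z"):
    """Build a fully self-describing RFC 3881 AuditMessage for one record read.
    Element/attribute names follow RFC 3881's schema (assumption: verify against
    the RFC); the vocabulary codes and identifiers are constructed placeholders."""
    msg = ET.Element("AuditMessage")
    ev = ET.SubElement(msg, "EventIdentification", EventActionCode="R",
                       EventDateTime=event_time, EventOutcomeIndicator=str(outcome))
    ET.SubElement(ev, "EventID", code="EX-READ", codeSystemName="constructed",
                  displayName="Record read")
    # Who acted: carried in every event, so no correlation with a login event is needed.
    who = ET.SubElement(msg, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                        NetworkAccessPointID=source_ip, NetworkAccessPointTypeCode="2")
    ET.SubElement(who, "RoleIDCode", code="physician", codeSystemName="constructed")
    ET.SubElement(msg, "AuditSourceIdentification", AuditSourceID="ehr-app-01",
                  AuditEnterpriseSiteID="site-A")
    # Whose record: the patient is named inline rather than by an earlier
    # "subject selected" event.
    obj = ET.SubElement(msg, "ParticipantObjectIdentification", ParticipantObjectID=patient_id,
                        ParticipantObjectTypeCode="1", ParticipantObjectTypeCodeRole="1")
    ET.SubElement(obj, "ParticipantObjectIDTypeCode", code="2", codeSystemName="constructed")
    return ET.tostring(msg, encoding="unicode")


def wrap_bsd_syslog(xml_text, hostname, timestamp="Jan  1 00:00:00", tag="ATNA"):
    """RFC 3164 framing: PRI 110 = facility 13 (log audit) * 8 + severity 6 (info)."""
    return f"<110>{timestamp} {hostname} {tag}: {xml_text}"


def transport_check(line):
    """Report the octet size and whether the line survives each transport limit."""
    octets = len(line.encode("utf-8"))
    return {"octets": octets,
            "fits_bsd_syslog": octets <= BSD_SYSLOG_MAX,
            "fits_syslog_protocol_min": octets <= SYSLOG_PROTOCOL_MIN}


if __name__ == "__main__":
    line = wrap_bsd_syslog(build_audit_message("dr.smith@hospital.example", "10.0.0.12",
                                               "MRN-000123"), "ehr-app-01")
    print(transport_check(line))
```

Even this minimal event lands above the 480-octet floor a syslog-protocol receiver is required to accept, which is the size problem the post describes; a sender should measure before emitting rather than discover truncation in the repository.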