Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications
RFC 3881
Document type: RFC - Informational (October 2004; No errata)
Last updated: 2015-10-14
Stream: ISE
ISE state: (None)
Consensus Boilerplate: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 3881 (Informational)
Responsible AD: Scott Hollenbeck
Send notices to: rfc-editor@rfc-editor.org
Network Working Group                                        G. Marshall
Request for Comments: 3881                                       Siemens
Category: Informational                                   September 2004
Security Audit and Access Accountability Message
XML Data Definitions for Healthcare Applications
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
IESG Note
This RFC is not a candidate for any level of Internet Standard. The
IETF disclaims any knowledge of the fitness of this RFC for any
purpose, and notes that it has not had IETF review. The RFC Editor
has chosen to publish this document at its discretion.
Abstract
This document defines the format of data to be collected and minimum
set of attributes that need to be captured for security auditing in
healthcare application systems. The format is defined as an XML
schema, which is intended as a reference for healthcare standards
developers and application designers. It consolidates several
previous documents on security auditing of healthcare data.
Marshall Informational [Page 1]
RFC 3881 Security Audit & Access Accountability September 2004
Table of Contents
1. Purpose
2. Scope
   2.1. Data Collection
   2.2. Anticipated Data End-uses
   2.3. Conformance
3. Goals
   3.1. Effective Data Gathering
   3.2. Efficiency
4. Trigger Events
   4.1. Security Administration
   4.2. Audit Administration and Data Access
   4.3. User Access
5. Data Definitions
   5.1. Event Identification
   5.2. Active Participant Identification
   5.3. Network Access Point Identification
   5.4. Audit Source Identification
   5.5. Participant Object Identification
6. XML Schema
   6.1. XML Schema Definition
   6.2. XML Schema Localization
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Acknowledgments
Author's Address
Full Copyright Statement
1. Purpose
To help assure healthcare privacy and security in automated systems,
usage data needs to be collected. This data will be reviewed by
administrative staff to verify that healthcare data is being used in
accordance with the healthcare provider's data security requirements
and to establish accountability for data use. This data collection
and review process is called security auditing.
This document defines the format of the data to be collected and
minimum set of attributes that need to be captured by healthcare
application systems for subsequent use by an automation-assisted
review application. The data includes records of who accessed
healthcare data, when, for what action, from where, and which
patients' records were involved. The data definition is an XML
schema to be used as a reference by healthcare standards developers
and application designers.
This document consolidates previously disjointed viewpoints of
security auditing from Health Level 7 (HL7) [HL7SASIG], Digital
Imaging and Communications in Medicine (DICOM) Working Group 14,
Integrating the Healthcare Enterprise (IHE) [IHETF-3], the ASTM
International Healthcare Informatics Technical Committee (ASTM E31)
[E2147], and the Joint NEMA/COCIR/JIRA Security and Privacy Committee