HL7 ballot - FHIR SecurityEvent -- Aka RESTful ATNA

I just finished reviewing in detail the FHIR SecurityEvent resource. This is part of the first FHIR DSTU ballot. This is also a resource that I championed to get added to FHIR. I did have to fight hard during the pre-ballot time to get this resource to be as compliant as possible to IHE-ATNA (DICOM) schema. I brought in extra people to add emphasis of the advantages of keeping compatible even in the light that the compatibility feels wrong. Indeed no one will argue that if we had a greenfield today, we likely would not have such an odd schema. The advantage is that it is highly flexible.

The resulting schema is not perfect match, but is a perfect functional match. It is laid out the same way, mostly has simplified names of the attributes. It couldn't be exactly perfect because they also support JSON. Nice part about the FHIR specification is that they have a page that shows mapping between the attribute names given by DICOM/ATNA and those used by FHIR.

The really good news is that my review of this FHIR resource is totally Positive. I have no negative comments and really want to express how exciting it is to have new ways (REST) to record audit events and super excited that there is now a way (REST) to query an audit record repository.

This does not replace the old IHE-ATNA (SYSLOG) model, that still has many advantages. Like many RESTful interfaces, these are best used by environments that have the RESTful tools. So it is the  tools that you have that are far more important. Also, I see FHIR SecurityEvent as something that enhances the space. I would like to see IHE-ATNA eventually updated to include this transport as a possibility.

As my part of the FHIR Connectathon, I am attempting to brush off my programming skills. Simply to create an application that can record a Disclosure. It would ask who disclosed, what they disclosed, what patient, where did the data go. It would record this explicitly as a Disclosure.  I had hoped to also be able to create an application that would use the FHIR query on SecurityEvent to create a pretty "Accounting of Disclosures" report for a specified patient.

Audit Control

• Simplifying Security Audit Standards
• Testing your ATNA Audit Log implementation
• MU Patient Engagement - Activity History Log
• Patient Data in the Audit Log
• IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
• Accountability using ATNA Audit Controls 
• ATNA and Accounting of Disclosures
• ATNA audit log recording of Query transactions
• How granular does an EHR Security Audit Log need to be?
• Document Submission: Audit requirements under error conditions
• ATNA + SYSLOG is good enough