research-article

Modifying without a trace: general audit guidelines are inadequate for open-source electronic health record audit mechanisms

Authors:

Jason Tyler King,

Ben Smith,

Laurie WilliamsAuthors Info & Claims

IHI '12: Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

Pages 305 - 314

https://doi.org/10.1145/2110363.2110399

Published: 28 January 2012 Publication History

Get Access

Abstract

Without adequate audit mechanisms, electronic health record (EHR) systems remain vulnerable to undetected misuse. Users could modify or delete protected health information without these actions being traceable. The objective of this paper is to assess electronic health record audit mechanisms to determine the current degree of auditing for non-repudiation and to assess whether general audit guidelines adequately address non-repudiation. We derived 16 general auditable event types that affect non-repudiation based upon four publications. We qualitatively assess three open-source EHR systems to determine if the systems log these 16 event types. We find that the systems log an average of 12.5% of these event types. We also generated 58 black-box test cases based on specific auditable events derived from Certification Commission for Health Information Technology criteria. We find that only 4.02% of these tests pass. Additionally, 20% of tests fail in all three EHR systems. As a result, actions including the modification of patient demographics and assignment of user privileges can be executed without a trace of the user performing the action. The ambiguous nature of general auditable events may explain the inadequacy of auditing for non-repudiation. EHR system developers should focus on specific auditable events for managing protected health information instead of general events derived from guidelines.

References

[1]

Bock, B., Huemer, D., and Tjoa, A.M., "Towards more trustable log files for digital forensics by means of Trusted computing', in AINA '10, Proceedings of the 24h IEEE International Conference on Advanced Information Networking and Applications. Perth, Australia: IEEE Press, 2010, pp.1020--1027.

Digital Library

Google Scholar

[2]

CCHIT Certified 2011 Ambulatory EHR, Certification Commission for Health Information Technology, 2011, Available: http://www.cchit.org/certify/2011/cchit-certified-2011-ambulatory-ehr.

Google Scholar

[3]

Chuvakin, A., and Peterson, G., Logging in the age of web services, IEEE Security and Privacy, vol. 7, no. 3, May 2009, pp. 82--85.

Digital Library

Google Scholar

[4]

Dixon, P., "Overview of Computer Forensics," IEEE Potentials, vol. 24, 2005, pp.7--10.

Crossref

Google Scholar

[5]

HIPAA § 164.312(b), Technical Safeguards, 2007, Available: http://edocket.access.gpo.gov/cfr_2007/octqtr/pdf/45cfr164.312.pdf.

Google Scholar

[6]

IEEE standard for information technology: Hardcopy device and system security, IEEE Standard, 2008, pp.1--177.

Google Scholar

[7]

Information system audit logging requirements, SANS Institute, 2007, Available: http://www.sans.org/security-resources/policies/info_sys_audit.pdf.

Google Scholar

[8]

Kent, K., and Souppaya, M., "Guide to Computer Security Log Management," National Institute of Standards and Technology, Gaithersburg, Maryland, USA: 2006.

Digital Library

Google Scholar

[9]

Moore, A.P., Cappelli, D.M., and Trzeciak, R.F., The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures, Carnegie Mellon Software Engineering Institute. CERT Program, 2008.

Crossref

Google Scholar

[10]

Privacy Technology Focus Group: Final Report and Recommendations, United States Department of Justice Global Justice Information Sharing Initiative. September 2006, p.57.

Google Scholar

[11]

Revolutionizing health care through information technology, National Coordination Office for Information Technology Research and Development, Arlington, Virginia, USA: 2004, Available: http://www.nitrd.gov/Pitac/meetings/2004/20040617/20040615_hit.pdf.

Google Scholar

[12]

Robinson, P., Cook, N., and Shrivastava, S., "Implementing fair non-repudiable interactions with Web services," in EDOC '05, Proceedings of the 9th IEEE International Enterprise Computing Conference. 2005, pp. 195- 206.

Digital Library

Google Scholar

[13]

Schneider, F., Accountability for perfection, IEEE Security & Privacy, vol. 7, no. 2, 2009, pp. 3--4.

Digital Library

Google Scholar

[14]

Smith, B., and Williams, L., "Systematizing Security Test Planning Using Functional Requirements Phrases". North Carolina State University, Technical Report #2011--5.

Google Scholar

Cited By

View all

Nelufule LTyanai Masiya Lubinga S(2023)An analysis of the Internal Audit Function in the South African Department of DefenceInternational Journal of Research in Business and Social Science (2147- 4478)10.20525/ijrbs.v12i4.253012:4(295-303)Online publication date: 17-Jun-2023
https://doi.org/10.20525/ijrbs.v12i4.2530
Wang WLi XZhao H(2021)DCAF: Dynamic Cross-Chain Anchoring Framework using Smart ContractsThe Computer Journal10.1093/comjnl/bxab05265:8(2164-2182)Online publication date: 8-May-2021
https://doi.org/10.1093/comjnl/bxab052
Purohit SCalyam PAlarcon MBhamidipati NMosa ASalah K(2021)HonestChain: Consortium blockchain for protected data sharing in health information systemsPeer-to-Peer Networking and Applications10.1007/s12083-021-01153-yOnline publication date: 3-May-2021
https://doi.org/10.1007/s12083-021-01153-y
Show More Cited By

Index Terms

Modifying without a trace: general audit guidelines are inadequate for open-source electronic health record audit mechanisms
1. Applied computing
  1. Life and medical sciences
    1. Health care information systems

Recommendations

Log your CRUD: design principles for software logging mechanisms
HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security

According to a 2011 survey in healthcare, the most commonly reported breaches of protected health information involved employees snooping into medical records of friends and relatives. Logging mechanisms can provide a means for forensic analysis of user ...
Data Work in Healthcare: Challenges for Patients, Clinicians and Administrators
CSCW '18 Companion: Companion of the 2018 ACM Conference on Computer Supported Cooperative Work and Social Computing

With the wide adoption of information infrastructures in healthcare (IIH), citizens and healthcare professionals now carry out intensive "data work' as part of their healthcare and self-management practices. For example, citizens use mobile apps to ...
A Secure Multiparty Computation Solution to Healthcare Frauds and Abuses
ISMS '11: Proceedings of the 2011 Second International Conference on Intelligent Systems, Modelling and Simulation

Medical facilities are vital ingredients which can make or break lives. In such critical matters, proper management of Private Health Information (PHI) of each individual is very necessary. In many foreign countries, Information Technology has made a ...

Comments

Information & Contributors

Information

Published In

IHI '12: Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

January 2012

914 pages

ISBN:9781450307819

DOI:10.1145/2110363

General Chairs:
Gang Luo
IBM Research, USA
,
Jiming Liu
Hong Kong Baptist University
,
Program Chair:
Christopher C. Yang
Drexel University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 January 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

IHI '12

Sponsor:

SIGHIT

IHI '12: ACM International Health Informatics Symposium

January 28 - 30, 2012

Florida, Miami, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
409
Total Downloads

Downloads (Last 12 months)20
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Nelufule LTyanai Masiya Lubinga S(2023)An analysis of the Internal Audit Function in the South African Department of DefenceInternational Journal of Research in Business and Social Science (2147- 4478)10.20525/ijrbs.v12i4.253012:4(295-303)Online publication date: 17-Jun-2023
https://doi.org/10.20525/ijrbs.v12i4.2530
Wang WLi XZhao H(2021)DCAF: Dynamic Cross-Chain Anchoring Framework using Smart ContractsThe Computer Journal10.1093/comjnl/bxab05265:8(2164-2182)Online publication date: 8-May-2021
https://doi.org/10.1093/comjnl/bxab052
Purohit SCalyam PAlarcon MBhamidipati NMosa ASalah K(2021)HonestChain: Consortium blockchain for protected data sharing in health information systemsPeer-to-Peer Networking and Applications10.1007/s12083-021-01153-yOnline publication date: 3-May-2021
https://doi.org/10.1007/s12083-021-01153-y
Rivera-Ortiz FPasquale L(2019)Towards Automated Logging for Forensic-Ready Software Systems2019 IEEE 27th International Requirements Engineering Conference Workshops (REW)10.1109/REW.2019.00033(157-163)Online publication date: Sep-2019
https://doi.org/10.1109/REW.2019.00033
Boddy AHurst WMackay MEl Rhalibi A(2019)A Hybrid Density-Based Outlier Detection Model for Privacy in Electronic Patient Record system2019 5th International Conference on Information Management (ICIM)10.1109/INFOMAN.2019.8714701(92-96)Online publication date: Mar-2019
https://doi.org/10.1109/INFOMAN.2019.8714701
King JStallings JRiaz MWilliams L(2017)To log, or not to logEmpirical Software Engineering10.1007/s10664-016-9449-122:5(2684-2717)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1007/s10664-016-9449-1
Idalino TSpagnuelo DMartina J(2017)Private Verification of Access on Medical Data: An Initial StudyData Privacy Management, Cryptocurrencies and Blockchain Technology10.1007/978-3-319-67816-0_6(86-103)Online publication date: 13-Sep-2017
https://doi.org/10.1007/978-3-319-67816-0_6
Spagnuelo DBartolini CLenzini G(2017)Modelling Metrics for Transparency in Medical SystemsTrust, Privacy and Security in Digital Business10.1007/978-3-319-64483-7_6(81-95)Online publication date: 27-Jul-2017
https://doi.org/10.1007/978-3-319-64483-7_6
Amir-Mohammadian SChong SSkalka C(2016)Correct Audit LoggingProceedings of the 5th International Conference on Principles of Security and Trust - Volume 963510.5555/3089491.3089501(139-162)Online publication date: 2-Apr-2016
https://dl.acm.org/doi/10.5555/3089491.3089501
Grunwel DSahama T(2016)Delegation of access in an information accountability framework for eHealthProceedings of the Australasian Computer Science Week Multiconference10.1145/2843043.2843383(1-8)Online publication date: 1-Feb-2016
https://dl.acm.org/doi/10.1145/2843043.2843383
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Log your CRUD: design principles for software logging mechanisms

Data Work in Healthcare: Challenges for Patients, Clinicians and Administrators

A Secure Multiparty Computation Solution to Healthcare Frauds and Abuses

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Log your CRUD: design principles for software logging mechanisms

Data Work in Healthcare: Challenges for Patients, Clinicians and Administrators

A Secure Multiparty Computation Solution to Healthcare Frauds and Abuses

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations