Difference between revisions of "Auditable events and tamper-resistance (MU3)"

From OpenEMR Project Wiki
(42 intermediate revisions by the same user not shown)
Line 1: Line 1:
Regulation text:
==Status==
```
:*'''VERIFIED COMPLETE'''
§170.315 (d)(2) Auditable events and tamper-resistance—
:*Ready to sign self-declaration.
Record actions. Technology must be able to:
 
Record actions related to electronic health information in accordance with the standard specified in §170.210(e)(1);
==Notes==
Record the audit log status (enabled or disabled) in accordance with the standard specified in §170.210(e)(2) unless it cannot be disabled by any user; and
[[File:D2.png|1000px|border|link=]]
Record the encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by technology in accordance with the standard specified in §170.210(e)(3) unless the technology prevents electronic health information from being locally stored on end-user devices (see paragraph (d)(7) of this section).
<br>
Default setting. Technology must be set by default to perform the capabilities specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs (d)(2)(i)(B) and (d)(2)(i)(C) of this section.
<br>
When disabling the audit log is permitted. For each capability specified in paragraphs (d)(2)(i)(A) through (C) of this section that technology permits to be disabled, the ability to do so must be restricted to a limited set of users.
<br>
Audit log protection. Actions and statuses recorded in accordance with paragraph (d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by the technology.
:Issues:
Detection. Technology must be able to detect whether the audit log has been altered.```
:(d)(2)(i)(A)
:*
::*The audit log must record the information specified in sections 7.1.1 through 7.1.3 and 7.1.6 through 7.1.9 of the standard specified in ASTM E2147-18 and changes to user privileges when health IT is in use. ('''PASS''')
:::*CLARIFICATION
::::*Support for 7.1.3 (Duration of access) was dropped since was not felt to be in scope for certifying and testing to 2015 Edition Cures Update certification.
:(d)(2)(i)(B)
::*The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified in ASTM E2147-18 when the audit log status is changed. Interestingly, 7.2 and 7.4 do not exist in ASTM E2147-18, but in a prior ASTM E2147-01 version used in MU2, 7.2 was 'Date and Time of Event' and 7.4 was 'User Identification'; notably there was a clarification to fix this and need to support 7.1.1 (Date and Time of access event) and 7.1.7 (User Identification). ('''PASS''')
:(d)(2)(i)(C)
::*End-user device encryption is always on per (d)(7), so not applicable. ('''PASS''')
:(d)(2)(ii)
::*All logging needs to be on by default. ('''PASS''')
:(d)(2)(iii)
::*Logging can only be disabled by a limited set of users. ('''PASS''')
:(d)(2))(iv)
::*Can not manipulate (changed, overwritten, or deleted) log. ('''PASS''')
:(d)(2))(v)
::*Need to detect manipulation of log. ('''PASS''')
 
:Final:
:*To ensure accurate time, server will need to set up a Network Time Protocol server that supports version 4 Network Time Protocol (NTP) as defined by RFC 5905.

Revision as of 04:25, 17 October 2020

Status

  • VERIFIED COMPLETE
  • Ready to sign self-declaration.

Notes

D2.png


Issues:
(d)(2)(i)(A)
  • The audit log must record the information specified in sections 7.1.1 through 7.1.3 and 7.1.6 through 7.1.9 of the standard specified in ASTM E2147-18 and changes to user privileges when health IT is in use. (PASS)
  • CLARIFICATION
  • Support for 7.1.3 (Duration of access) was dropped since was not felt to be in scope for certifying and testing to 2015 Edition Cures Update certification.
(d)(2)(i)(B)
  • The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified in ASTM E2147-18 when the audit log status is changed. Interestingly, 7.2 and 7.4 do not exist in ASTM E2147-18, but in a prior ASTM E2147-01 version used in MU2, 7.2 was 'Date and Time of Event' and 7.4 was 'User Identification'; notably there was a clarification to fix this and need to support 7.1.1 (Date and Time of access event) and 7.1.7 (User Identification). (PASS)
(d)(2)(i)(C)
  • End-user device encryption is always on per (d)(7), so not applicable. (PASS)
(d)(2)(ii)
  • All logging needs to be on by default. (PASS)
(d)(2)(iii)
  • Logging can only be disabled by a limited set of users. (PASS)
(d)(2))(iv)
  • Can not manipulate (changed, overwritten, or deleted) log. (PASS)
(d)(2))(v)
  • Need to detect manipulation of log. (PASS)
Final:
  • To ensure accurate time, server will need to set up a Network Time Protocol server that supports version 4 Network Time Protocol (NTP) as defined by RFC 5905.