Resource Auditing
This feature monitors user access and user updates to protected health information (PHI) and personally identifiable information (PII) through the HTTP application programming interface (API). All HTTP resources that link to an exchange that processes PII are monitored, that is, where exchange.integration.processesPii = true. Whenever a user or a client application retrieves one of these resources or issues an operation on one of these resources, the application creates an entry in a dedicated log.
The system property ohi.logging.target determines where the system stores audit messages. Possible values:
- log: PHI access is logged using any configured Logback Appender for which the PHI filter is applied. An example of such a Logback Appender is the RollingFileAppender.
- database: audit messages for PHI access are persisted in the database as part of the HTTP API request and can be accessed via the generic/logphievents resource.
This feature is limited to logging the HTTP API operations on monitored resources. It does not trigger events.
The set of monitored resources is limited to the exchanges (including sub exchanges and the resources mentioned in the next section) where the indicator processesPii is set to true for the integration.
An audit log entry has the following parts:
Key | Value Description |
---|---|
Time stamp | When the PHI data was accessed. |
username | The login name of the user who performed the PHI operation. |
entity id | The technical ID of the exchange. |
entity code | The code of the integration that is linked to the exchange (including the version). |
resource | The name of the resource that was accessed. |
resource id | The technical ID of the resource that was accessed. |
method | The operation (GET, PUT, POST, PATCH or DELETE) issued on the resource. |
Monitored Resources
The following resources are monitored in Oracle Insurance Gateway when accessed using the generic end points.
- Exchanges (including all the sub exchanges spawned by the parent exchanges) where exchange.integration.processesPii = true
- Exchange Logs linked to the above exchanges.
- Exchange Steps linked to the above exchanges.
- File Upload Results linked to the above exchanges and exchange steps.
- Events
  - All the Events linked to the above exchanges (linked via Exchange Events).
  - All the unmatched Events that are not linked to any exchange.
  - All the Exchange Events linked to an Event consumed by an exchange that processes PII.
- Data File Sets linked to these exchanges.
- Data files linked to the above data file sets.

Only the generic data files and data file sets end points are monitored as part of this process.
Examples
Exchange
- Exchange
  2024-12-30 17:39:42;…;{keyword=ACCESS, user=JONES, resource=exchanges, id=2, relatedKey=SAMPLE_INTEGRATION v1, relatedId=2, method=GET}
- Exchange Steps
  2025-01-05 23:08:02;…;{keyword=ACCESS, user=JONES, resource=exchangesteps, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
- Exchange Logs
  2025-01-05 23:13:48;…;{keyword=ACCESS, user=JONES, resource=exchangelogs, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
Events
- Event when it is not linked to any Exchange
  2025-01-05 23:51:34;…;{keyword=ACCESS, user=JONES, resource=events, id=12345, method=GET}
- Event when there is a linked Exchange whose integration contains PII
  2025-01-05 23:54:55;…;{keyword=ACCESS, user=JONES, resource=events, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
Data File Sets
- Data file sets
  2025-01-05 23:59:32;…;{keyword=ACCESS, user=JONES, resource=datafilesets, id=123, relatedKey=INT_1 v123, relatedId=12345, method=GET}
- Data files
  2025-01-06 00:04:01;…; {keyword=ACCESS, user=JONES, resource=datafiles, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
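
For reviewing these entries when ohi.logging.target is set to log, the following added example (not Oracle's code) parses lines in the layout shown above and groups PHI access by user, listing non-GET operations and events without a linked exchange. It assumes the key=value payload keeps the shape of the examples; the SMITH line, the function names and the grouping are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout of the page's examples. The middle
# field is elided on the page ("…") and is skipped here, not interpreted.
SAMPLE = """\
2025-01-05 23:08:02;…;{keyword=ACCESS, user=JONES, resource=exchangesteps, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
2025-01-05 23:51:34;…;{keyword=ACCESS, user=JONES, resource=events, id=12345, method=GET}
2025-01-06 00:04:01;…; {keyword=ACCESS, user=SMITH, resource=datafiles, id=7, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=DELETE}
not an audit line
"""

# Timestamp, any middle fields, then the {...} payload at the end of the line.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d);.*?;\s*\{(.*)\}\s*$")
# A value runs until the next ", key=" so values with spaces stay intact.
PAIR = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

def parse_line(line):
    """Return the entry as a dict, or None if the line is not an audit entry."""
    m = LINE.match(line)
    if not m:
        return None
    entry = dict(PAIR.findall(m.group(2)))
    entry["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return entry

def summarize(text):
    """Parse all lines; return (entries, per-user resources, writes, unlinked)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    per_user = defaultdict(set)
    for e in entries:
        per_user[e.get("user")].add((e.get("resource"), e.get("id")))
    # Operations that change data deserve a closer look than reads.
    writes = [e for e in entries if e.get("method") != "GET"]
    # Unmatched events carry no relatedKey/relatedId (see the Events example).
    unlinked = [e for e in entries if "relatedKey" not in e]
    return entries, dict(per_user), writes, unlinked

if __name__ == "__main__":
    entries, per_user, writes, unlinked = summarize(SAMPLE)
    for user, seen in sorted(per_user.items()):
        print(user, len(seen), "distinct PHI resources")
    for e in writes:
        print("write:", e["timestamp"], e["user"], e["method"], e["resource"], e["id"])
```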