Resource Auditing

This feature monitors user access and user updates to protected health information (PHI) and personally identifiable information (PII) through the HTTP application programming interface (API). All HTTP resources that link to an exchange that processes PII are monitored, that is, where exchange.integration.processesPii = true. Whenever a user or a client application retrieves one of these resources or issues an operation on one of these resources, the application creates an entry in a dedicated log.

System property ohi.logging.target determines where the system stores audit messages. Possible values:

  • log: PHI access is logged using any configured Logback Appender for which the PHI filter is applied. An example of such a Logback Appender is the RollingFileAppender.

  • database: audit messages for PHI access are persisted in the database as part of the HTTP API request and can be accessed via the generic/logphievents resource.

This feature is limited to logging the HTTP API operations on monitored resources. It does not trigger events.

The set of monitored resources is limited to the exchanges (including sub exchanges and the resources mentioned in the next section) where the indicator processesPii is set to true for the integration.

An audit log entry has the following parts:

Table 1. Resource Auditing

| Key Value | Description |
|---|---|
| Time stamp | When the PHI data was accessed. |
| username | The login name of the user who performed the PHI operation. |
| entity id | The technical ID of the exchange. |
| entity code | The code of the integration that is linked to the exchange (including the version). |
| resource | The name of the resource that was accessed. |
| resource id | The technical ID of the resource that was accessed. |
| method | The operation (GET, PUT, POST, PATCH or DELETE) issued on the resource. |

Monitored Resources

The following resources are monitored in Oracle Insurance Gateway when accessed using the generic end points.

  • Exchanges (including all the sub exchanges spawned by the parent exchanges) where exchange.integration.processesPii = true

    • Exchange Logs linked to the above exchanges.

    • Exchange Steps linked to the above exchanges.

  • File Upload Results linked to the above exchanges and exchange steps.

  • Events

    • All the Events linked to the above exchanges (linked via Exchange Events).

    • All the unmatched Events that are not linked to any exchange.

    • All the Exchange Events linked to an Event consumed by an exchange that processes PII.

  • Data File Sets linked to these exchanges.

    • Data files linked to the above data file sets.

Only the generic data files and data file sets end points are monitored as part of this process.

Examples

Exchange

Exchange

2024-12-30 17:39:42;…​;{keyword=ACCESS, user=JONES, resource=exchanges, id=2, relatedKey=SAMPLE_INTEGRATION v1, relatedId=2, method=GET}

Exchange Steps

2025-01-05 23:08:02;…​;{keyword=ACCESS, user=JONES, resource=exchangesteps, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}

Exchange Logs

2025-01-05 23:13:48;…​;{keyword=ACCESS, user=JONES, resource=exchangelogs, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}

Events

Event when it is not linked to any Exchange

2025-01-05 23:51:34;…​;{keyword=ACCESS, user=JONES, resource=events, id=12345, method=GET}

Event when there is a linked Exchange whose integration contains PII

2025-01-05 23:54:55;…​;{keyword=ACCESS, user=JONES, resource=events, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}

Data File Sets

Data file sets

2025-01-05 23:59:32;…​;{keyword=ACCESS, user=JONES, resource=datafilesets, id=123, relatedKey=INT_1 v123, relatedId=12345, method=GET}

Data files

2025-01-06 00:04:01;…​; {keyword=ACCESS, user=JONES, resource=datafiles, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
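The entries above can be parsed into structured records for review. The following Python sketch is an added example, not Oracle code: it treats the elided middle field as opaque, splits the `{key=value, ...}` payload, and counts per user the non-GET operations and the entries without a relatedKey (unmatched events). The function names, the SMITH line and the non-audit line are constructed, and reading relatedKey and relatedId as the table's entity code and entity id is inferred from the examples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Lines 1-3 follow the page's examples (elided middle
# field written as "..."); the SMITH line and the last line are made up.
SAMPLE_LOG = """\
2024-12-30 17:39:42;...;{keyword=ACCESS, user=JONES, resource=exchanges, id=2, relatedKey=SAMPLE_INTEGRATION v1, relatedId=2, method=GET}
2025-01-05 23:51:34;...;{keyword=ACCESS, user=JONES, resource=events, id=12345, method=GET}
2025-01-06 00:04:01;...; {keyword=ACCESS, user=JONES, resource=datafiles, id=123, relatedKey=SAMPLE_INTEGRATION v1, relatedId=12345, method=GET}
2025-01-06 00:05:10;...;{keyword=ACCESS, user=SMITH, resource=exchanges, id=2, relatedKey=SAMPLE_INTEGRATION v1, relatedId=2, method=DELETE}
this line is not an audit entry
"""

# timestamp ; opaque middle field(s) ; {key=value, key=value, ...}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2});.*;\s*\{(.*)\}\s*$")
# Values may contain spaces ("SAMPLE_INTEGRATION v1"); a value ends at the
# next ", key=" or at the end of the payload.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")
REQUIRED = {"user", "resource", "id", "method"}

def parse_line(line):
    """Return one audit entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = dict(PAIR_RE.findall(m.group(2)))
    if not REQUIRED <= entry.keys():
        return None  # malformed payload: count it as rejected, do not guess
    entry["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return entry

def summarize(lines):
    """Per-user counts: all entries, non-GET operations, unlinked entries."""
    stats = defaultdict(lambda: {"total": 0, "writes": 0, "unlinked": 0})
    rejected = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            rejected += 1  # surface unparsable lines instead of dropping them
            continue
        s = stats[entry["user"]]
        s["total"] += 1
        s["writes"] += entry["method"] != "GET"
        s["unlinked"] += "relatedKey" not in entry
    return dict(stats), rejected

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```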