Resource Auditing
This feature monitors user access and user updates to protected health information (PHI) and personally identifiable information (PII) through the HTTP application programming interface (API). All HTTP resources that link a person to PHI and all resources that contain PII are monitored. Whenever a user or a client application retrieves one of these resources or issues an operation on one of these resources, the application creates an entry in a dedicated log.
System property ohi.logging.target determines where the system stores audit messages. Possible values:
- log: PHI access is logged using any configured Logback Appender for which the PHI filter is applied. An example of such a Logback Appender is the RollingFileAppender.
- database: audit messages for PHI access are persisted in the database as part of the HTTP API request and can be accessed via the generic/logphievents resource.
This feature is limited to logging the HTTP API operations on monitored resources. It does not trigger events.
The set of monitored resources is limited to:
- The person (including insurable entity and insurable person) resource and its detail resources
- Any resource representing operational information, linked to an insurable entity or a family
An audit log entry has the following parts:
Key | Value Description |
---|---|
Time stamp | When the PHI data was accessed |
keyword | All messages start with the tag "ACCESS" (not shown in the |
user | The login name of the user (specified as 'system' for the internal system user) |
resource | The name of the resource that was accessed |
id | The technical ID of the resource that was accessed |
relatedKey | The code of the relation, family or insurable object that is in context (if applicable) |
relatedId | The technical ID of the relation or insurable entity resource that is in context (if applicable) |
method | The operation (GET, PUT, POST, PATCH or DELETE) issued on the resource |
Monitored Resources
The following resources are monitored in Oracle Health Insurance Value-Based Payments:
- persons
- addresses
- assignedproviders
- bankaccountnumbers
- contractalignments
- persontitles
- relationidentifiers
- contract events
- contract mutations
- attributions
- calculation results
Examples
Persons
- persons
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345,identifierstype=12348690, method=GET}

  For persons part 7 does not hold the relatedId because that is the same as part 4, the id. Instead, part 7 for persons holds the technical id of the identifiertype.
- addresses
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=addresses, id=656266336, relatedKey=MEM12345, relatedId=456719800, method=POST}
- assignedproviders
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=assignedproviders, id=956266336, relatedKey=MEM12345, relatedId=456719800, method=GET}
- bankaccountnumbers
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=bankaccountnumbers, id=756266336, relatedKey=MEM12345, relatedId=456719800, method=DELETE}
- persontitles
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persontitles, id=356266336, relatedKey=MEM12345, relatedId=456719800, method=PATCH}
Insurable Entities
- insurableentities
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=256266330, relatedKey=MEM12345, relatedId=456719800, method=GET}
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=276266330, relatedKey=CAR12345, method=GET}

  Part 6 is not logged for insurable entities that are objects, because it is identical to part 4.
- insurablepersons
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurablepersons, id=2562663330, relatedKey=MEM12345, relatedId=456719800, method=GET}
Contracts
- contractalignments
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractalignments, id=458889800, relatedKey=MEM12345, relatedId=456719800, method=GET}
- contractevents
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
  - 2017/03/01 17:58:34; … ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392337, method=GET}
- contractmutations
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
  - 2017/03/01 17:58:34; … ; {keyword=ACCESS, user=JONES, resource=contractmutations, id=946392337, method=GET}
- attributions
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=attributions, id=888392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
- calculationresults
  - 2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=calculationresults, id=317392336, relatedKey=MEM12345, relatedId=456719800, method=GET}
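
For reviewing these entries when the target is log, the following added example (not Oracle's code) parses the entry format shown above, fills in the relatedId that the notes say is omitted for persons and insurable objects, and summarizes per user which relations were touched and how many write operations were issued. The names parse_entry, summarize and subject_id are assumptions of this example, as is reading the appender output as plain text lines.

```python
import re
from collections import defaultdict

# Four entries copied from the examples on this page ("…" is elided there),
# plus one constructed malformed line to exercise the reject path.
SAMPLE = """\
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=persons, id=456719800, relatedKey=MEM12345,identifierstype=12348690, method=GET}
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=addresses, id=656266336, relatedKey=MEM12345, relatedId=456719800, method=POST}
2017/03/01 15:56:02; … ; {keyword=ACCESS, user=JONES, resource=insurableentities, id=276266330, relatedKey=CAR12345, method=GET}
2017/03/01 17:58:34; … ; {keyword=ACCESS, user=JONES, resource=contractevents, id=956392337, method=GET}
2017/03/01 18:00:00; … ; {keyword=ACCESS, user=JONES, resource=persons, method=FETCH}
"""

ENTRY = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});.*\{([^{}]*)\}\s*$")
METHODS = {"GET", "PUT", "POST", "PATCH", "DELETE"}
REQUIRED = ("keyword", "user", "resource", "id", "method")

def parse_entry(line):
    """Parse one audit line into a dict; return None if it is malformed."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
    e = {k.strip(): v.strip() for k, v in pairs}
    if any(k not in e for k in REQUIRED):
        return None
    if e["keyword"] != "ACCESS" or e["method"] not in METHODS:
        return None
    e["timestamp"] = m.group(1)
    # Assumption from the page's notes: when relatedKey is present but
    # relatedId is omitted (persons, insurable objects), it equals id.
    # With neither present there is no relation in context.
    e["subject_id"] = e.get("relatedId") or (e["id"] if "relatedKey" in e else None)
    return e

def summarize(text):
    """Per user: subjects touched, write operations, plus rejected line count."""
    users = defaultdict(lambda: {"subjects": set(), "writes": 0})
    rejected = 0
    for line in filter(str.strip, text.splitlines()):
        e = parse_entry(line)
        if e is None:
            rejected += 1
            continue
        if e["subject_id"]:
            users[e["user"]]["subjects"].add(e["subject_id"])
        if e["method"] != "GET":
            users[e["user"]]["writes"] += 1
    return dict(users), rejected
```

Calling summarize(SAMPLE) returns the per-user summary and the number of rejected lines; a non-zero reject count is worth investigating, since an audit trail with unparseable entries cannot be relied on for access review.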