Browsing Audit Logs


This article describes auditing within ProKnow.

Note: You must have the Manage Audit Logs permission for your organization to view or download audit logs.

Understanding Auditing

Audit logs, also known as an audit trail, provide a record of patient- and security-related events that have occurred within ProKnow for your organization. Generally speaking, each audit record provides information about what happened, when it happened, who initiated it and what resources were involved. If an event is related to a particular patient, the patient will also be included in the record.

Audit records are created whenever a user creates, updates, deletes, or retrieves objects within ProKnow. Additionally, security events such as login attempts, password recoveries, account lockouts and permission denials are recorded.

When applicable, a record contains a resource ID that uniquely identifies the object involved in the event. This is a useful key to search with when tracking all events that have occurred for a given object, such as a patient plan or structure set.

Due to the nature of the information recorded, patient protected health information (PHI) and personally identifiable information (PII) can be found in audit records. The Manage Audit Logs permission grants users access to the audit logs and hence access to patient PHI and PII. Note that granting Manage Audit Logs permission does not also grant access to PHI outside of the audit logs.

Viewing Audit Logs

To view the audit logs for your organization, click on the ProKnow icon in the top left corner of the page and select Monitoring.

Each record in the table contains:

  • Type – the type of event
  • Description – a brief synopsis of the event
  • Date – the time that the event occurred (in your local time zone)
  • Workspace – the name of the workspace that contains the object involved in the event, if applicable
  • Patient – the name and medical record number of the patient involved in the event, if applicable
  • Resource ID – the unique identifier of the object, if applicable
  • User – the name of the user that initiated the event

The indicator in the first column of the table shows whether the event succeeded (a green indicator), failed (a yellow indicator) or was a possible breach attempt (a red indicator). Additional details about the event can be found by double-clicking the record in the table.

Only records from the last 90 days can be viewed and searched. Records older than 90 days are moved to archival storage but may still be downloaded as needed.

Searching Audit Logs

To search audit records for your organization, three search tools are available in the filters toolbar. The Search tool allows for searching all text or precision searches against specific record fields, as explained in detail below. The Select Event tool allows for filtering events by their event type and the Date Range tool allows for filtering events by date.

Search Query Syntax

You can submit queries using a subset of the Lucene query syntax. The query string is parsed into a series of terms:

  • A term can be a single word such as john or doe
  • A term can be multiple words such as john doe, which will match on all records containing at least one of these words
  • A term can be a phrase surrounded by double quotes ("john doe"), which will match on all records containing this exact phrase
  • A term prefixed with a field name (patient_name:"john doe") will only match against the selected field
  • A term with a field name followed by a list of values (type:[user_created, roles_queried]) will match all values against the selected field

All search fields are case insensitive.

| Field | Description | Aliases | Accepts Lists |
|---|---|---|---|
| type | The coded event type* | types | Yes |
| user_id | The identifier of the user | | No |
| user_name | The name of the user | | No |
| patient_id | The identifier of the patient | | No |
| patient_mrn | The MRN of the patient | | No |
| patient_name | The name of the patient | | No |
| resource_id | The identifier of the resource or object related to the event | | No |
| resource_name | The name of the resource or object | | No |
| workspace_id | The identifier of the workspace | | No |
| workspace_name | The name of the workspace | | No |
| collection_id | The identifier of the collection | collection | No |
| classification | The origin of the event. "HTTP" for events originating in the ProKnow API and "AUTH" for events originating in Auth0 | class | No |
| method | The HTTP method of the API call. Accepts lists of values | methods | Yes |
| uri | The unique resource identifier (URI) | | No |
| status_code | The resultant HTTP status code of the API call | status_code, status, code | Yes |

* Event types displayed in the table and Select Event dropdown can be searched on by adding an underscore between words. For example, "Patient Created" events can be searched using the query term type:patient_created.
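The term forms and field table above can be checked before a query is pasted into the Search tool. The following is an added example, not ProKnow code: a client-side lint whose names (FIELDS, TOKEN, parse_query) are hypothetical, and which assumes field names are matched case-insensitively. It splits a query into terms, resolves aliases to the field names in the table, and rejects unknown fields and lists on fields that do not accept them.

```python
import re

# Field table from the article: canonical name -> (aliases, accepts lists)
FIELDS = {
    "type": (["types"], True),
    "user_id": ([], False), "user_name": ([], False),
    "patient_id": ([], False), "patient_mrn": ([], False),
    "patient_name": ([], False),
    "resource_id": ([], False), "resource_name": ([], False),
    "workspace_id": ([], False), "workspace_name": ([], False),
    "collection_id": (["collection"], False),
    "classification": (["class"], False),
    "method": (["methods"], True),
    "uri": ([], False),
    "status_code": (["status", "code"], True),
}
CANONICAL = {alias: name for name, (aliases, _) in FIELDS.items()
             for alias in [name, *aliases]}

TOKEN = re.compile(r'''
    (?:(?P<field>\w+):)?          # optional field prefix
    (?: \[(?P<list>[^\]]*)\]      # list of values in square brackets
      | "(?P<phrase>[^"]*)"       # exact phrase in double quotes
      | (?P<word>[^\s\[\]":]+) )  # single word
''', re.VERBOSE)

def parse_query(query):
    """Split a query into (field, kind, value) terms; ValueError on misuse."""
    terms, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse term at offset {pos}")
        field = m["field"]
        if field is not None:
            # Assumption: field names are matched case-insensitively
            field = CANONICAL.get(field.lower())
            if field is None:
                raise ValueError(f"unknown field {m['field']!r}")
        if m["list"] is not None:
            if field is None or not FIELDS[field][1]:
                raise ValueError(f"lists are not accepted here: {m[0]!r}")
            terms.append((field, "list", [v.strip() for v in m["list"].split(",")]))
        elif m["phrase"] is not None:
            terms.append((field, "phrase", m["phrase"]))
        else:
            terms.append((field, "word", m["word"]))
        pos = m.end()
        while pos < len(query) and query[pos].isspace():
            pos += 1
    return terms
```

A misspelled field name such as patent_name is reported as an error here, before the query is submitted.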

Event Selection

The Select Event dropdown allows you to see all possible event types and select one to filter by.

Date Range

Records can be filtered by date by entering begin and end dates into the Date Range filter. Begin dates may not be older than 90 days.

Downloading Audit Logs

The following steps outline the process of downloading audit records to file, including records older than 90 days.

  1. Press the Download Logs button.
  2. Enter a Start Date for when to begin searching.
  3. Enter an End Date for when to stop searching.
  4. (Optional) To further filter records to download, enter values into the filter fields.
  5. Select a File Format to indicate the format of the logs.
  6. Press Download.

A ZIP file will be produced containing a file for each day within the specified date range. Note that the maximum file size for downloads is 100 MB. If the 100 MB download limit is reached, a NOTICE.txt file will be included in the ZIP file to indicate that the download results have been truncated and to give the date to use in subsequent download requests to retrieve the remaining results.
