This article describes auditing within ProKnow.
Note: You must have the Manage Audit Logs permission on the organization to view or download audit logs.
Understanding Auditing
Also known as an audit trail, audit logs provide a record of patient- and security-related events that have occurred within ProKnow for your organization. Generally speaking, each audit record provides information about what happened, when it happened, who initiated it and what resources were involved. If an event is related to a particular patient, the patient will also be included in the record.
Audit records are created whenever a user creates, updates, deletes, or retrieves objects within ProKnow. Additionally, security events such as login attempts, password recoveries, account lockouts and permission denials are recorded.
When applicable, records contain a resource ID that uniquely identifies the object involved in the event. This is a useful key to search with when tracking all events that have occurred for a given object, such as a patient plan or structure set.
Due to the nature of the information recorded, patient protected health information (PHI) and personally identifiable information (PII) can be found in audit records. The Manage Audit Logs permission grants users access to the audit logs and hence access to patient PHI and PII. Note that granting Manage Audit Logs permission does not also grant access to PHI outside of the audit logs.
Viewing Audit Logs
To view the audit logs for your organization, click on the ProKnow icon in the top left corner of the page and select Monitoring.
Each record in the table contains:
- Type – the type of event
- Description – a brief synopsis of the event
- Date – the time that the event occurred (in your local time zone)
- Workspace – the name of the workspace that contains the object involved in the event, if applicable
- Patient – the name and medical record number of the patient involved in the event, if applicable
- Resource ID – the unique identifier of the object, if applicable
- User – the name of the user that initiated the event
The indicator in the first column of the table depicts whether the event occurred successfully (a green indicator), failed (a yellow indicator) or a possible breach was attempted (a red indicator). Additional details about the event can be found by double-clicking the record in the table.
Only records from the last 90 days can be viewed and searched. Records older than 90 days are moved to archival storage but may still be downloaded as needed.
Searching Audit Logs
To search audit records for your organization, three search tools are available in the filters toolbar. The Search tool allows for searching all text or precision searches against specific record fields, as explained in detail below. The Select Event tool allows for filtering events by their event type and the Date Range tool allows for filtering events by date.
Search Query Syntax
You can submit queries using a subset of the Lucene query syntax. The query string is parsed into a series of terms:
- A term can be a single word such as `john` or `doe`
- A term can be multiple words such as `john doe`, which will match on all records containing at least one of these words
- A term can be a phrase surrounded by double quotes (`"john doe"`), which will match on all records containing this exact phrase
- A term prefixed with a field name (`patient_name:"john doe"`) will only match against the selected field
- A term with a field name followed by a list of values (`type:[user_created, roles_queried]`) will match all values against the selected field
All search fields are case insensitive.
Field | Description | Aliases | Accepts Lists |
---|---|---|---|
type | The coded event type* | types | Yes |
user_id | The identifier of the user | | No |
user_name | The name of the user | | No |
patient_id | The identifier of the patient | | No |
patient_mrn | The MRN of the patient | | No |
patient_name | The name of the patient | | No |
resource_id | The identifier of the resource or object related to the event | | No |
resource_name | The name of the resource or object | | No |
workspace_id | The identifier of the workspace | | No |
workspace_name | The name of the workspace | | No |
collection_id | The identifier of the collection | collection | No |
classification | The origin of the event. "HTTP" for events originating in the ProKnow API and "AUTH" for events originating in Auth0 | class | No |
method | The HTTP method of the API call. Accepts lists of values | methods | Yes |
uri | The unique resource identifier (URI) | | No |
status_code | The resultant HTTP status code of the API call | status_code, status, code | Yes |
* Event types displayed in the table and Select Event dropdown can be searched on by adding an underscore between words. For example, "Patient Created" events can be searched using the query term `type:patient_created`.
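The term rules and field table above can be checked before a query is submitted. The following Python sketch is an added example, not ProKnow's own parser: it splits a query into terms and rejects unknown field names and lists on fields that do not accept them. The function name `parse_query` and its error behaviour are assumptions, and ProKnow may treat malformed input differently.

```python
import re

# Field table from the article: field name -> whether it accepts lists.
ACCEPTS_LISTS = {
    "type": True, "user_id": False, "user_name": False,
    "patient_id": False, "patient_mrn": False, "patient_name": False,
    "resource_id": False, "resource_name": False, "workspace_id": False,
    "workspace_name": False, "collection_id": False, "classification": False,
    "method": True, "uri": False, "status_code": True,
}
# Aliases from the same table, mapped to the canonical field name.
ALIASES = {"types": "type", "collection": "collection_id",
           "class": "classification", "methods": "method",
           "status": "status_code", "code": "status_code"}

# One term: optional field prefix, then a [list], a "phrase" or a bare word.
TERM = re.compile(r'\s*(?:(\w+):)?(?:\[([^\]]*)\]|"([^"]*)"|([^\s\[\]":]+))')

def parse_query(query):
    """Return [(field or None, [values])]; raise ValueError on a bad term."""
    terms, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        m = TERM.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse at offset {pos}: {query[pos:]!r}")
        field, items, phrase, word = m.groups()
        if field is not None:
            field = ALIASES.get(field, field)
            if field not in ACCEPTS_LISTS:
                raise ValueError(f"unknown field: {field}")
        if items is not None:
            if field is None or not ACCEPTS_LISTS[field]:
                raise ValueError(f"field does not accept a list: {field}")
            values = [v.strip() for v in items.split(",") if v.strip()]
        else:
            values = [phrase if phrase is not None else word]
        terms.append((field, values))
        pos = m.end()
    return terms

if __name__ == "__main__":
    # Constructed sample queries; the last one is rejected (list on user_name).
    for q in ['john doe', 'patient_name:"john doe"', 'status:[401, 403]',
              'user_name:[alice, bob]']:
        try:
            print(q, "->", parse_query(q))
        except ValueError as err:
            print(q, "-> rejected:", err)
```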
Event Selection
The Select Event dropdown allows you to see all possible event types and select one to filter by.
Date Range
Records can be filtered down by date by entering begin and end dates into the Date Range filter. Begin dates may not be older than 90 days.
Downloading Audit Logs
The following steps outline the process of downloading audit records to file, including records older than 90 days.
- Press the Download Logs button.
- Enter a Start Date for when to begin searching.
- Enter an End Date for when to stop searching.
- (Optional) To further filter records to download, enter values into the filter fields.
- Select a File Format to indicate the format of the logs.
- Press Download.
A ZIP file will be produced containing a file for each day within the specified date range. Note that the maximum file size for downloads is 100MB. If the 100MB download limit is reached, a NOTICE.txt file will be included in the ZIP file to indicate that download results have been truncated and the date to use in subsequent download requests to retrieve the remaining results.