over 4 years ago

1. Reference standards

Organization  Description
IETF          The Syslog Protocol (RFC 5424)
IETF          Transmission of Syslog Messages over TLS (RFC 5425)
IETF          Transmission of Syslog Messages over UDP (RFC 5426)
IETF          Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications (RFC 3881)
DICOM         DICOM PS 3 - 2011
ASTM          ASTM E2147-01 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems
NIST          NIST SP 800-92 Guide to Computer Security Log Management
W3C           W3C Recommendation: Extensible Markup Language (XML) 1.0

2. Audit Record Transportation (transport mechanisms)

2.1. The two transport mechanisms

  1. TLS (RFC5425) + (RFC5424)
  2. UDP (RFC5426) + (RFC5424)

The Audit Record Repository must support both transport mechanisms.

2.1.1. RFC 5424 example:

RFC5424.format
<85>1 2014-04-14T09:37:52.548Z 127.0.0.1 SyslogSender 183 IHE+RFC-3881 - MSG
2.1.1.1. The RFC 5424 packet format is <PRI>HEADER - MSG
2.1.1.2. HEADER consists of VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
2.1.1.2.1. VERSION is 1
2.1.1.2.2. TIMESTAMP follows RFC 3339; T and Z must be upper case, and T is mandatory.
2.1.1.2.3. PRI, the Priority Value

The priority value PRI is a number enclosed in '<' and '>', computed with the following formula:

Calculating Priority Value
PRI = Facility * 8 + Severity
<85> = 10 * 8 + 5
2.1.1.2.4. Facility levels
Facility Number  Keyword   Facility Description
0                kern      kernel messages
1                user      user-level messages
2                mail      mail system
3                daemon    system daemons
4                auth      security/authorization messages
5                syslog    messages generated internally by syslogd
6                lpr       line printer subsystem
7                news      network news subsystem
8                uucp      UUCP subsystem
9                -         clock daemon
10               authpriv  security/authorization messages
11               ftp       FTP daemon
12               -         NTP subsystem
13               -         log audit
14               -         log alert
15               cron      clock daemon
16               local0    local use 0 (local0)
17               local1    local use 1 (local1)
18               local2    local use 2 (local2)
19               local3    local use 3 (local3)
20               local4    local use 4 (local4)
21               local5    local use 5 (local5)
22               local6    local use 6 (local6)
23               local7    local use 7 (local7)
2.1.1.2.5. Severity levels
Code  Severity
0     Emergency
1     Alert
2     Critical
3     Error
4     Warning
5     Notice
6     Informational
7     Debug
2.1.1.3. MSG is XML-formatted data: the RFC-3881 format, DICOM Audit Trail, IHE Audit Trail, etc.
2.1.1.4. Other details:
  1. The XML audit message may contain Unicode characters encoded in UTF-8; the Audit Record Repository must preserve all 8 bits of the UTF-8 encoding.
  2. The Facility value should be 10 (security/authorization messages).
  3. The Severity value should mostly be 5 (normal but significant); an application may also choose 4 (warning condition).
  4. The Audit Record Repository should handle any incoming PRI gracefully.
  5. The MSGID field should be set to IHE+RFC-3881.
  6. The MSG field should be XML structured data conforming to the RFC-3881 format.
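As an added example (not code from the original post), the following Python builds an RFC 5424 line with the PRI, TIMESTAMP and MSGID conventions of 2.1.1.2 and 2.1.1.4, and checks an incoming line against them the way a repository-side pre-filter might; the function names are my own.

```python
import re

FACILITY_AUTHPRIV = 10      # "security/authorization messages": the facility ATNA expects
SEVERITY_NOTICE = 5         # "normal but significant"; 4 (Warning) is the other accepted value
ATNA_MSGID = "IHE+RFC-3881"

def priority(facility, severity):
    """PRI = Facility * 8 + Severity; priority(10, 5) == 85 as in the sample line above."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_atna_syslog(timestamp, hostname, app_name, procid, xml_msg, severity=SEVERITY_NOTICE):
    """Build the RFC 5424 line ATNA expects: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID - MSG.
    timestamp must already be RFC 3339 with upper-case T and Z, e.g. 2014-04-14T09:37:52.548Z."""
    pri = priority(FACILITY_AUTHPRIV, severity)
    # "-" is the NILVALUE for STRUCTURED-DATA, which these audit messages leave empty
    return f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} {ATNA_MSGID} - {xml_msg}"

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                       r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$", re.S)
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def parse_atna_syslog(line):
    """Split an RFC 5424 line into its fields and list deviations from the ATNA rules above.
    A repository should still store a message with an unexpected PRI, so these are warnings."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    f = m.groupdict()
    f["facility"], f["severity"] = divmod(int(f["pri"]), 8)   # inverse of Facility*8+Severity
    warnings = []
    if int(f["pri"]) > 191:
        warnings.append("PRI outside 0-191")
    if f["ver"] != "1":
        warnings.append("VERSION is not 1")
    if not RFC3339_RE.match(f["ts"]):
        warnings.append("TIMESTAMP is not RFC 3339 with upper-case T and Z")
    if f["facility"] != FACILITY_AUTHPRIV:
        warnings.append(f"facility {f['facility']} is not 10 (authpriv)")
    if f["severity"] not in (SEVERITY_NOTICE, 4):
        warnings.append(f"severity {f['severity']} is neither 5 (Notice) nor 4 (Warning)")
    if f["msgid"] != ATNA_MSGID:
        warnings.append(f"MSGID {f['msgid']!r} is not {ATNA_MSGID}")
    return f, warnings
```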

2.1.2. Reliable Syslog (reliable transport)

See Java network programming (Socket).

2.1.2.1. Syslog messages over UDP (BSD Syslog)
2.1.2.2. Syslog messages over TLS

3. Audit Message Formats

3.1. RFC-3881 format

A common XML schema was defined based upon joint work by IHE, HL7, DICOM, ASTM E31, and the Joint NEMA/COCIR/JIRA Security and Privacy Committee.
The IHE IT Infrastructure technical framework prefers use of this schema for audit records generated by all IHE actors.

The schema can be found in the DICOM Standard, Part 15 Annex A.5 (Available from: http://www.dclunie.com/dicom-status/status.html)

The DICOM Standard, Part 15, Annex A.5 Audit Trail Message Format Profile also provides vocabulary and further specification of the use of these schema elements for events that may occur in the context of DICOM equipment.

IHE has evaluated this and determined that it is more broadly applicable, and extended it for more general healthcare use.

3.1.1. Schema diagram examples:

3.1.1.1. AuditMessage

3.1.1.2. AuditMessage/EventIdentification

3.1.1.3. AuditMessage/ActiveParticipant

3.1.1.4. AuditMessage/AuditSourceIdentification

3.1.1.5. AuditMessage/ParticipantObjectIdentification

3.2. DICOM Audit Trail

The Secure Node actor should be able to detect the events defined in the DICOM standard PS 3.16 - 2011, CID 400, and generate DICOM-standard events.

3.3. IHE Audit Trail

The DICOM standard and RFC-3881 do not cover every type of security and privacy event; ITI TF-2a:3.20.7.5 lists additional IHE event definitions.

3.4. Other event reports

Events that match neither the DICOM events nor the IHE extension events should conform to RFC-3881.

3.5. Event

3.5.1. Event ID (Required)

3.5.1.1. Type

CodedValueType

CodedValueType
<xs:complexType name="CodedValueType">
  <xs:attribute name="code" type="xs:string" use="required"/>
  <xs:attributeGroup ref="CodeSystem"/>
  <xs:attribute name="displayName" type="xs:string" use="optional"/>
  <xs:attribute name="originalText" type="xs:string" use="optional"/>
</xs:complexType>

3.5.2. Event Action Code (Optional)

Classification code indicating the type of action performed during the audited activity.

Value Meaning
C Create
R Read/View/Print/Query
U Update
D Delete
E Execute

3.5.3. Event Date/Time (Required)

Unambiguously identifies the time of the invocation; must conform to ISO 8601.

3.5.4. Event Outcome Indicator (Required)

Indicates whether the event succeeded or failed.

Value Meaning
0 Success
4 Minor failure; the action was restarted, e.g. a retried password login
8 Serious failure; the action was terminated, e.g. wrong-password login attempts exceeding the allowed number
12 Major failure; the action is unavailable, e.g. wrong-password login attempts so serious that login is disabled

3.5.5. Event Type Code (Optional)

Identifies the category of the event.

3.5.5.1. Type

CodedValueType (schema as in 3.5.1.1)

3.6. Active Participant Identification

3.6.1. User ID (Required)

Unique identifier of the user actively participating in the event.

3.6.2. Alternative User ID (Optional)

Unique identifier; an alternative kind of user ID.

3.6.3. User Name (Optional)

Human-readable user name.

3.6.4. User Is Requestor (Optional)

Indicates whether or not the user is the requestor of the audited event.

3.6.5. Role ID Code

3.6.5.1. Type

CodedValueType (schema as in 3.5.1.1)

3.7. Network Access Point Identification

3.7.1. Network Access Point Type Code (Optional)

Classification code for the kind of network access point.

Value Meaning
1 Machine Name, including DNS name
2 IP Address
3 Telephone Number

3.7.2. Network Access Point ID (Optional)

Identifier of the network access point of the user device involved in the audited event, such as an IP address or another identifier associated with the device.

3.8. Audit Source Identification

3.8.1. Audit Enterprise Site ID (Optional)

Logical location within the healthcare enterprise network, e.g. one hospital or other provider within a multi-entity provider group.

3.8.2. Audit Source ID (Required)

Identifier of the source that generated the event.

3.8.3. Audit Source Type Code (Optional)

Classification code for the kind of source that generated the event.

Value Meaning
1 End-user interface
2 Data acquisition device or instrument
3 Web server process tier in a multi-tier system
4 Application server process tier in a multi-tier system
5 Database server process tier in a multi-tier system
6 Security server, e.g., a domain controller
7 ISO level 1-3 network component
8 ISO level 4-6 operating software
9 External source, other or unknown type
3.8.3.1. Type

CodedValueType (schema as in 3.5.1.1)

3.9. Participant Object Identification

3.9.1. Participant Object Type Code (Optional)

Value Meaning
1 Person
2 System Object
3 Organization
4 Other

3.9.2. Participant Object Type Code Role

Value  Meaning                          Participant Object Type Codes
1      Patient                          1 - Person
2      Location                         3 - Organization
3      Report                           2 - System Object
4      Resource                         1 - Person; 3 - Organization
5      Master file                      2 - System Object
6      User                             1 - Person; 2 - System Object (non-human user)
7      List                             2 - System Object
8      Doctor                           1 - Person
9      Subscriber                       3 - Organization
10     Guarantor                        1 - Person; 3 - Organization
11     Security User Entity             1 - Person; 2 - System Object
12     Security User Group              2 - System Object
13     Security Resource                2 - System Object
14     Security Granularity Definition  2 - System Object
15     Provider                         1 - Person; 3 - Organization
16     Data Destination                 2 - System Object
17     Data Repository                  2 - System Object
18     Schedule                         2 - System Object
19     Customer                         3 - Organization
20     Job                              2 - System Object
21     Job Stream                       2 - System Object
22     Table                            2 - System Object
23     Routing Criteria                 2 - System Object
24     Query                            2 - System Object

3.9.3. Participant Object Data Life Cycle

Value Meaning
1 Origination / Creation
2 Import / Copy from original
3 Amendment
4 Verification
5 Translation
6 Access / Use
7 De-identification
8 Aggregation, summarization, derivation
9 Report
10 Export / Copy to target
11 Disclosure
12 Receipt of disclosure
13 Archiving
14 Logical deletion
15 Permanent erasure / Physical destruction

3.9.4. Participant Object ID Type Code

Value  Meaning                 Participant Object Type Codes
1      Medical Record Number   1 - Person
2      Patient Number          1 - Person
3      Encounter Number        1 - Person
4      Enrollee Number         1 - Person
5      Social Security Number  1 - Person
6      Account Number          1 - Person; 3 - Organization
7      Guarantor Number        1 - Person; 3 - Organization
8      Report Name             2 - System Object
9      Report Number           2 - System Object
10     Search Criteria         2 - System Object
11     User Identifier         1 - Person; 2 - System Object
12     URI                     2 - System Object
3.9.4.1. Type

CodedValueType (schema as in 3.5.1.1)

3.9.5. Participant Object Sensitivity

3.9.6. Participant Object ID (Required)

3.9.7. Participant Object Name

3.9.8. Participant Object Query

3.9.8.1. Type

base64Binary

3.9.9. Participant Object Detail

3.9.9.1. Type

TypeValuePairType

TypeValuePairType
<xs:complexType name="TypeValuePairType">
    <xs:attribute name="type" type="xs:string" use="required"/>
    <xs:attribute name="value" type="xs:base64Binary" use="required"/>
</xs:complexType>

4. Message example

Audit message issued by the Document Source for ITI-41

ITI-41_110106.dcm.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='healthcare-security-audit.xsd'>
    <EventIdentification EventActionCode='R' EventDateTime='2014-04-14T15:42:27.245Z' EventOutcomeIndicator='4'>
        <EventID csd-code='110106' originalText='Export' codeSystemName='DCM' />
        <EventTypeCode csd-code='ITI-41' originalText='Provide and Register Document Set-b' codeSystemName='IHE Transactions' />
    </EventIdentification>
    <ActiveParticipant UserIsRequestor='true' UserID='fgranger' UserName='farley'>
        <RoleIDCode csd-code='USR' codeSystemName='ROLES' originalText='User' />
    </ActiveParticipant>
    <ActiveParticipant UserIsRequestor='true' UserID='1' AlternativeUserID='4356' NetworkAccessPointID='128.252.180.34' NetworkAccessPointTypeCode='2'>
        <RoleIDCode csd-code='110153' originalText='Source' codeSystemName='DCM' />
    </ActiveParticipant>
    <ActiveParticipant UserIsRequestor='false' UserID='http://ihexds.nist.gov:9080/tf6/services/xdsrepositoryb' NetworkAccessPointID='http://ihexds.nist.gov:9080/tf6/services/xdsrepositoryb' NetworkAccessPointTypeCode='2'>
        <RoleIDCode csd-code='110152' originalText='Destination' codeSystemName='DCM' />
    </ActiveParticipant>
    <AuditSourceIdentification code="1" AuditEnterpriseSiteID="" AuditSourceID="SUN PIX/PDQ" />
    <ParticipantObjectIdentification ParticipantObjectID='TestPatient1^^^&amp;&amp;1.3.6.1.4.1.21367.13.20.1000&amp;ISO' ParticipantObjectTypeCode='1' ParticipantObjectTypeCodeRole='1'>
        <ParticipantObjectIDTypeCode csd-code='2' originalText='Patient Number' codeSystemName='RFC-3881' />
    </ParticipantObjectIdentification>
    <ParticipantObjectIdentification ParticipantObjectID='1.3.6.1.4.1.21367.2010.1.2.167.1292341934274.2' ParticipantObjectTypeCode='2' ParticipantObjectTypeCodeRole='20'>
        <ParticipantObjectIDTypeCode csd-code='urn:uuid:a54d6aa5-d40d-43f9-88c5-b4633d873bdd' originalText='submission set classificationNode' codeSystemName='IHE XDS Metadata' />
    </ParticipantObjectIdentification>
</AuditMessage>
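An added example, not part of the original post: a Python validator that applies the required-field, EventActionCode, EventOutcomeIndicator, ISO 8601 and 3.9.2 type/role rules from section 3 to a message shaped like the one above, as a repository might do before accepting a record. The sample message and function names are constructed for this illustration; the code attribute is read as `csd-code`, as in the sample above.

```python
import re
import xml.etree.ElementTree as ET

# ParticipantObjectTypeCode values allowed per ParticipantObjectTypeCodeRole, from the 3.9.2 table (1 Person, 2 System Object, 3 Organization; "13" = 1 or 3)
ROLE_TYPES = {"1": "1", "2": "3", "3": "2", "4": "13", "5": "2", "6": "12", "7": "2", "8": "1", "9": "3",
              "10": "13", "11": "12", "12": "2", "13": "2", "14": "2", "15": "13", "16": "2", "17": "2",
              "18": "2", "19": "3", "20": "2", "21": "2", "22": "2", "23": "2", "24": "2"}
ISO8601_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def validate_audit_message(xml_text):
    """Return the rule violations found in an RFC-3881 AuditMessage (empty list = accepted)."""
    problems = []
    root = ET.fromstring(xml_text)
    ev = root.find("EventIdentification")
    if ev is None:
        problems.append("EventIdentification is missing")
    else:
        eid = ev.find("EventID")
        if eid is None or not eid.get("csd-code"):
            problems.append("EventID (Required) has no csd-code")
        action = ev.get("EventActionCode")            # optional, but constrained when present
        if action is not None and action not in ("C", "R", "U", "D", "E"):
            problems.append(f"EventActionCode {action!r} is not C, R, U, D or E")
        if ev.get("EventOutcomeIndicator") not in ("0", "4", "8", "12"):
            problems.append("EventOutcomeIndicator (Required) must be 0, 4, 8 or 12")
        if not ISO8601_RE.match(ev.get("EventDateTime", "")):
            problems.append("EventDateTime (Required) is not an ISO 8601 timestamp")
    for ap in root.findall("ActiveParticipant"):
        if not ap.get("UserID"):
            problems.append("ActiveParticipant without UserID (Required)")
    src = root.find("AuditSourceIdentification")
    if src is None or not src.get("AuditSourceID"):
        problems.append("AuditSourceID (Required) is missing")
    for po in root.findall("ParticipantObjectIdentification"):
        if not po.get("ParticipantObjectID"):
            problems.append("ParticipantObjectIdentification without ParticipantObjectID (Required)")
        typ, role = po.get("ParticipantObjectTypeCode"), po.get("ParticipantObjectTypeCodeRole")
        if role in ROLE_TYPES and typ not in set(ROLE_TYPES[role]):
            problems.append(f"ParticipantObjectTypeCodeRole {role} does not allow ParticipantObjectTypeCode {typ}")
    return problems
# Constructed sample shaped like the ITI-41 message above; the second object claims role 20 (Job) with type 1 (Person), which the 3.9.2 table does not allow
SAMPLE = """<AuditMessage>
  <EventIdentification EventActionCode='R' EventDateTime='2014-04-14T15:42:27.245Z' EventOutcomeIndicator='0'>
    <EventID csd-code='110106' originalText='Export' codeSystemName='DCM'/></EventIdentification>
  <ActiveParticipant UserIsRequestor='true' UserID='fgranger' NetworkAccessPointID='128.252.180.34' NetworkAccessPointTypeCode='2'/>
  <AuditSourceIdentification code='1' AuditSourceID='SUN PIX/PDQ'/>
  <ParticipantObjectIdentification ParticipantObjectID='TestPatient1' ParticipantObjectTypeCode='1' ParticipantObjectTypeCodeRole='1'/>
  <ParticipantObjectIdentification ParticipantObjectID='job-42' ParticipantObjectTypeCode='1' ParticipantObjectTypeCodeRole='20'/>
</AuditMessage>"""
```

Calling `validate_audit_message(SAMPLE)` reports only the role/type mismatch on the second object; an empty list means the record passed every check.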