DSF/prEN ISO 27789
Health informatics - Audit trails for electronic health records (ISO/DIS 27789:2011)
| Organization: | DS |
| Status: | inactive |
| Page Count: | 56 |
| ICS Code (IT applications in health care technology): | 35.240.80 |
Scope:
Electronic health records on an individual may reside in many different information systems within and across organisational or national boundaries. To keep track of all actions that involve records on an individual, a common framework for audit trails is a prerequisite. ISO 27799 requires information systems containing personal health information to create a secure audit record each time a user accesses, creates, updates, or archives personal health information via the system. This audit record will, at a minimum, uniquely identify the user, uniquely identify the data subject (i.e., the patient), identify the function performed by the user (record creation, access, update, etc.), and identify its point in time. However, ISO 27799 does not specify the format and processes for these. Audit trails on electronic health records across different systems (including archives) need a comprehensive common framework to keep the complete set of personal health information auditable. This project will specify the minimum requirements in terms of what events and what data to include in the audit log. Minimum requirements for audit log management (e.g. retention periods) will also be given. Examples will be given of services for audit log management based on this standard.