File Manager 22.2 Security & Privacy Manual


Chapter 4: Auditing

Fileman includes built-in auditing tools that can provide you with valuable information. Fileman “audits” a file or field by making a note in the file’s audit log every time a change is made, or in some cases, every time the information is accessed. The ability to audit fields and files is a very important tool for any Security officer to have. However, the tool needs to be applied with common sense.

In a typically busy clinical environment, fields and files are being updated constantly. It would be impractical to try to audit them all. First, such large-scale auditing would cause the audit logs to grow rapidly—rapidly enough that it might even affect the speed of the overall VISTA system. Second, once all that audit data was collected, who would have time to look at it all? You’d burn yourself out trying.

Fileman’s auditing features are best focused on critical and sensitive data, such as data dictionaries and patient records. If your facility is experiencing problems, it may be necessary to temporarily audit other files, but you should avoid a situation where you are auditing many files on a long-term basis. It is crucial to manage your audit logs.

Most of the options you will use to manage auditing at your site are in the Audit menu, which is found under Other Options in the main Fileman menu.

Select FILEMAN option: OTHER Options
Select OTHER option: AUDITing
Select AUDIT option: ?

Choose from:  
1 LIST FIELDS BEING AUDITED
2 TURN DATA AUDIT ON/OFF
3 DATA AUDIT TRAIL PURGE
4 SHOW DD AUDIT TRAIL
5 DD AUDIT TRAIL PURGE
6 MONITOR A USER

Select AUDIT option:

In VISTA, DD refers to the data dictionary. The data dictionary contains the set of attributes that defines a field. For example, the data dictionary for a NAME field might specify that it is a free text field, and contains between 5 and 30 characters.

As you can imagine, changing the data dictionary of a field could have far-reaching consequences, so in Fileman 22.2, data dictionaries are always audited. The option to turn this auditing on and off has been removed from the menu.

Let’s look at each of the audit menu options in greater detail.

List Fields Being Audited

You can use this option to show which specific fields are being audited in a file, or in a range of files. You can select the files by name or by number.

Select AUDIT option: LIST fields being audited
Start with what file: PATIENT// OPTION
Go to what file: OPTION//

If you just want to look in one file, enter the same file at the “start with” and “go to” prompts. If you want to look at several files, you will need to list the file with the smaller file number first. Otherwise, Fileman gives you an error message:

Start with what file: PATIENT// OPTION
Go to what file: OPTION// RELIGION
The START WITH File Number must be less than the GO TO File Number.
START WITH What File: RELIGION//

Notice that if you do enter your files in the wrong order, Fileman helpfully gives you the smaller-numbered file as your new default, so you can enter your files in the correct order.

If the files you designate do contain audited fields, Fileman next gives you a Device prompt. If you do not see a Device prompt, you know that there were no audited fields in the files you selected.

Once you choose a device, Fileman gives you a report with the file number, field number, field name, type of field being audited, and the type of audit being performed. Currently, this option only lists audited fields at the file's top level; fields audited in a multiple don’t appear in this listing. The Fileman development team is aware of this shortcoming, and is working to add audited multiples in a future release.

The listing below shows all fields flagged for auditing in the PATIENT file.

AUDITED FIELDS   JAN 30,2013@16:13   PAGE 1
FILE   NUMBER  LABEL             TYPE         AUDIT
---------------------------------------------------------------------
2      .01     NAME              FREE TEXT    YES, ALWAYS
2      .02     SEX               SET          YES, ALWAYS
2      .03     DATE OF BIRTH     DATE/TIME    YES, ALWAYS
2      .05     MARITAL STATUS    POINTER      YES, ALWAYS

This list would continue for a while, because as you can imagine, quite a few fields in the PATIENT file are audited by default.
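
To check a captured listing against your facility's audit policy, you can compare it with a baseline. The following Python script is an added example, not part of Fileman; the baseline, the weakened SEX row, and the wording of field types and audit modes beyond those shown above are assumptions. Because the listing covers only top-level fields, a baseline entry for a field inside a multiple will always be reported as not audited.

```python
import re

# Type and mode wording beyond what the sample listing shows is an assumption.
TYPES = ("FREE TEXT", "SET", "DATE/TIME", "POINTER", "NUMERIC",
         "WORD-PROCESSING", "COMPUTED", "VARIABLE-POINTER", "MUMPS")
RANK = {"NOT AUDITED": 0, "EDITED OR DELETED": 1, "YES, ALWAYS": 2}
ROW = re.compile(
    r"^\s*(?P<file>[\d.]+)\s+(?P<field>[\d.]+)\s+(?P<label>.+?)\s+"
    r"(?P<type>" + "|".join(map(re.escape, TYPES)) + r")\s+"
    r"(?P<audit>YES, ALWAYS|EDITED OR DELETED)\s*$")

# Constructed capture: the sample rows with SEX weakened and field .05 missing.
SAMPLE = """\
AUDITED FIELDS   JAN 30,2013@16:13   PAGE 1
FILE NUMBER LABEL TYPE AUDIT
---------------------------------------------------------------------
2 .01 NAME FREE TEXT YES, ALWAYS
2 .02 SEX SET EDITED OR DELETED
2 .03 DATE OF BIRTH DATE/TIME YES, ALWAYS
"""
# Hypothetical policy: these top-level PATIENT fields must be YES, ALWAYS.
BASELINE = {("2", f): "YES, ALWAYS" for f in (".01", ".02", ".03", ".05")}


def parse_listing(text):
    """Return {(file, field): audit mode} for every data row in the listing."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line.upper())
        if m:
            found[(m["file"], m["field"])] = m["audit"]
    return found


def audit_drift(text, baseline):
    """List baseline fields whose actual audit mode is weaker than required."""
    actual = parse_listing(text)
    drift = []
    for key, required in sorted(baseline.items()):
        mode = actual.get(key, "NOT AUDITED")  # absent from listing = no audit
        if RANK[mode] < RANK[required]:
            drift.append((key[0], key[1], required, mode))
    return drift


if __name__ == "__main__":
    for file_no, field_no, required, actual in audit_drift(SAMPLE, BASELINE):
        print(f"file {file_no} field {field_no}: "
              f"policy {required!r}, found {actual!r}")
```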

Turn Data Audit On/Off

As the name implies, this option allows you to set up or cancel data auditing for specific fields.

Select AUDIT option: TURN data audit on/off
Audit from what file: PATIENT// ORDER
Select FIELD:

As with the “list files” option, you can select files by name or file number. Once you have selected a file, Fileman asks you which field you would like to work with. You can enter a question mark at this prompt to get a list of fields. As with files, you can choose fields by number or by name.

Select AUDIT option: TURN data audit on/off
Audit from what file: PATIENT// ORDER
Select FIELD: .01 ORDER #
Audit:

Next, Fileman asks you for a value to place in the audit field. There are three possibilities. Well, four. Okay, three and a half. Let’s explain.

One option is Yes, Always. This means that Fileman will make a note in the audit log anytime somebody touches this field (in this case, the ORDER # field). It doesn’t matter whether the user is editing, deleting, or even looking at the field; if the field is touched at all, Fileman makes a note.

Another option is Edited or Deleted. This means that Fileman will make a note in the audit log only when a user edits or deletes the value in the field. It will not make a note if the user only looks at the field.

The third option is No, which means that no auditing will take place.

Those are the three possibilities. But the audit field can also be left blank. If it’s blank, no auditing will take place. Functionally, leaving the field blank is the same as entering No.

A blank field and a No may be functionally the same, but they look different. One is an empty value, and the other is not. You can leverage this difference to add clarity to your auditing choices.

We recommend that you reserve No for times when you are overriding audit policies or guidelines set for your facility. If you simply delete whatever value is in the field, it could appear as if the field had been deleted accidentally; somebody could “helpfully” re-set the field to its old value. If you enter a No, on the other hand, it is clear that you did it on purpose; it was not an oversight. Of course, you may need to defend your position, but you won’t have to constantly undo the efforts of people “helping.”

We recommend leaving the audit field blank in all other cases where you don’t want auditing. And of course, the vast majority of the fields in your Fileman installation will not be audited; the audit field is usually blank.

Data Audit Trail Purge

You can use this option to purge the audit trail—that is, to delete the log entries created from auditing data fields for a specified file. This may sound terrifying, but it needs to be done, or else your audit logs will grow too large and start slowing down the system. The logs are not purged automatically. You will need to schedule and perform purges in accordance with your organization’s overall data-retention strategy.

If your organization’s overall data-retention strategy is “retain all audit data all the time forever and never delete anything,” then it needs to be rewritten. Hanging onto audit data forever is an understandable impulse, but it is not practical and not necessary.

Before purging an audit trail, you should turn auditing off for the field(s) whose audit trail is being purged, and then turn it back on once the purge is complete.

If that is not possible, you can leave auditing on during the purge. If you do it this way, however, Fileman will be trying to audit and purge at the same time, and the audit logs recorded during the purge may end up being incomplete. If you need to leave auditing on, it is best to run the purge when there aren’t many users in the system.

Purged audit records cannot be recovered!

When you select this option, Fileman asks you which file you would like to purge. The next prompt asks whether you want to purge all audit records for the file.

Select AUDIT option: DATA audit trail purge
Audit from what file: PATIENT// PROTOCOL
Do you want to purge all data audit records? NO// <Enter>

Usually, you will not be purging all data audit records from a file, unless it’s a file where you’re only auditing a couple of fields. If you answer No at this prompt, Fileman next asks you how to select the records to be purged. If you type a question mark at this prompt, you will see a list of possible answers.

Do you want to purge all data audit records? NO// <Enter>
Purge audit records by: INTERNAL ENTRY NUMBER// ?
Answer with FIELD NUMBER, or LABEL
Do you want the entire FIELD List? Y <Enter>
Choose from:
.001 NUMBER
.01 INTERNAL ENTRY NUMBER
.02 DATE/TIME RECORDED
.03 FIELD NUMBER
.04 USER
.05 RECORD ADDED
.06 ACCESSED
1 ENTRY NAME
1.1 FIELD NAME
2 OLD VALUE
2.1 OLD INTERNAL VALUE
2.2 DATATYPE OF OLD VALUE
2.9 PATIENT
3 NEW VALUE
3.1 NEW INTERNAL VALUE
3.2 DATATYPE OF NEW VALUE
4.1 MENU OPTION USED
4.2 PROTOCOL or OPTION USED
Type '-' in front of numeric-valued field name to sort from high to low.
Type '+' in front of field name to get SUBTOTALS by that field's values.
  '#' to PAGE-FEED on each field value, '!' to get RANKING NUMBER
  '@' to SUPPRESS SUB-HEADER, ']' to force SAVING TEMPLATE
Type ';TXT' after free-text fields to SORT NUMBERS AS TEXT
Type [TEMPLATE NAME] in brackets to SORT BY PREVIOUS SEARCH RESULTS
Type 'BY(0)' to define record selection and sort order

Selecting which fields and which records to purge is similar to the process for sorting records, as described in the Fileman 22.2 Getting Started Manual. In fact, you can even use a Sort template to select records to purge.

In the following example, we purge all audit data related to Flappy’s protocols. (Flappy is the FLAP project mascot, pictured on the title page of this manual.)

Purge audit records by: INTERNAL ENTRY NUMBER// USER
Start with USER: FIRST// FLAPPY
Go to USER: LAST// FLAPPY
  Within USER, purge audit records by: <Enter>
DEVICE: <Enter>
PURGE OF AUDIT DATA: PROTOCOL FILE   FEB 4,2013@16:10   PAGE 1
---------------------------------------------------------------------

...
0 POINTERS FIXED.

2 RECORDS PURGED.

As we mentioned earlier, it is not typical to purge all data audit records associated with a file. In fact, if you answer Yes at this prompt, Fileman asks if you are sure.

Audit from what file: PATIENT// <Enter>
Do you want to purge all data audit records? NO// YES
Are you sure? NO// YES
DELETED

The above dialog represents a really bad idea. Do not purge all data audit records from the PATIENT file unless you have a truly dire emergency. Purges from the PATIENT file, in particular, need to be done with care.

Show Data Dictionary Audit Trail

Beginning with Fileman 22.2, all data dictionaries are automatically audited. This function cannot be disabled. There are a couple of reasons for this: first, changing the way files are defined can have a profound effect on the integrity of the data. And second, since the data dictionary isn’t (or shouldn’t be) modified that often, its audit trail isn’t going to grow too large too soon.

Also new in Fileman 22.2 is this option to view the audit trail for the entire data dictionary.

Select AUDIT option: SHOW DD audit trail
Show Data Dictionary changes since: First// <Enter>
DEVICE: HOME//

If you do begin with the first change as shown above, you probably will end up with quite a few entries to look at. You may want to send this to the Browser, if it is available. Of course, if you have an idea of the time frame you want to review, you can cut the list down by entering a date at the “show changes since” prompt.

If you would like to see the data-dictionary audits for just one or two files, you can use the Inquire to File Entries or Print File Entries option, as described in the “Other Auditing Options” section of this chapter.

Data Dictionary Audit Trail Purge

This option allows you to purge the data-dictionary audit trail, much as the Data Audit Trail Purge allows you to purge the audit trail from fields. Unlike the Data Audit Trail Purge, however, this option does not need to be run regularly. Unless your site is doing something really unusual, your programmers will not be messing with the data dictionary all that much. Purging the data-dictionary audit trail won’t free up much space on the system, so there’s little reason to do it very often.

If you do decide to purge this audit trail, here’s what it will look like:

Select AUDIT option: DD AUDIT trail purge
Audit from what File: PROTOCOL// LANGUAGE
Select LANGUAGE SUB-FILE: <Enter>
DO YOU WANT TO PURGE ALL DD AUDIT RECORDS? NO//

If you answer Yes to this final prompt, the specified data dictionary’s audit trail will be purged. Remember that a purge is permanent; there is no way to undo it.

Monitoring a User

This option is new to Fileman 22.2, and was created to address the need for greater oversight of patient-privacy issues. Through this option, you can use Fileman’s audit trails to review the activities of a single user. Keep in mind that you will only be able to see the user’s activities in fields and files that have auditing turned on; if a user has been accessing or editing an unaudited file, you will have no way of seeing that activity.

Let’s see what Flappy’s been up to. (For those of you skipping around in the manual, Flappy is the FLAP project mascot, pictured on the title page.)

Select AUDIT Option: MONITOR A USER
Select a USER who has signed on to this system: FLAPPY
Select AUDITED File: PATIENT
Start with DATE: FIRST// <Enter>
DEVICE: HOME//

Once we select the user, Fileman prompts us for the file, and where we want to start. Note that if you are auditing someone whose job role includes making frequent changes to the database, starting with the FIRST date as in the example above will give you a lot of data. It’s probably better to narrow your search a little, and you may want to send results to the Browser.

Here is what the results look like:

PATIENT RECORDS ACCESSED BY FLAPPY (DUZ=00)   Page 1
                      EARLIEST ACCESS        LATEST ACCESS
---------------------------------------------------------------------
FMPATIENT,EIGHT       DEC 6,2012@14:24:21    DEC 6,2012@14:24:35
FMPATIENT,FIFTEEN     DEC 6,2012@14:22:45    DEC 6,2012@14:23:02
FMPATIENT,NINETEEN    DEC 6,2012@14:20:49    DEC 6,2012@14:21:10
FMPATIENT,TWENTY      DEC 6,2012@14:18:41    DEC 6,2012@14:19:04
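
One way to review a captured Monitor a User report for bursts of record access, as an added Python example that is not part of Fileman. The ten-minute window, the three-record threshold, and the FMPATIENT,THIRTY row are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}
STAMP = r"([A-Z]{3}) (\d{1,2}),(\d{4})@(\d\d):(\d\d):(\d\d)"
ROW = re.compile(r"^(.+?)\s+" + STAMP + r"\s+" + STAMP + r"$")

# Report rows as shown above, plus one constructed row from the next day.
SAMPLE = """\
PATIENT RECORDS ACCESSED BY FLAPPY (DUZ=00)   Page 1
  EARLIEST ACCESS LATEST ACCESS
---------------------------------------------------------------------
FMPATIENT,EIGHT DEC 6,2012@14:24:21 DEC 6,2012@14:24:35
FMPATIENT,FIFTEEN DEC 6,2012@14:22:45 DEC 6,2012@14:23:02
FMPATIENT,NINETEEN DEC 6,2012@14:20:49 DEC 6,2012@14:21:10
FMPATIENT,TWENTY DEC 6,2012@14:18:41 DEC 6,2012@14:19:04
FMPATIENT,THIRTY DEC 7,2012@09:02:10 DEC 7,2012@09:30:44
"""


def to_datetime(mon, day, year, hh, mm, ss):
    """Convert the captured pieces of a report timestamp to a datetime."""
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss))


def parse_report(text):
    """Return (record name, earliest access, latest access) per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headings and rules carry no timestamps and are skipped
            g = m.groups()
            rows.append((g[0], to_datetime(*g[1:7]), to_datetime(*g[7:13])))
    return rows


def access_bursts(rows, window=timedelta(minutes=10), min_records=3):
    """Group records first opened within `window` of each other.

    A run of many different patients opened minutes apart is worth a closer
    look; the window and the record count are assumptions to tune per role.
    """
    rows = sorted(rows, key=lambda r: r[1])
    bursts, last_end = [], -1
    for i in range(len(rows)):
        j = i
        while j + 1 < len(rows) and rows[j + 1][1] - rows[i][1] <= window:
            j += 1
        # Report each maximal run once, not every shorter run inside it.
        if j - i + 1 >= min_records and j > last_end:
            bursts.append([name for name, _, _ in rows[i:j + 1]])
            last_end = j
    return bursts


if __name__ == "__main__":
    for burst in access_bursts(parse_report(SAMPLE)):
        print(len(burst), "records opened in quick succession:", burst)
```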

Other Auditing Options

Although most auditing options are accessible through the Audit submenu, some are not. In this section, we outline auditing-related features accessible through other menus.

Viewing a Data Audit Trail

You can use the Inquire to File Entries or Print File Entries options on the main Fileman menu to query the AUDIT file to obtain audit information. A general discussion of how to use these options can be found in the Fileman 22.2 Getting Started Manual.

When you choose AUDIT as the file to be printed (or inquired to), the next prompt asks, again, for the name of a file. In this case it is the file for which you wish to view audit data.

Let’s see what happens when we use Inquire to File Entries:

Select option: INQUIRE TO FILE ENTRIES
Output from what File: PATIENT// AUDIT
Audit from what File: PATIENT// <Enter>
Select PATIENT AUDIT: ?
Answer with PATIENT AUDIT NUMBER, or INTERNAL ENTRY NUMBER, or DATE/TIME RECORDED, or USER
  Do you want the entire 103-Entry PATIENT AUDIT List?

Wow. If we want to use Inquire to File Entries, we need to know the exact audit number, or date and time, or record number, of the audit we want to see. We could also inquire by user, but remember that there is already a “monitor a user” option in the Audit submenu, which is probably a better way to do that kind of inquiry. If we don’t have the information we want, we have to pick it out of the entire audit list. And it is probably worth noting that the dialog captured above is from a development environment, not an actual clinical environment. Odds are, your PATIENT audit file has a lot more than 103 entries.

So, unless you know exactly what you’re looking for, Inquire to File Entries is probably not the option you want.

Let’s try Print File Entries instead:

Select option: PRINT FILE ENTRIES
Output from what File: PATIENT// AUDIT
Audit from what File: PATIENT// <Enter>
Sort by: INTERNAL ENTRY NUMBER// DATE/TIME RECORDED
Start with DATE/TIME RECORDED: FIRST// 12/3/2012
Go to DATE/TIME RECORDED: LAST// 12/5/2012
Within DATE/TIME RECORDED, Sort by: <Enter>
First Print FIELD: [CAPTIONED
Include COMPUTED fields: (N/Y/R/B): NO// <Enter>
Heading (S/C): AUDIT List// <Enter>
START at PAGE: 1// <Enter>
DEVICE: HOME//

This is probably closer to the kinds of audit searches you’ll be doing. Using Print File Entries, we are able to sort the audits by date, and narrow our search to a three-day period. (For a general discussion of how to use the Print File Entries option, please consult the Fileman 22.2 Getting Started Manual.) If we choose the CAPTIONED template, as shown above, our results will look something like this:

AUDIT List FEB 19,2013@16:06 PAGE 1
---------------------------------------------------------------------

NUMBER: 1                          INTERNAL ENTRY NUMBER: 1
  DATE/TIME RECORDED: DEC 4,2012@12:56:39
  FIELD NUMBER: .01                USER: TESTMASTER,USER
  RECORD ADDED: Added Record       MENU OPTION USED: DG LOAD
PATIENT DATA

NUMBER: 2                          INTERNAL ENTRY NUMBER: 1
  DATE/TIME RECORDED: DEC 4,2012@12:56:40
  FIELD NUMBER: .02                USER: TESTMASTER,USER
  NEW INTERNAL VALUE: M            DATATYPE OF NEW VALUE: RSa
  MENU OPTION USED: DG LOAD PATIENT DATA

The data would go on for some time, of course, but that is how it would look. Remember that you can send your results to the Browser (if it is enabled), which may be preferable if you think you’re going to get a lot of data.
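
If you save a captioned printout to a file, it can be turned into structured records for filtering or export. The following Python parser is an added example, not part of Fileman; it relies on the captions from the AUDIT file field list shown earlier in this chapter and assumes that a line without a caption continues the previous value.

```python
import re
from collections import Counter

# Captions from the AUDIT file field list shown earlier in this chapter.
CAPTIONS = [
    "NUMBER", "INTERNAL ENTRY NUMBER", "DATE/TIME RECORDED", "FIELD NUMBER",
    "USER", "RECORD ADDED", "ACCESSED", "ENTRY NAME", "FIELD NAME",
    "OLD VALUE", "OLD INTERNAL VALUE", "DATATYPE OF OLD VALUE", "PATIENT",
    "NEW VALUE", "NEW INTERNAL VALUE", "DATATYPE OF NEW VALUE",
    "MENU OPTION USED", "PROTOCOL or OPTION USED",
]
# A caption counts only when a colon follows it. Caveat: a free-text value
# that itself contains "CAPTION: " would be split, so spot-check odd records.
CAPTION_RE = re.compile(
    r"(?<![A-Za-z])(" + "|".join(map(re.escape, CAPTIONS)) + r"):(?= |$)")

# The captioned output shown above, copied as sample input.
SAMPLE = """\
AUDIT List FEB 19,2013@16:06 PAGE 1
---------------------------------------------------------------------
NUMBER: 1 INTERNAL ENTRY NUMBER: 1
  DATE/TIME RECORDED: DEC 4,2012@12:56:39
  FIELD NUMBER: .01 USER: TESTMASTER,USER
  RECORD ADDED: Added Record MENU OPTION USED: DG LOAD
PATIENT DATA
NUMBER: 2 INTERNAL ENTRY NUMBER: 1
  DATE/TIME RECORDED: DEC 4,2012@12:56:40
  FIELD NUMBER: .02 USER: TESTMASTER,USER
  NEW INTERNAL VALUE: M DATATYPE OF NEW VALUE: RSa
  MENU OPTION USED: DG LOAD PATIENT DATA
"""


def parse_captioned(text):
    """Return one dict per audit entry, keyed by caption."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or re.search(r"PAGE \d+$", line):
            continue                  # blank lines, rules, page headings
        hits = list(CAPTION_RE.finditer(line))
        if not hits:                  # wrapped value: extend previous field
            if current is not None and last:
                current[last] = (current[last] + " " + line).strip()
            continue
        for k, hit in enumerate(hits):
            end = hits[k + 1].start() if k + 1 < len(hits) else len(line)
            caption, value = hit.group(1), line[hit.end():end].strip()
            if caption == "NUMBER" and hit.start() == 0:
                current = {}          # "NUMBER:" at line start opens an entry
                records.append(current)
            if current is not None:
                current[caption], last = value, caption
    return records


def option_use(records):
    """Count audit entries per (user, menu option used)."""
    return Counter((r.get("USER"), r.get("MENU OPTION USED")) for r in records)
```

Counting by user and menu option shows at a glance which options were used to change audited fields, and it only groups correctly because the wrapped DG LOAD PATIENT DATA value is rejoined.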

Viewing a Data Dictionary Audit Trail

The Audit submenu includes an option for viewing the entire data dictionary audit trail, for all files. If you are interested in the data dictionary audit for only one or two files, however, you can use Inquire to File Entries or Print File Entries to see the information you want:

Select option: INQUIRE TO FILE ENTRIES
Output from what File: DD AUDIT
Audit from what File: PATIENT
Select PATIENT sub-file:

We didn’t see the “sub-file” prompt when looking at the data audit trail, but we do see it for the data dictionary audit trail. If we specify a subfile, for example ALIAS, then Fileman will show us the data dictionary audit for just the ALIAS subfile. If we do not specify a subfile, Fileman will only show us the data-dictionary audit trail for the top level of the PATIENT file; no subfiles will be included. If we want to inquire on the PATIENT file and all the subfiles, we will need to do those as separate queries.

As with the data audit trail, we would next be prompted for which specific audit we would like to see. If you aren’t sure which audit you want to look at, then Print File Entries is probably a better option.

Setting a Data Field Audit–Modify File Attributes

We have already seen how to turn data auditing on and off by using the aptly-named Turn Data Audit On/Off option. There is another Fileman option that can be used to turn data audit on and off, although you may not have permission to use it. The option is Modify File Attributes, and it allows a user (usually a programmer) to change the data dictionary settings for a specific file and field. One of those settings is “auditing,” so programmers could use this option to change the auditing value in a particular field. For example, a programmer could change the auditing from “yes, always” to “edited or deleted.”

Presumably, a programmer would have a good reason for making such a change. Your facility should have a procedure for when and how programmers can turn data auditing off and on using this option.
