Overview
Recording Auditable Events
TruBridge has designed the TruBridge EHR Software with an integrated Security Audit System that records actions made to EPHI. It is these auditable events that should be periodically reviewed for their appropriateness as defined by a facility’s procedure for periodic security review.
The auditing process is enabled by default and cannot be disabled. The audit actions of Access, Query, Copy and Print are always audited. For the audit actions of Insert, Update and Delete there are 3 levels of auditing:
• Access – lowest level of detail. An auditable event is recorded when a screen is accessed, but no information is recorded when data is changed. Best practice: only non-Protected Health Information (PHI) data should use access-only auditing.
• Transaction – middle level of detail. An auditable event is recorded when an insert, update or deletion of data occurs, but without specific details of what the change was. Best practice: this is the lowest audit level set for any PHI data.
• Change – highest level of detail. An auditable event is recorded when an insert, update or deletion of data occurs, and the specific details of the change are stored. Best practice: this audit level is set for all PHI data, provided disk space is available.
By default, TruBridge has set all PHI data to be audited at either the transaction level or the change level.
User facility IT system administration has the capability to change the audit level on all data to a greater or lesser extent, but cannot disable auditing as a whole. Such action to lessen the audit level of PHI should be well justified and documented. This should be done based on a thorough risk analysis, which evaluates the risks of exhausting available system disk space, against the benefits of transaction and change level auditing.
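The three levels above, modelled as an added example (not TruBridge code; the record layout, table names and function names are hypothetical). It shows what an Update leaves in the log at each level and flags PHI data configured below the Transaction level.

```python
# Illustrative model of the three audit levels described above.
# Not TruBridge code: record layout, table names and function names are hypothetical.
ALWAYS_AUDITED = {"Access", "Query", "Copy", "Print"}
LEVELED = {"Insert", "Update", "Delete"}
LEVEL_RANK = {"Access": 0, "Transaction": 1, "Change": 2}

def audit_record(user, table, action, level, before=None, after=None):
    """Return the audit entry written for one event at the given audit level."""
    if action in ALWAYS_AUDITED:
        return {"user": user, "table": table, "event": action}
    if action not in LEVELED:
        raise ValueError(f"unknown audit action: {action}")
    if level == "Access":
        # Only the screen access is visible; the data change itself is not recorded.
        return {"user": user, "table": table, "event": "Access"}
    entry = {"user": user, "table": table, "event": action}
    if level == "Change":
        before, after = before or {}, after or {}
        # Field-level detail: (old value, new value) for every field that differs.
        entry["changes"] = {
            k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)
        }
    return entry

def review_levels(config, phi_tables):
    """Flag PHI tables set below Transaction, the lowest level recommended for PHI."""
    findings = []
    for table in sorted(phi_tables):
        level = config.get(table)
        if level not in LEVEL_RANK:
            findings.append((table, level, "no valid audit level configured"))
        elif LEVEL_RANK[level] < LEVEL_RANK["Transaction"]:
            findings.append((table, level, "PHI below Transaction: justify and document"))
    return findings

# Constructed sample data.
SAMPLE_CONFIG = {"allergies": "Change", "medications": "Transaction",
                 "demographics": "Access", "cafeteria_menu": "Access"}
SAMPLE_PHI = {"allergies", "medications", "demographics"}

if __name__ == "__main__":
    old = {"drug": "penicillin", "severity": "mild"}
    new = {"drug": "penicillin", "severity": "severe"}
    for lvl in ("Access", "Transaction", "Change"):
        print(lvl, audit_record("jdoe", "allergies", "Update", lvl, old, new))
    print(review_levels(SAMPLE_CONFIG, SAMPLE_PHI))
```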
Auditable Events are recorded to the Security Audit System by authorized users of the EHR who are configured accordingly through the System Administration’s Identity Management application. Recording Auditable Events within TruBridge EHR is innocuous. The events are written to the security audit log in such a manner as to not disrupt the normal workflow and documentation conducted by users of the TruBridge EHR Software.
Once recorded, auditable events cannot be modified or changed through use of TruBridge EHR or outside TruBridge EHR as described below.
“Read only” access to auditable events is available within the Security Auditing System. This user guide describes several of the reporting mechanisms intended for use by System Administrators that may be included as part of a comprehensive review of all systems and devices that store, use and transmit EPHI at a user facility.
Ensuring Auditable Events are of High Integrity
In order to protect the integrity of auditable events, mechanisms and triggers are included within the Security Audit System to detect if the audit log database has been accessed, modified or otherwise tampered with from outside the TruBridge EHR Software in an unapproved manner.
Like the Security Audit System itself, the tamper resistance described here is always enabled and cannot be disabled. Checks are made at system start-up and periodically while TruBridge EHR is running to make sure that the tamper resistance seal itself has not been subjected to attempts to stop its functionality.
Auditable Events as part of the Complete EHR
In its design of the TruBridge EHR Software, TruBridge considers auditable events to EPHI to be as integral a part of the complete EHR as the patient data itself; therefore, access to EPHI that cannot be audited securely is not allowed. As a result, any attempts to access the Security Audit System by unapproved means, including attempts to disable the audit log functionality or the tamper resistance functionality, are considered security attacks and may impact overall data availability to authorized users until such time that auditing capabilities with tamper resistance are in secure functioning order.
If an event as described above occurs, notifications are sent to TruBridge via Remote Communications and facilities are informed regarding the status of the audit log. Joint Security Investigations are begun by both the facility (a HIPAA Covered Entity) and TruBridge (a Business Associate).
For more information regarding the Security Audit System or other security controls included in TruBridge EHR designed to protect EPHI, please contact your TruBridge Customer Support Professional.