How do you log activity on a FHIR server?

How do you determine whether suspicious activity is occurring, or whether someone or something is accessing your FHIR data when they shouldn't be?

Maybe you have SMART on FHIR configured. Maybe you're allowing direct access using a client ID and client secret, exchanged for a bearer token. Maybe you've rolled your own access method.

This is where FHIR's AuditEvent resource becomes useful. When used, the AuditEvent functions as an access record: one or more entries are written for each user login, bulk operation, or data access.

Most devs will never write code to access the AuditEvent resource. In many cases they won’t have access to it at all.

When used, it will likely be written by middleware that was implemented in the early days of the project, and read by a reporting module whose job is to flag potential problems or report on access attempts.
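To show both halves of that arrangement, here is an added example (not code from the original post or from any FHIR server): a writer that produces R4 AuditEvent entries the way access middleware would, and a reporting check that scans them for access patterns worth reviewing. The server name, user identifiers, thresholds and sample traffic are all constructed.

```python
"""Constructed example: create FHIR R4 AuditEvent entries as access middleware
would, then scan a batch of them for patterns a reporting module might flag."""
from datetime import datetime, timedelta, timezone

def make_audit_event(user, action, resource_ref, outcome="0", when=None):
    """Return one R4 AuditEvent dict. action is C/R/U/D/E; outcome "0" is
    success, "4"/"8"/"12" are the R4 failure codes."""
    when = when or datetime.now(timezone.utc)
    return {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type",
                 "code": "rest", "display": "RESTful Operation"},
        "action": action,
        "recorded": when.isoformat(),
        "outcome": outcome,
        "agent": [{"who": {"identifier": {"value": user}}, "requestor": True}],
        "source": {"observer": {"display": "example-fhir-server"}},  # constructed name
        "entity": [{"what": {"reference": resource_ref}}],
    }

def flag_suspicious(events, max_reads=50, max_failures=3, window=timedelta(minutes=5)):
    """Return {user: reason} for requestors whose events look abnormal:
    more than max_reads reads inside one window, or repeated failed accesses."""
    flags, by_user = {}, {}
    for ev in events:
        by_user.setdefault(ev["agent"][0]["who"]["identifier"]["value"], []).append(ev)
    for user, evs in by_user.items():
        times = sorted(datetime.fromisoformat(e["recorded"])
                       for e in evs if e["action"] == "R")
        lo = 0  # sliding window over sorted read timestamps
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_reads:
                flags[user] = f"{hi - lo + 1} reads within {int(window.total_seconds())}s"
                break
        failures = sum(1 for e in evs if e["outcome"] != "0")
        if failures >= max_failures:
            flags.setdefault(user, f"{failures} failed accesses")
    return flags

def sample_events():
    """Constructed traffic: one ordinary user, one bulk scraper, one repeated failure."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    normal = [make_audit_event("user-a", "R", f"Patient/{i}", when=t0 + timedelta(seconds=30 * i)) for i in range(5)]
    scraper = [make_audit_event("svc-bulk", "R", f"Patient/{i}", when=t0 + timedelta(seconds=i)) for i in range(60)]
    failing = [make_audit_event("user-c", "R", "Patient/1", outcome="8", when=t0 + timedelta(minutes=i)) for i in range(3)]
    return normal + scraper + failing

if __name__ == "__main__":
    print(flag_suspicious(sample_events()))
```

Real deployments would query AuditEvent from the server (for example with search parameters such as `agent` and `date`) instead of building the list in memory; the flagging logic is the same.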

I often link to the HAPI test server to show sample data, but the HAPI server does not automate the creation of any AuditEvent resources.

The Firely test server does record access information in the AuditEvent resource.

Here's an example:

[figure: an AuditEvent record from the Firely test server]

And this is what some sample data looks like in a more user-friendly UI:

[figure: sample data]

More about the AuditEvent resource:


