In a healthcare organization, you must implement policies and procedures to ensure that electronic protected health information (e-PHI) is not improperly altered or destroyed. The searches below surface users with a large number of modification events, so that their activity can be monitored and traced back quickly if suspicious events are detected.
To optimize the searches shown below, you should specify an index and a time range. These sample searches use Cerner audit logs. You can swap out this data source for ones in use at your organization, changing field names as necessary.
To count the number of events recorded in your patient record system, broken down by event name, run the following search.
sourcetype="cerner_audit_log" | stats count BY EventName
To see the details of healthcare records that have been modified, run the following search.
sourcetype=cerner_audit_log EventType="Write/Update Results" OR EventType="Add" OR EventType="Sign" OR EventType="Modify" OR EventType="Modify Details" OR EventType="Add/Modify and Review" | convert ctime(_time) | table _time, EventType, UserName, PrsnlName, Role, EventName, NetworkAccID | rename _time AS "Date/Time", UserName AS "User ID", PrsnlName AS "Name", EventType AS "Event Type", EventName AS "Event Name", NetworkAccID AS "Workstation"
To see the modifications in a timeline, change the search to the following:
sourcetype=cerner_audit_log EventType="Write/Update Results" OR EventType="Add" OR EventType="Sign" OR EventType="Modify" OR EventType="Modify Details" OR EventType="Add/Modify and Review" | timechart count(UserName) BY EventType
Abnormal modification events during a two-minute period
To find periods in which a higher number of modifications than normal occurred, run the following search. In this case, a value is considered abnormal when it is more than 1.5 standard deviations above the user's average. You can change that multiplier in the where command to fit your needs. You can also change the time_window in the streamstats command to a value other than two minutes. Note that streamstats with time_window requires the events to be in time order, which is the case for results coming straight from a search.
sourcetype=Cerner_Audit_Log (EventType=Modify OR EventType=View* OR EventType=Security) ParticipantName=* UserName=* | streamstats time_window=2min count AS Mod BY EventName UserName ParticipantName | table EventName UserName ParticipantName Mod | eventstats avg(Mod) AS avg stdev(Mod) AS stdev BY UserName | where Mod > avg+(1.5*stdev) | stats values(EventName) AS actions count BY UserName | rename UserName AS user | sort - count
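To check the threshold logic of that search against known data before deploying it, the following Python script re-implements the same pipeline (trailing two-minute count per EventName/UserName/ParticipantName, per-user average and standard deviation, flag counts above avg + 1.5 * stdev, then summarize by user). This is an added example, not code from the original page or from Cerner or Splunk; the pipe-delimited log format, the field values and the user names are constructed for illustration, and the assumption that Splunk's stdev() is the sample standard deviation is noted in the code.

```python
"""Sliding-window burst detection, mirroring the Splunk search above.

Added example (not from the original page): the streamstats / eventstats /
where / stats logic re-implemented in Python so the threshold can be tested
against sample data. Log format and events are constructed, not real Cerner
output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

WINDOW = timedelta(minutes=2)   # streamstats time_window=2min
SIGMA = 1.5                     # multiplier used in the where command

# Constructed sample lines: timestamp|EventType|EventName|UserName|ParticipantName
SAMPLE_LOG = """\
2024-03-04T08:00:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T08:10:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T08:20:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T08:30:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T09:00:00|Modify|Modify Results|asmith|PAT002
2024-03-04T09:10:00|Modify|Modify Results|asmith|PAT002
2024-03-04T09:20:00|Modify|Modify Results|asmith|PAT002
2024-03-04T09:30:00|Modify|Modify Results|asmith|PAT002
2024-03-04T09:55:00|Login|Logon|jdoe|PAT001
2024-03-04T10:00:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T10:00:05|Modify|Modify Results|jdoe|
2024-03-04T10:00:10|View Chart|View Patient Chart|jdoe|PAT001
2024-03-04T10:00:15|Modify|Modify Results|jdoe|PAT001
2024-03-04T10:00:30|Modify|Modify Results|jdoe|PAT001
2024-03-04T10:00:40|View Chart|View Patient Chart|jdoe|PAT001
2024-03-04T10:00:45|Modify|Modify Results|jdoe|PAT001
2024-03-04T10:01:00|Modify|Modify Results|jdoe|PAT001
2024-03-04T10:01:10|View Chart|View Patient Chart|jdoe|PAT001
2024-03-04T10:01:15|Modify|Modify Results|jdoe|PAT001
"""


def parse(lines):
    """Apply the base search: EventType filter plus ParticipantName=* UserName=*."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, etype, ename, user, participant = line.split("|")
        if not user or not participant:          # field must exist and be non-empty
            continue
        et = etype.lower()                       # Splunk value matching is case-insensitive
        if not (et == "modify" or et.startswith("view") or et == "security"):
            continue
        events.append({"time": datetime.fromisoformat(ts), "EventType": etype,
                       "EventName": ename, "UserName": user, "ParticipantName": participant})
    return events


def window_counts(events, window=WINDOW):
    """streamstats time_window=2min count AS Mod BY EventName UserName ParticipantName.

    Events are processed in ascending time order; Mod is the number of events in the
    same group whose timestamp lies in (t - window, t] for the current event at t.
    """
    events = sorted(events, key=lambda e: e["time"])
    seen = defaultdict(list)                     # group key -> timestamps in window
    for e in events:
        key = (e["EventName"], e["UserName"], e["ParticipantName"])
        bucket = seen[key]
        bucket.append(e["time"])
        cutoff = e["time"] - window
        while bucket and bucket[0] <= cutoff:    # drop timestamps that fell out of the window
            bucket.pop(0)
        e["Mod"] = len(bucket)
    return events


def per_user_thresholds(events, sigma=SIGMA):
    """eventstats avg(Mod) AS avg stdev(Mod) AS stdev BY UserName -> avg + sigma*stdev."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["UserName"]].append(e["Mod"])
    thresholds = {}
    for user, mods in by_user.items():
        # Assumption: Splunk's stdev() is the sample standard deviation, like statistics.stdev.
        sd = stdev(mods) if len(mods) > 1 else 0.0
        thresholds[user] = mean(mods) + sigma * sd
    return thresholds


def abnormal_users(events, sigma=SIGMA):
    """where Mod > avg+(sigma*stdev) | stats values(EventName) AS actions count BY UserName | sort - count"""
    thresholds = per_user_thresholds(events, sigma)
    report = defaultdict(lambda: {"actions": set(), "count": 0})
    for e in events:
        if e["Mod"] > thresholds[e["UserName"]]:
            report[e["UserName"]]["actions"].add(e["EventName"])
            report[e["UserName"]]["count"] += 1
    rows = [{"user": u, "actions": sorted(r["actions"]), "count": r["count"]}
            for u, r in report.items()]
    return sorted(rows, key=lambda r: -r["count"])


def run(lines=None):
    """Full pipeline over the constructed sample log (or any iterable of log lines)."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    return abnormal_users(window_counts(parse(lines)))


if __name__ == "__main__":
    for row in run():
        print(row)
```

With the constructed data, asmith's four modifications ten minutes apart give a constant Mod of 1, so the threshold is exactly 1 and nothing is flagged; jdoe's burst of six modifications in 75 seconds yields Mod values 1 through 6 against a per-user threshold of about 4.95, so only the last two events exceed it and jdoe is reported with count 2. The Login line and the line with an empty ParticipantName are dropped by the base search, as they would be in Splunk.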