ISO 27789:2021 establishes a common framework for audit trails in electronic health records (EHR), specifying the audit trigger events, audit data content, and secure management requirements necessary to keep personal health information auditable across information systems and organizational domains. Developed by ISO/TC 215 (Health Informatics) in collaboration with CEN/TC 251, this second edition harmonizes the audit record format with DICOM and updates the guidance to reflect contemporary interoperability requirements.
The standard defines a comprehensive set of trigger events that must generate audit records. These fall into two primary categories: access events (read, create, update, delete, archive) and query events (database searches, report generation). Each audit record follows a rigorous structure containing five core data groups: event identification, user identification, access point identification, audit source identification, and participant object identification.
| Data Group | Key Elements | Purpose |
|---|---|---|
| Event Identification | Event ID, action code, date/time, outcome indicator, event type code | Identifies what happened and when |
| User Identification | User ID, alternative ID, user name, role ID, purpose of use | Identifies who performed the action |
| Access Point Identification | Network access point type, network access point ID | Identifies from where the action originated |
| Audit Source Identification | Enterprise site ID, audit source ID, source type code | Identifies which system generated the record |
| Participant Object Identification | Object type, role, ID type, sensitivity, lifecycle event | Identifies which record(s) were affected |
The event action code uses the IETF RFC 3881 framework, distinguishing between Create (C), Read (R), Update (U), Delete (D), and Execute (E) operations. The event outcome indicator captures success (0), minor failure (4), serious failure (8), or major failure (12).
A key innovation in ISO 27789 is its explicit support for audit trails that span organizational boundaries. The participant object identification includes a “participant object Permission PolicySet” field that references the governing access policy, allowing audit records from different domains to be interpreted correctly within their respective policy contexts.
The standard also addresses patient identification sensitivity. Each EHR segment may carry a sensitivity designation reflecting the potential harm from unauthorized disclosure, ranging from routine clinical data to highly sensitive information such as mental health records, HIV status, or genetic information.
ISO 27789 dedicates substantial attention to the security of the audit system itself. Key requirements include:
| Security Requirement | Implementation Guidance |
|---|---|
| Availability | Redundant audit servers, backup power, regular backup cycles; audit system must continue functioning even if the primary EHR system fails |
| Integrity | Write-once-read-many (WORM) storage, cryptographic hashing of audit records, digital signatures on audit log batches |
| Confidentiality | Access controls on audit data, encryption of audit records containing identifiers, role-based access to audit review tools |
| Retention | Audit records retained per jurisdictional requirements (typically 5-30 years); active vs. archived storage with different access policies |
| Separation of Duties | Administrators who manage the EHR system should not have unrestricted access to audit logs; independent audit review function recommended |
The audit record schema in ISO 27789 follows a structured data model designed for machine-readable processing and cross-system interoperability. Each audit record is composed of five mandatory data groups with optional sub-elements that allow implementation-specific extensions without breaking compatibility. The event identification data group uses a two-level coding scheme: the top-level event action code (C, R, U, D, E) combined with an event type code that provides domain-specific context.
The standard defines event type codes covering the full lifecycle of health information management, including patient record creation (code 110100), patient record amendment (code 110101), patient record query (code 110120), patient identifier merge (code 110130), and consent directive management (code 110150). For privacy auditing, the “purpose of use” field within the user identification data group is mapped to the IETF RFC 3881 value set covering direct care, emergency treatment, population health, quality improvement, research, and administrative purposes.
The participant object identification data group is the most structurally complex component of the audit record, supporting nested object references for hierarchical health information structures. A single clinical interaction may involve multiple participant objects: the patient record itself, individual document sections, referenced laboratory results, and attached images. Each participant object carries its own sensitivity designation, allowing fine-grained audit of access to particularly sensitive sub-components of the health record.
ISO 27789 is designed to integrate with established healthcare interoperability frameworks. The audit record format is harmonised with the DICOM audit message format, which means that Picture Archiving and Communication Systems (PACS) and Radiology Information Systems (RIS) can generate audit records that are structurally identical to those from EHR systems. This harmonisation is formalised through the IHE Audit Trail and Node Authentication (ATNA) profile, which references ISO 27789 as the normative specification for audit record content.
For health information exchanges (HIEs) and regional health information organisations (RHIOs), the cross-domain audit capability defined in Annex A of the standard provides a mechanism for maintaining end-to-end audit visibility when patient records are accessed across organisational boundaries. Each participating organisation maintains its own audit repository, but the standardised audit record format allows centralised audit review tools to aggregate and correlate audit events from multiple sources using the patient identifier and enterprise site ID as correlation keys.
The standard also addresses the emerging requirements for patient-accessible audit logs mandated by regulations such as the GDPR (right of access, Article 15) and the 21st Century Cures Act Information Blocking provisions. Patients must be able to request and receive a list of all accesses to their health record within a specified time period. ISO 27789-compliant audit systems can generate these patient-facing audit reports directly from the structured audit data, with appropriate filtering to remove security-related operational data that is not relevant to the patient.
Beyond basic logging, ISO 27789 provides the data foundation for advanced security analytics in healthcare environments. By capturing the purpose of use, access point identification, and user role for every audit event, the audit trail enables behavioural analysis to detect anomalous access patterns. For example, a clinician accessing patient records outside their normal working hours, from an unusual network location, or querying records of patients not in their assigned care team would generate events that can be flagged for review.
The outcome indicator field (success, minor failure, serious failure, major failure) enables automated monitoring of system health and attempted security violations. A cluster of serious or major failures from a single access point may indicate a brute-force attack on the EHR system. The audit source identification field ensures that attacks targeting specific sub-systems (laboratory information system, pharmacy system, or radiology system) can be correlated even when the attacker moves laterally across the network.
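As an added illustration, not code from the standard or from any vendor implementation, the following Python builds constructed audit records shaped after the five data groups described earlier and runs the two checks this section describes: clustering serious/major failures by access point across audit sources, and flagging successful reads outside working hours. The record layout, the thresholds, the working-hours window and every sample value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed records shaped after the five ISO 27789 / RFC 3881 data groups:
# event, user, access point, audit source, participant object. Outcome codes:
# 0 success, 4 minor failure, 8 serious failure, 12 major failure.
def rec(time, action, outcome, user, role, ap, src, obj):
    return {"event": {"action": action, "time": datetime.fromisoformat(time), "outcome": outcome},
            "user": {"id": user, "role": role},
            "access_point": {"type": "IP", "id": ap},
            "source": {"site": "hospital-a", "id": src},
            "object": {"type": "patient_record", "id": obj}}

SAMPLE = [  # constructed sample data; Execute (E) failures stand for failed log-ins
    rec("2024-03-04T09:12:00", "R", 0, "dr.lee", "clinician", "10.0.5.21", "ehr-core", "P-1001"),
    rec("2024-03-04T02:40:00", "R", 0, "dr.lee", "clinician", "203.0.113.9", "ehr-core", "P-1002"),
    rec("2024-03-04T11:00:01", "E", 8, "unknown", "", "198.51.100.7", "lab-system", "-"),
    rec("2024-03-04T11:00:04", "E", 12, "unknown", "", "198.51.100.7", "lab-system", "-"),
    rec("2024-03-04T11:00:09", "E", 8, "unknown", "", "198.51.100.7", "pharmacy", "-"),
    rec("2024-03-04T11:30:00", "E", 4, "nurse.k", "nurse", "10.0.5.40", "ehr-core", "-"),
]

def failure_clusters(records, threshold=3, window=timedelta(minutes=10)):
    """Access points with >= threshold serious/major failures (outcome >= 8) inside
    a sliding window; grouping by access point rather than audit source is what
    correlates attempts spread across the lab, pharmacy and EHR sub-systems."""
    by_ap = defaultdict(list)
    for r in records:
        if r["event"]["outcome"] >= 8:
            by_ap[r["access_point"]["id"]].append(r["event"]["time"])
    flagged = {}
    for ap, times in by_ap.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                flagged[ap] = n
                break
    return flagged

def after_hours_reads(records, start_hour=7, end_hour=19):
    """Successful reads outside the working window: (user, access point, time)."""
    return [(r["user"]["id"], r["access_point"]["id"], r["event"]["time"].isoformat())
            for r in records
            if r["event"]["action"] == "R" and r["event"]["outcome"] == 0
            and not (start_hour <= r["event"]["time"].hour < end_hour)]

if __name__ == "__main__":
    print(failure_clusters(SAMPLE))   # {'198.51.100.7': 3}
    print(after_hours_reads(SAMPLE))  # [('dr.lee', '203.0.113.9', '2024-03-04T02:40:00')]
```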
For compliance officers and security architects, the standard’s requirements for separation of duties in audit management are particularly important. The audit system administrator role must be distinct from the EHR system administrator role, preventing a compromised administrator from concealing their actions by altering the audit trail. Cryptographic hashing of audit records at creation time, with periodic hash chain verification, provides tamper-evident protection that satisfies evidentiary standards for legal proceedings.
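As an added example, not the standard's own mechanism or any product's code, this Python hash chain shows the tamper evidence described above: each entry's hash commits to the canonical record and the previous entry's hash, and verification reports the first broken entry. The `anchor` argument is an assumed out-of-band copy of the head hash (for instance one recorded at each periodic verification run) used to catch truncation of the tail, which chain-internal checks alone cannot see; the record contents are constructed samples.

```python
import hashlib
import json
# Each entry's hash covers the canonical record plus the previous hash, so editing,
# deleting or reordering an earlier record breaks every later hash; a head hash
# kept outside the log (the anchor) additionally detects truncation of the tail.
GENESIS = "0" * 64

def record_hash(prev_hash, record):
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode()).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": record_hash(prev, record)})
    return chain

def verify(chain, anchor=None):
    """Return (ok, index): index is the first bad entry, len(chain) if the tail
    no longer matches the stored anchor, or None when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != record_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None

def build_sample_chain():
    chain = []
    for record in [  # constructed sample records
        {"event": {"action": "R", "outcome": 0}, "user": "dr.lee", "object": "P-1001"},
        {"event": {"action": "U", "outcome": 0}, "user": "admin.x", "object": "P-1001"},
        {"event": {"action": "D", "outcome": 0}, "user": "admin.x", "object": "P-1001"},
    ]:
        append(chain, record)
    return chain

def tamper_demo():
    """An administrator rewrites who updated the record; verification pinpoints it."""
    chain = build_sample_chain()
    chain[1]["record"]["user"] = "dr.lee"
    return verify(chain)

def truncation_demo():
    """Dropping the last entry passes the internal check but fails against the anchor."""
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]
    del chain[-1]
    return verify(chain), verify(chain, anchor)
```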