jackiebarnes
commented
5 years ago The following spec item documents what should be audited for the requesting system:
The wording includes: Provider systems SHALL ensure that all additions, amendments or logical deletions to administrative and clinical data made via an API is clearly identified with information regarding the provenance of the data (such as timestamp, details of consumer system, details of user (including role)), so it is clear which information has been generated through an API rather than through the provider system itself.
Consumer sys required to send JWT payload which includes "requesting_device - Device details and/or system url making the request"
Population of requesting_device = Where the request originates from a system, the Spine endpoint URL of the originating system SHALL be specified using the URL element.
The code examples include the 'Software Name' and Version
In conclusion, seems that spec only mandates the sending of the Spine endpoint URL of the consumer system, and the Provider recording in audit trail the 'details of the consumer system'
This forms part of a wider IG exercise that after discussing with Jackie Barnes that may need to be undertaken.
There are audit and provenance ‘requirements’ that are listed on the Cross organisation audit and provenance page (https://nhsconnect.github.io/gpconnect/integration_cross_organisation_audit_and_provenance.html) that need to be reviewed to see whether and if so how they can actually be met in a GPConnect context.
An example is : One particular audit test checks that the Provider system logs the consumers Product, Version and EndPoint location in the audit trail.
This requirement links back to GP-IM-3.1-5 listed in the attached IM requirements document which Providers (and Consumers) are expected to adhere to.