Audit Logging Configuration

Best for: Practices subject to strict audit requirements (e.g., HIPAA) or those requiring detailed forensic data in the event of an incident.

Configuring Logging Level

Audit logging is configured globally via the Dermi Atlas Manager desktop application.

To change the logging level:

1. Open Dermi Atlas Manager on the host computer.
2. Navigate to Options > Advanced.
3. Locate the Activity Logging Level setting.
4. Select Essential or Full.
5. Apply the configuration.

Note: Changes to logging levels apply to future events only. Previously recorded logs retain their original detail.

Audit Log Structure

Audit logs are stored in the local database. Each entry typically contains:

• Timestamp: Exact date and time of the event.
• Actor: The account that performed the action.
• Operation Type: The specific operation (e.g., View, Create, Login, Enable 2FA).
• Resource Type: The type of object affected (e.g., patient, entry, image, account).
• Context: Reference to the affected resource or related entity.
• Metadata: Optional additional context (e.g., IP address, device information).
• Operation Data: Details of the change, including before and after states where applicable.

Accessing Audit Data

For Individual Users

Users can view their own security history to verify their account integrity:

1. Sign in to Dermi Atlas Professional.
2. Navigate to Options > Account.
3. Select Activity Logs.

For Patient History

Clinical actions related to a specific patient are viewable within the patient record:

1. Open the specific Patient Record.
2. Navigate to the Details > View Logs.
3. This view filters logs to show consent changes, image uploads, and access events relevant to that patient.

System-Wide Data

For comprehensive audits or incident response, administrators rely on the system database. Since audit logs are stored locally, they are included in all System Backups generated by Dermi Atlas Manager.

Retention and Deletion Handling

When a user or patient record is deleted, associated audit log entries are retained for 10 years (120 months) by default to satisfy both US (HIPAA) and Canadian (PHIPA/CPSO) compliance requirements. Records involving minors may require extended retention under applicable provincial or state law.

Configuring Retention Period

Administrators can configure the retention period through Dermi Atlas Manager:

1. Open Dermi Atlas Manager on the host computer.
2. Navigate to the Preferences page.
3. Locate the Data Retention Period section.
4. Enter the desired retention period (valid range: 1 to 600 months).
5. Click Save to apply the changes.

Important: Changes to the retention period apply only to records deleted after the setting is saved. Previously deleted records retain the retention period that was in effect at the time of their deletion.

For manual cleanup of records before their scheduled expiration, see Configuring Data Retention for Deleted Records.

User Deletion Levels

• Soft: Retains the user's identifier in historical logs for traceability.
• Regular: Standard cleanup; balances privacy with record integrity.
• Full: Removes user references from audit logs (may impact audit trail completeness).

Patient Deletion Levels

• Soft: Retains references to the patient ID in logs, even after the medical record is deleted.
• Regular: Standard cleanup.
• Full: Complete removal of patient references from logs.

Recommendation: For strict compliance environments, "Soft" or "Regular" deletion is often preferred to maintain a historical record of access, even after data is deleted.

Best Practices

1. Regular Reviews: Establish a schedule to review access logs for unusual activity, such as access during non-business hours or repeated failed login attempts.
2. Backup Security: Because audit logs are contained within system backups, ensure your backups are stored securely to preserve the integrity of your audit trails.
3. Capacity Planning: "Full" logging generates more data. Monitor your host computer's storage space to ensure sufficient capacity.