Common use of Audit Capabilities Clause in Contracts

Audit Capabilities. ‌ Auditing and logging capabilities will permit HCA to identify, and possibly reverse, unauthorized or unintended changes to application. County of Orange Health Care Agency Page 41 MA-042-17011367 • Application must support the identification of the nature of each access and/or modification through the use of logging. • Application must employ audit capabilities to sufficiently track details that can establish accountability for each step or task taken in a clinical or operational process. • All audit logs must be protected from human alteration. • Access to logs must be limited to authorized users. • The application must employ basic query tools and reports to easily search logs. • OCHCA record retention policies must be followed. Currently OCHCA requires that this period be at least six years from the time the record was initiated. • Logging and auditing functionality must include the following: ♦ Record of who did what to which object, when and on which system. ♦ Successful/unsuccessful log-in and log-out of users. ♦ Add, modify and delete actions on data/files/objects. ♦ Read/view actions on data classified as restricted/confidential. ♦ Changes to user accounts or privileges (creation, modification, deletion). ♦ Switching to another users access or privileges after logging in (if applicable).

Audit Capabilities. ‌ Auditing and logging capabilities will permit HCA to identify, and possibly reverse, unauthorized or unintended changes to application. County of Orange Health Care Agency Page 41 MA-042-17011367 • Application must support the identification of the nature of each access and/or County of Orange MA-042-20012181 modification through the use of logging. • Application must employ audit capabilities to sufficiently track details that can establish accountability for each step or task taken in a clinical or operational process. • All audit logs must be protected from human alteration. • Access to logs must be limited to authorized users. • The application must employ basic query tools and reports to easily search logs. • OCHCA record retention policies must be followed. Currently OCHCA requires that this period be at least six years from the time the record was initiated. • Logging and auditing functionality must include the following: ♦ ◆ Record of who did what to which object, when and on which system. ♦ ◆ Successful/unsuccessful log-in and log-out of users. ♦ ◆ Add, modify and delete actions on data/files/objects. ♦ ◆ Read/view actions on data classified as restricted/confidential. ♦ ◆ Changes to user accounts or privileges (creation, modification, deletion). ♦ ◆ Switching to another users access or privileges after logging in (if applicable).

Audit Capabilities. ‌ Auditing and logging capabilities will permit HCA to identify, and possibly reverse, unauthorized County of Orange Page 43 of 53 MA-042-19011809 Health Care Agency File Folder No. C018820 or unintended changes to application. County of Orange Health Care Agency Page 41 MA-042-17011367 • Application must support the identification of the nature of each access and/or modification through the use of logging. • Application must employ audit capabilities to sufficiently track details that can establish accountability for each step or task taken in a clinical or operational process. • All audit logs must be protected from human alteration. • Access to logs must be limited to authorized users. • The application must employ basic query tools and reports to easily search logs. • OCHCA record retention policies must be followed. Currently OCHCA requires that this period be at least six years from the time the record was initiated. • Logging and auditing functionality must include the following: ♦ Record of who did what to which object, when and on which system. ♦ Successful/unsuccessful log-in and log-out of users. ♦ Add, modify and delete actions on data/files/objects. ♦ Read/view actions on data classified as restricted/confidential. ♦ Changes to user accounts or privileges (creation, modification, deletion). ♦ Switching to another users access or privileges after logging in (if applicable).