A.5.3.11 Security Alert

This message describes any event for which a node needs to report a security alert, e.g., a node authentication failure when establishing a secure communications channel.

Note: The Node Authentication event can be used to report both successes and failures. If reporting of success is done, this could generate a very large number of audit messages, since every authenticated DICOM association, HL7 transaction, and HTML connection should result in a successful node authentication. It is expected that in most situations only the failures will be reported.

Table A.5.3.11-1 Audit Message for Security Alert

| Real World Entities | Field Name | Opt. | Value Constraints |
|---|---|---|---|
| Event | EventID | M | EV (110113, DCM, “Security Alert”) |
| | EventActionCode | M | Shall be: E = Execute |
| | EventDateTime | M | not specialized |
| | EventOutcomeIndicator | M | Success implies an informative alert. The other failure values imply warning codes that indicate the severity of the alert. A Minor or Serious failure indicates that mitigation efforts were effective in maintaining system security. A Major failure indicates that mitigation efforts may not have been effective, and that the security system may have been compromised. |
| | EventTypeCode | M | Values selected from DCID (403) |
| Active Participant: Reporting Person and/or Process (1..2) | UserID | M | not specialized |
| | AlternativeUserID | U | not specialized |
| | UserName | U | not specialized |
| | UserIsRequestor | M | not specialized |
| | RoleIDCode | U | not specialized |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |
| Active Participant: Performing Persons or Processes (0..N) | UserID | M | not specialized |
| | AlternativeUserID | U | not specialized |
| | UserName | U | not specialized |
| | UserIsRequestor | M | Shall be FALSE |
| | RoleIDCode | U | not specialized |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |
| Participating Object: Alert Subject (0..N) | ParticipantObjectTypeCode | M | Shall be: 2 = system |
| | ParticipantObjectTypeCodeRole | U | Defined Terms: 5 = master file; 13 = security resource |
| | ParticipantObjectDataLifeCycle | U | not specialized |
| | ParticipantObjectIDTypeCode | M | Defined Terms: 12 = URI; (110182, DCM, “Node ID”) = Node Identifier |
| | ParticipantObjectSensitivity | U | not specialized |
| | ParticipantObjectID | M | For a ParticipantObjectIDTypeCode of 12 (URI), then this value shall be the URI of the file or other resource that is the subject of the alert. For a ParticipantObjectIDTypeCode of (110182, DCM, “Node ID”) then the value shall include the identity of the node that is the subject of the alert either in the form of node_name@domain_name or as an IP address. Otherwise, the value shall be an identifier of the type specified by ParticipantObjectIDTypeCode of the subject of the alert. |
| | ParticipantObjectName | U | not specialized |
| | ParticipantObjectQuery | U | not specialized |
| | ParticipantObjectDetail | M | An element with the Attribute “type” equal to “Alert Description” shall be present with a free text description of the nature of the alert as the value |
| | ParticipantObjectDescription | U | not specialized |
| | SOPClass | U | See Table A.5.2-1 |
| | Accession | U | not specialized |
| | NumberOfInstances | U | not specialized |
| | Instances | U | not specialized |
| | Encrypted | U | not specialized |
| | Anonymized | U | not specialized |
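
The following checker is an added example, not part of the standard text: it tests a received audit message against the mandatory fields and fixed values of Table A.5.3.11-1, as an audit repository might before indexing alerts. It assumes the DICOM audit message XML layout (coded values carried in csd-code / codeSystemName attributes); the sample messages, node names and the EventTypeCode placeholder are constructed.

```python
import xml.etree.ElementTree as ET

def check_security_alert(xml_text):
    # Returns the list of Table A.5.3.11-1 violations; an empty list means conformant.
    root, errs = ET.fromstring(xml_text), []
    ev = root.find("EventIdentification")
    if ev is None:
        return ["EventIdentification missing"]
    eid = ev.find("EventID")
    if eid is None or (eid.get("csd-code"), eid.get("codeSystemName")) != ("110113", "DCM"):
        errs.append("EventID must be (110113, DCM)")
    if ev.get("EventActionCode") != "E":
        errs.append("EventActionCode must be E")
    for attr in ("EventDateTime", "EventOutcomeIndicator"):
        if not ev.get(attr):
            errs.append(attr + " is mandatory")
    if ev.find("EventTypeCode") is None:
        errs.append("EventTypeCode is mandatory")
    parts = root.findall("ActiveParticipant")
    if not parts:
        errs.append("at least one reporting ActiveParticipant is required")
    for p in parts:
        if not p.get("UserID") or p.get("UserIsRequestor") not in ("true", "false", "1", "0"):
            errs.append("ActiveParticipant needs UserID and UserIsRequestor")
    # Performing participants must be FALSE, so only the 1..2 reporters may be true.
    if sum(p.get("UserIsRequestor") in ("true", "1") for p in parts) > 2:
        errs.append("more than two participants have UserIsRequestor=true")
    for obj in root.findall("ParticipantObjectIdentification"):
        if obj.get("ParticipantObjectTypeCode") != "2":
            errs.append("ParticipantObjectTypeCode must be 2 (system)")
        if not obj.get("ParticipantObjectID") or obj.find("ParticipantObjectIDTypeCode") is None:
            errs.append("ParticipantObjectID and ParticipantObjectIDTypeCode are mandatory")
        if not any(d.get("type") == "Alert Description" for d in obj.findall("ParticipantObjectDetail")):
            errs.append("ParticipantObjectDetail 'Alert Description' missing")
    return errs

# Constructed samples: GOOD is a minor-failure alert about a node; BAD breaks two constraints.
GOOD = """<AuditMessage>
 <EventIdentification EventActionCode="E" EventDateTime="2024-01-01T00:00:00Z" EventOutcomeIndicator="4">
  <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
  <EventTypeCode csd-code="PLACEHOLDER" codeSystemName="DCM"/>
 </EventIdentification>
 <ActiveParticipant UserID="pacs1@example.org" UserIsRequestor="true"/>
 <ParticipantObjectIdentification ParticipantObjectID="192.0.2.10" ParticipantObjectTypeCode="2">
  <ParticipantObjectIDTypeCode csd-code="110182" codeSystemName="DCM" originalText="Node ID"/>
  <ParticipantObjectDetail type="Alert Description" value="VExTIGhhbmRzaGFrZSBmYWlsZWQ="/>
 </ParticipantObjectIdentification>
</AuditMessage>"""
BAD = GOOD.replace('EventActionCode="E"', 'EventActionCode="R"').replace('type="Alert Description"', 'type="Note"')
if __name__ == "__main__": print(check_security_alert(BAD))
```

The check is structural only: it does not confirm that EventTypeCode is a member of DCID (403) or that the reporting node is who it claims to be.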