A.5.3 DICOM specific audit messages

The following subsections define message specializations for use by implementations that claim conformance to the DICOM Audit Trail Profile. Any field (i.e., XML element and associated attributes) not specifically mentioned in the following tables shall follow the conventions specified in A.5.1 and A.5.2.

An implementation claiming conformance to this Profile that reports an activity covered by one of the audit messages defined by this Profile shall use the message format defined in this Profile. However, a system claiming conformance to this Profile is not required to send a message each time the activity reported by that audit message occurs. It is expected that the triggering of audit messages would be configurable on an individual basis, to be able to balance network load versus the severity of threats, in accordance with local security policies.

Notes: 1. It is a system design issue outside the scope of DICOM as to what entity actually sends an audit event and when. For example, a Query message could be generated by the entity where the query originated, by the entity that eventually would respond to the query, or by a monitoring entity not directly involved with the query, but that generates audit messages based on monitored network traffic.

2. To report events that are similar to the events described here, these definitions can be used as the basis for extending the schema.

In the subsequent tables, the information entity column indicates the relationship between real world entities and the information elements encoded into the message.

A.5.3.1 Application Activity

This audit message describes the event of an Application Entity starting or stopping. This is closely related to the more general case of any kind of application startup or shutdown, and may be suitable for those purposes also.

Table A.5.3.1 – 1 Application Activity Message

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110100, DCM,”Application Activity”)
EventActionCode M Enumerated Value E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode M DT (110120, DCM, “Application Start”) DT (110121, DCM, “Application Stop”)

Active Participant: Application started (1) UserID M The identity of the process started or stopped formatted as specified in A.5.2.1.
AlternativeUserID MC If the process supports DICOM, then the AE Titles as specified in A.5.2.2.
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110150, DCM, “Application”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: Persons and or processes that started the Application (0..N) UserID M The person or process starting or stopping the Application
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110151, DCM, “Application Launcher”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

No Participant Objects are needed for this message.

A.5.3.2 Audit Log Used

This message describes the event of a person or process reading a log of audit trail information.

Note: For example, an implementation that maintains a local cache of audit information that has not been transferred to a central collection point might generate this message if its local cache were accessed by a user.

Table A.5.3.2-1 Audit Log Used Message

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110101, DCM, “Audit Log Used”)
EventActionCode M Shall be enumerated value: R = read
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized
Active Participant: Persons and or processes that started the Application (1..2) UserID M The person or process accessing the audit trail. If both are known, then two active participants shall be included (both the person and the process).
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Participating Object: Identity of the audit log (1) ` ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 13 = security resource
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 12 = URI
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The URI of the audit log
ParticipantObjectName U Shall be: “Security Audit Log”
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized
SOPClass U See A.5.2
Accession U See A.5.2
NumberOfInstances U See A.5.2
Instances U See A.5.2
Encrypted U See A.5.2
Anonymized U See A.5.2
ParticipantObjectContainsStudy U See A.5.2

A.5.3.3 Begin Transferring DICOM Instances

This message describes the event of a system beginning to transfer a set of DICOM instances from one node to another node within control of the system’s security domain. This message may only include information about a single patient.

Note: A separate Instances Transferred message is defined for transfer completion, allowing comparison of what was intended to be sent and what was actually sent.

Table A.5.3.3 – 1 Audit Message for Begin Transferring DICOM Instances

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110102, DCM, “Begin Transferring DICOM Instances”)
EventActionCode M Shall be: E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Active Participant: Process Sending the Data (1) UserID M The identity of the process sending the data.
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110153, DCM, “Source Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: Process receiving the data (1) UserID M The identity of the process receiving the data.
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110152, DCM, “Destination Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Active Participant: Other Participants (0..N) UserID M The identity of any other participants that might be involved and known, especially third parties that are the requestor
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Participating Object: Studies being transferred (1..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U Element "ContainsSOPClass" with one or more SOP Class UID values
ParticipantObjectDescription U not specialized
SOPClass MC not specialized
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patient (1) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.4 Data Export

This message describes the event of exporting data from a system, meaning that the data is leaving control of the system’s security domain. Examples of exporting include printing to paper, recording on film, conversion to another format for storage in an EHR, writing to removable media, or sending via e-mail. Multiple patients may be described in one event message.

A single user (either local or remote) shall be identified as the requestor, i.e., UserIsRequestor with a value of TRUE. This accommodates both push and pull transfer models for media.

Table A.5.3.4-1 Audit Message for Data Export

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110106, DCM, “Export”)
EventActionCode M Shall be: R = Read
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized
Participating Object: Remote Users and Processes (0..n) UserID M The identity of the remote user or process receiving the data
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M See Section A.5.3.4.1
RoleIDCode M EV (110152, DCM, “Destination Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Participating Object: User or Process Exporting the data(1..2) UserID M The identity of the local user or process exporting the data. If both are known, then two active participants shall be included (both the person and the process).
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M See Section A.5.3.4.1
RoleIDCode M EV (110153, DCM, “Source Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: Media (1) UserID M See Section A.5.2.3
AlternativeUserID U See Section A.5.2.4
UserName U not specialized
UserIsRequestor M Shall be FALSE
RoleIDCode M EV (110154, DCM, “Destination Media”)
NetworkAccessPointTypeCode MC Required if being exported to other than physical media, e.g. to a network destination rather than to film, paper or CD. May be present otherwise.
NetworkAccessPointID MC Required if Net Access Point Type Code is present. May be present otherwise.
MediaIdentifier MC Volume ID, URI, or other identifier for media. Required if digital media. May be present otherwise.
MediaType M Values selected from DCID (405)
Participating Object: Studies (0..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized
SOPClass MC See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patients (1..N) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.5 Data Import

This message describes the event of importing data into an organization, implying that the data now entering the system was not under the control of the security domain of this organization. Transfer by media within an organization is often considered a data transfer rather than a data import event. An example of importing is creating new local instances from data on removable media. Multiple patients may be described in one event message.

A single user (either local or remote) shall be identified as the requestor, i.e., UserIsRequestor with a value of TRUE. This accommodates both push and pull transfer models for media.

Table A.5.3.5-1 Audit Message for Data Import

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110107, DCM, “Import”)
EventActionCode M Shall be: C = Create
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Participating Object: User or Process Importing the data (1..n) UserID M The identity of the local user or process importing the data.
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M See Section A.5.3.5
RoleIDCode M EV (110152, DCM, “Destination Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: Source Media (1) UserID M See Section A.5.2.3
AlternativeUserID U See Section A.5.2.4
UserName U not specialized
UserIsRequestor M Shall be FALSE
RoleIDCode M EV (110155, DCM, “Source Media”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID MC Shall be present if Net Access Point Type Code is present. Shall use fields as specified in RFC 3881.
MediaIdentifier M Volume ID, URI, or other identifier for media
MediaType M Values selected from DCID (405)

Active Participant: Source (0..n) UserID M See Section A.5.2.3
AlternativeUserID U See Section A.5.2.4
UserName U not specialized
UserIsRequestor M See Section A.5.3.5
RoleIDCode M EV (110153, DCM, “Source Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID MC Shall be present if Net Access Point Type Code is present.

Participating Object: Studies (0..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U Not specialized
ParticipantObjectDescription U not specialized
SOPClass MC See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patients (1..N) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.6 DICOM Instances Accessed

This message describes the event of DICOM SOP Instances being viewed, utilized, updated, or deleted. This message shall only include information about a single patient and can be used to summarize all activity for several studies for that patient. This message records the studies to which the instances belong, not the individual instances.

If all instances within a study are deleted, then the EV(110105, DCM, “DICOM Study Deleted”) event shall be used, see A.5.3.8.

Table A.5.3.6-1 Audit Message for DICOM Instances Accessed

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110103, DCM, “DICOM Instances Accessed”)
EventActionCode M Enumerated value: C = create R = read U = update D = delete
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Active Participant: Person and or Process manipulating the data (1..2) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Participating Object: Studies (1..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U Not specialized
ParticipantObjectDescription U Not specialized
SOPClass MC See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patient (1) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.7 DICOM Instances Transferred

This message describes the event of the completion of transferring DICOM SOP Instances between two Application Entities. This message may only include information about a single patient.

Note: This message may have been preceded by a Begin Transferring Instances message. The Begin Transferring Instances message conveys the intent to store SOP Instances, while the Instances Transferred message records the completion of the transfer. Any disagreement between the two messages might indicate a potential security breach.

Table A.5.3.7-1 Audit Message for DICOM Instances Transferred

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110104, DCM, “DICOM Instances Transferred”)
EventActionCode M Enumerated Value: C = (create) if the receiver did not hold copies of the instances transferred R = (read) if the receiver already holds copies of the SOP Instances transferred, and has determined that no changes are needed to the copies held. U = (update) if the receiver is altering its held copies to reconcile differences between the held copies and the received copies. If the Audit Source is either not the receiver, or otherwise does not know whether or not the instances previously were held by the receiving node, then use “R” = (Read).
EventDateTime M Shall be the time when the transfer has completed
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Active Participant: Process that sent the data (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110153, DCM, “Source Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: The process that received the data. (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110152, DCM, “Destination Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Active Participant: Other participants that are known, especially third parties that are the requestor (0..N) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Participating Object: Studies being transferred (1..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U Not specialized
ParticipantObjectDescription U Not specialized
SOPClass MC See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patient (1) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.8 DICOM Study Deleted

This message describes the event of deletion of one or more studies and all associated SOP Instances in a single action. This message shall only include information about a single patient.

Table A.5.3.8-1 Audit Message for DICOM Study Deleted

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110105, DCM, “DICOM Study Deleted”)
EventActionCode M Shall be: D = delete
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Active Participant: the person or process deleting the study (1..2) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Participating Object: Studies being transferred (1..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M EV (110180, DCM, “Study Instance UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The Study Instance UID
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U Not specialized
ParticipantObjectDescription U Not specialized
SOPClass MC See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized
Participating Object: Patient (1) ParticipantObjectTypeCode M Shall be: 1 = person
ParticipantObjectTypeCodeRole M Shall be: 1 = patient
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Shall be: 2 = patient ID
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M The patient ID
ParticipantObjectName U The patient name
ParticipantObjectQuery U not specialized
ParticipantObjectDetail U not specialized
ParticipantObjectDescription U not specialized

A.5.3.9 Network Entry

This message describes the event of a system, such as a mobile device, intentionally entering or leaving the network.

Note: The machine should attempt to send this message prior to detaching. If this is not possible, it should retain the message in a local buffer so that it can be sent later. The mobile machine can then capture audit messages in a local buffer while it is outside the secure domain. When it is reconnected to the secure domain, it can send the detach message (if buffered), followed by the buffered messages, followed by a mobile machine message for rejoining the secure domain. The timestamps on these messages is the time that the event was noticed to have occurred, not the time that the message is sent.

Table A.5.3.9-1 Audit Message for Network Entry

Real World Entities Field Name Opt. Value
Event EventID M EV (110108, DCM, ”Network Entry”)
EventActionCode M Shall be: E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode M EV (110124, DCM, “Attach”) EV (110125, DCM, “Detach”)

Active Participant: Node or System entering or leaving the network (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M Shall be FALSE
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

No Participant Objects are needed for this message.

A.5.3.10 Query

This message describes the event of a Query being issued or received. The message does not record the response to the query, but merely records the fact that a query was issued. For example, this would report queries using the DICOM SOP Classes:

  1. Modality Worklist

  2. General Purpose Worklist

  3. Composite Instance Query

Notes: 1. The response to a query may result in one or more Instances Transferred or Instances Accessed messages, depending on what events transpire after the query. If there were security-related failures, such as access violations, when processing a query, those failures should show up in other audit messages, such as a Security Alert message.2. Non-DICOM queries may also be captured by this message. The Participant Object ID Type Code, the Participant Object ID, and the Query fields may have values related to such non-DICOM queries.

Table A.5.3.10-1 Audit Message for Query

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110112, DCM, “Query”)
EventActionCode M Shall be: E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode U not specialized

Active Participant: Process Issuing the Query (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110153, DCM, “Source Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Active Participant: The process that will respond to the query (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode M EV (110152, DCM, “Destination Role ID”)
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Active Participant: Other Participants that are known, especially third parties that requested the query (0..N) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Participating Object: SOP Queried and the Query (1) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole M Shall be: 3 = report
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M DT (110181, DCM, “SOP Class UID”)
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M If the ParticipantObjectIDTypeCode is (110181, DCM, “SOP Class UID”), then this field shall hold the UID of the SOP Class being queried
ParticipantObjectName U not specialized
ParticipantObjectQuery M If the ParticipantObjectIDTypeCode is (110181, DCM, “SOP Class UID”), then this field shall hold the Dataset of the DICOM query, xs:base64Binary encoded. Otherwise, it shall be the query in the format of the protocol used.
ParticipantObjectDetail MC Required if the ParticipantObjectIDTypeCode is (110181, DCM, “SOP Class UID”) A ParticipantObjectDetail element with the XML attribute ”TransferSyntax” shall be present. The value of the Transfer Syntax attribute shall be the UID of the transfer syntax of the query. The element contents shall be xs:base64Binary encoding. The Transfer Syntax shall be a DICOM Transfer Syntax.
ParticipantObjectDescription U not specialized
SOPClass U See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized

A.5.3.11 Security Alert

This message describes any event for which a node needs to report a security alert, e.g., a node authentication failure when establishing a secure communications channel.

Note: The Node Authentication event can be used to report both successes and failures. If reporting of success is done, this could generate a very large number of audit messages, since every authenticated DICOM association, HL7 transaction, and HTML connection should result in a successful node authentication. It is expected that in most situations only the failures will be reported.

Table A.5.3.11-1 Audit Message for Security Alert

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110113, DCM, ”Security Alert”)
EventActionCode M Shall be: E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M Success implies an informative alert. The other failure values imply warning codes that indicate the severity of the alert. A Minor or Serious failure indicates that mitigation efforts were effective in maintaining system security. A Major failure indicates that mitigation efforts may not have been effective, and that the security system may have been compromised.
EventTypeCode M Values selected from DCID( 403)

Active Participant: Reporting Person and/or Process (1..2) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized
Active Participant: Performing Persons or Processes (0..N) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M Shall be FALSE
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized

Participating Object: Alert Subject (0..N) ParticipantObjectTypeCode M Shall be: 2 = system
ParticipantObjectTypeCodeRole U Defined Terms: 5 = master file 13 = security resource
ParticipantObjectDataLifeCycle U not specialized
ParticipantObjectIDTypeCode M Defined Terms: 12 = URI (110182, DCM, “Node ID”) = Node Identifier
ParticipantObjectSensitivity U not specialized
ParticipantObjectID M For a ParticipantObjectIDTypeCode of 12 (URI), then this value shall be the URI of the file or other resource that is the subject of the alert. For a ParticipantObjectIDTypeCode of (110182, DCM, “Node ID”) then the value shall include the identity of the node that is the subject of the alert either in the form of node_name@domain_name or as an IP address. Otherwise, the value shall be an identifier of the type specified by ParticipantObjectIDTypeCode of the subject of the alert.
ParticipantObjectName U not specialized
ParticipantObjectQuery U not specialized
ParticipantObjectDetail M An element with the Attribute “type” equal to "Alert Description” shall be present with a free text description of the nature of the alert as the value
ParticipantObjectDescription U not specialized
SOPClass U See Table A.5.2-1
Accession U not specialized
NumberOfInstances U not specialized
Instances U not specialized
Encrypted U not specialized
Anonymized U not specialized

A.5.3.12 User Authentication

This message describes the event that a user has attempted to log on or log off. This report can be made regardless of whether the attempt was successful or not. No Participant Objects are needed for this message.

Note: The user usually has UserIsRequestor TRUE, but in the case of a logout timer, the Node might be the UserIsRequestor.

Table A.5.3.12-1 Audit Message for User Authentication

Real World Entities Field Name Opt. Value Constraints
Event EventID M EV (110114, DCM, ”User Authentication”)
EventActionCode M Shall be: E = Execute
EventDateTime M not specialized
EventOutcomeIndicator M not specialized
EventTypeCode M Defined Terms: EV (110122, DCM, “Login”) EV (110123, DCM, “Logout”)

Active Participant: Person Authenticated or claimed (1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode M not specialized
NetworkAccessPointID M not specialized
Active Participant: Node or System performing authentication (0..1) UserID M not specialized
AlternativeUserID U not specialized
UserName U not specialized
UserIsRequestor M not specialized
RoleIDCode U not specialized
NetworkAccessPointTypeCode U not specialized
NetworkAccessPointID U not specialized