DICOM PS3.15 2024c - Security and System Management Profiles

A.5.3.11 Security Alert

This message describes any event for which a node needs to report a security alert, e.g., a node authentication failure when establishing a secure communications channel.

Note

The Node Authentication event can be used to report both successes and failures. If reporting of success is done, this could generate a very large number of audit messages, since every authenticated DICOM association, HL7 transaction, and HTML connection should result in a successful node authentication. It is expected that in most situations only the failures will be reported.

Table A.5.3.11-1. Audit Message for Security Alert

Real World Entities

Field Name

Opt.

Value Constraints

Event

EventID

M

EV (110113, DCM, "Security Alert")

EventActionCode

M

Shall be: E = Execute

EventDateTime

M

not specialized

EventOutcomeIndicator

M

Success implies an informative alert. The other failure values imply warning codes that indicate the severity of the alert. A Minor or Serious failure indicates that mitigation efforts were effective in maintaining system security. A Major failure indicates that mitigation efforts may not have been effective, and that the security system may have been compromised.

EventTypeCode

M

Values selected from DCID 403 “Security Alert Type Code”.

Active Participant:

Reporting Person and/or Process (1..2)

UserID

M

not specialized

AlternativeUserID

U

not specialized

UserName

U

not specialized

UserIsRequestor

M

not specialized

RoleIDCode

U

not specialized

NetworkAccessPointTypeCode

U

not specialized

NetworkAccessPointID

U

not specialized

Active Participant:

Performing Persons or Processes (0..N)

UserID

M

not specialized

AlternativeUserID

U

not specialized

UserName

U

not specialized

UserIsRequestor

M

Shall be FALSE

RoleIDCode

U

not specialized

NetworkAccessPointTypeCode

U

not specialized

NetworkAccessPointID

U

not specialized

Participating Object:

Alert Subject (0..N)

ParticipantObjectTypeCode

M

Shall be: 2 = System Object

ParticipantObjectTypeCodeRole

U

Defined Terms:

5 = Master File

13 = Security Resource

ParticipantObjectDataLifeCycle

U

not specialized

ParticipantObjectIDTypeCode

M

Defined Terms:

12 = URI

DT (110182, DCM, "Node ID")

ParticipantObjectSensitivity

U

not specialized

ParticipantObjectID

M

For a ParticipantObjectIDTypeCode of 12 = URI, then this value shall be the URI of the file or other resource that is the subject of the alert.

For a ParticipantObjectIDTypeCode of (110182, DCM, "Node ID") then the value shall include the identity of the node that is the subject of the alert either in the form of node_name@domain_name or as an IP address.

Otherwise, the value shall be an identifier of the type specified by ParticipantObjectIDTypeCode of the subject of the alert.

ParticipantObjectName

U

not specialized

ParticipantObjectQuery

U

not specialized

ParticipantObjectDetail

M

An element with the Attribute "type" equal to "Alert Description" shall be present with a free text description of the nature of the alert as the value

ParticipantObjectDescription

U

not specialized

SOPClass

U

See Table A.5.2-1

Accession

U

not specialized

NumberOfInstances

U

not specialized

Instances

U

not specialized

Encrypted

U

not specialized

Anonymized

U

not specialized


DICOM PS3.15 2024c - Security and System Management Profiles