$TXT Created by ALVIN JR at MNTVBB.DOMAIN.EXT (KIDS) on Friday, 12/30/22 at 09:47
=============================================================================
Run Date: FEB 16, 2023                     Designation: DG*5.3*964
Package : DG - REGISTRATION                   Priority: Mandatory
Version : 5.3        SEQ #951                   Status: Released
                  Compliance Date: MAR 19, 2023
=============================================================================

Associated patches: (v)DG*5.3*699  <<= must be installed BEFORE `DG*5.3*964'
                    (v)DG*5.3*796  <<= must be installed BEFORE `DG*5.3*964'

Subject: VISTA AUDIT SOLUTION (VAS)

Category:
  - Routine
  - Enhancement (Mandatory)
  - Data Dictionary
  - Other

Description:
============

The Veterans Health Information System and Technology Architecture
(VistA) Audit Solution (VAS) is a real-time web-based interface that has
dependencies on VistA-ADT patient data. It provides a nationwide Health
Insurance Portability and Accountability Act (HIPAA) compliant Audit
Tracking Solution with the ability to track and report on access logs for
patient's Personally Identifiable Information (PII)/ Protected Health
Information (PHI) data across all VistA instances.

VAS end-users are Privacy Officers, Information Systems Security Officers
(ISSO) and their authorized representatives who need the ability to view
the log of Create, Read, Update and/or Delete (CRUD) operations on
patient information to respond to Freedom of Information Act (FOIA),
HIPAA, employee requests and Inspector General (IG) requests.

This data originates in VistA and flows through in-memory database
servers to be stored in the Veterans Affairs Enterprise Cloud (VAEC)
Amazon Web Services (AWS). The VAS web-based user interface (UI) will
access and display the data stored in AWS. The VAS application enhances
VistA's ability to respond to Freedom of Information Act (FOIA)
inquiries, ensuring that VistA can adequately account for each access to
veterans' data.

The VAS application leverages existing VistA audit functionality and the
standard patient lookup to send patient-related audit information to an
external archive via a Representational State Transfer (REST) Application
Programmer Interface (API) in a JSON (JavaScript Object Notation) format.
The audit records are Patient related records for which an inquiry,
update, create, or delete action occurred. Once the information is sent
to the external archive the temporary local record is deleted from the
outbound queue. Authorized VAS users may view the patient data that was
accessed and/or modified, as well as the individual who accessed or
modified the patient data.

The web server DG VAS WEB SERVER and web service DG VAS WEB SERVICE are
configured by a post-install routine. This routine creates entries in the
HealtheVet Web Services Client (HWSC) configuration files and configures
the server with the appropriate domain name and port based on the station
number of the facility where the patch is being installed. It may be
necessary to change the server name and/or port number for the production
connection. Refer to the DG*5.3*964 Deployment, Installation, Back-out,
and Rollback Guide (DIBRG) for instructions on the post installation
steps for setting the server and port.

Upon installation of the patch, the VAS STATUS field is set to "Don't
generate or send data". When set to this value, no audit data is queued
or sent to the VAS REST API. This can be confirmed in the VistA Audit
Solution (VAS) options Menu [DG VAS MENU]. A notification will be
provided to Regional IT support by the Health Information Governance
(HIG) office to update the VAS STATUS field when ready to begin
transferring data to the VAS server.

*************************************************************************
NOTE: When running the ^XINDEX routine, sites will encounter an XINDEX
Error after the installation of this patch.

Routine DGAUDIT uses the HealtheVet Web Services Client (HWSC) and calls
Cache Classes to write the JSON record to the web service, read the
response from the web service, and retrieve the error code if one exists.
A Department of Veterans Affairs Cache Programming Standards and
Conventions (SAC) Exemption request was granted on 02/14/2022, reference
number 20220214-01.
*************************************************************************

DGAUDIT   * *  335 Lines,  16156 Bytes, Checksum: B201189066
   S DGRESTOBJ.SSLCheckServerIdentity=0 ; Older versions of
     xobw.WebServer.cls don't set this value. Setting here to prevent
     Error #6156 during the POST below.
   RESTPOST+15  W - Vendor specific code is restricted.
   . D DGRESTOBJ.EntityBody.Write(DGJSON)
   RESTPOST+23  W - Vendor specific code is restricted.
   D DGRESTOBJ.EntityBody.Write("]")
   RESTPOST+24  W - Vendor specific code is restricted.
   F DGHEADER="Accept","ContentType" D DGRESTOBJ.SetHeader(DGHEADER,
     "application/json")
   RESTPOST+25  W - Vendor specific code is restricted.
   S DGHTTPRSP=DGRESTOBJ.HttpResponse
   RESTPOST+32  W - Vendor specific code is restricted.
   S DGOUTJSON=DGHTTPRSP.Data.ReadLine() ; reads json string response
     from the data stream.
   RESTPOST+33  W - Vendor specific code is restricted.

DGAUDIT1  * *  291 Lines,  13642 Bytes, Checksum: B123278694
   N DGERRCODE S DGERRCODE=DGRESPERR.code
   ERRSPMSG+3   W - Vendor specific code is restricted.

Listing of Updates
------------------

1) A modification to the routine DGSEC to create an "INQUIRY" audit
   record in the external archive when a patient is selected within a
   VistA application.

2) New DG VAS QUEUE File (#46.3), temporarily holds records to be sent
   to the external archive. See the entries below in the Patch
   Components.

3) New DG VAS EXPORT File (#46.4), keeps track of which VA FileMan AUDIT
   File (#1.1) records have been exported to the external archive. See
   the entries below in the Patch Components.

4) New DG VAS CONFIG File (#46.5), contains the settings related to the
   connection to the VAS REST API when this patch is installed at each
   site. See the entries below in the Patch Components.

5) New OPTION File entry (DG VAS EXPORT) used to export audit entries
   from the new temporary DG VAS QUEUE File (#46.3), stored in the
   ^DGAUDIT global, to the external archive. Records in File #46.3 are
   deleted immediately after being transmitted. This OPTION is
   automatically added to the OPTION SCHEDULING File (#19.2) as a Startup
   task.

6) New menu DG VAS MENU containing the new options DG VAS DISPLAY and
   DG VAS MODIFY is added to the DG SECURITY OFFICER MENU.

   6a) Two new option Files, DG VAS DISPLAY and DG VAS MODIFY related to
       the configuration settings and parameter definition values for
       VAS. The DG VAS DISPLAY option is used to view the information in
       the DG VAS CONFIG file (#46.5). The DG VAS MODIFY option is used
       to make changes in the DG VAS CONFIG file (#46.5).

7) New entries in the PARAMETER DEFINITION File (#8989.51).

   DG VAS BATCH SIZE - Controls the number of records sent in a batch to
   the VAS REST API via the DG VAS WEB SERVICE. The parameter defaults to
   a value of 1000, but may be modified using the VAS menu. The sending
   process sends records in batches equal to the value of this parameter,
   until the number of records remaining in the DG VAS QUEUE (#46.3) file
   is less than the value parameter, after which one final batch is sent
   with the remaining records (regardless of the number of records), and
   the process quits until it's restarted by Taskman at the next schedule
   date/time.

   DG VAS DAYS TO KEEP EXCEPTIONS - The number of days to store
   exceptions received from the VAS REST API in the local database before
   being deleted.

   DG VAS DEBUGGING FLAG - Forces the VAS export process to report on the
   status of the export process by sending a Mailman message to members
   of the mail group defined in the DG VAS MONITOR GROUP parameter
   containing a capture of local process information.

   DG VAS MAX QUEUE ENTRIES - The maximum number of entries permitted in
   the VAS outbound queue. When the number of entries in the queue
   exceeds this value, the oldest entries in the queue are deleted as new
   entries are added.

   DG VAS MAX WRITE ATTEMPTS - The number of failed attempts to send a
   batch of audit records to the VAS REST API before sending an error
   notification to the mail group defined in the DG VAS MONITOR GROUP
   parameter.

   DG VAS MONITOR GROUP - The mail group to which the VAS export process
   sends updates and exception notifications.

8) New option DG AUDIT TASKMAN that starts the background processing job
   for the DG VAS EXPORT. The background job will start running 5 minutes
   after the patch is installed and will run every 5 minutes to check the
   file for targeted Audit records. No action will be needed by the
   installer.

9) A new Mail Group (DG VAS MONITOR) used for VAS notifications is
   installed if the DG VAS MONITOR GROUP parameter does not contain a
   mail group at the time the patch is installed. Notifications sent to
   the mail group stored in this parameter are technical in nature and
   should be forwarded to VAS technical support.

10) A new Web Server (DG VAS WEB SERVER) containing settings that enable
    communication with the VAS REST API.

11) The new web service DG VAS WEB SERVICE sends batched audit records to
    the VAS external archive. The web service uses the standard VistA
    HealtheVet Web Services Client (HWSC) framework, which acts as an
    adjunct to the web services client functionality provided in Cache by
    leveraging Cache's platform-provided web services client
    capabilities.

    i. Protocol: The web service is a REST API and accepts and returns
       JSON request/response objects.

    ii. Response Codes:

        Successful Request/Record Level Exceptions
        ==========================================
        Code  Description
        ----  -------------------------------------------------------------
        200:  Successful Request. The response may contain "messages"
              that describe record level exceptions.

        Record level exceptions indicate the REST API successfully
        processed a portion of the batch but was able to identify
        specific records that could not be processed. Unsuccessful
        records are stored for a period of time defined by the DG VAS
        DAYS TO KEEP EXCEPTIONS parameter. For each record level error, a
        Mailman message is sent to members of the mail group in the DG
        VAS MONITOR GROUP parameter, and the record is purged from the
        DG VAS QUEUE (#46.3) file.

        Unsuccessful Requests/Batch Level Exceptions
        ============================================
        Code  Description
        ----  -------------------------------------------------------------
        501:  Not an Array.
        504:  Unable to parse data. Not JSON format.
        6059: Unable to open the Transmission Control Protocol and
              Internet Protocol (TCP/IP) connection.

        Unsuccessful requests are batch level errors. Batch level errors
        indicate the entire batch failed, the records remain in the DG
        VAS QUEUE (#46.3) file, and the records will be resent. Batch
        level errors may be Hyper Text Transfer Protocol (HTTP) errors
        from the VistA HealtheVet Web Service Client (HWSC), or
        processing errors from the VAS REST API.

    iv. Batch Size: The parameter DG VAS BATCH SIZE controls the number
        of audit records sent in a single transaction. The parameter
        defaults to a value of 1000 upon installation, but may be
        modified using the Modify VAS Parameters [DG VAS MODIFY] option
        in the VistA Audit Solution (VAS) options menu [DG VAS MENU]. The
        web service sends records in batches containing the number of
        records specified by this parameter, until the queue contains
        fewer records than the value of this parameter, at which time one
        final partial batch is sent.
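
The queue cap, batching and response-code handling described above can be
modelled in a few lines. This is an added sketch in Python, not code from
the patch or from VistA. Assumptions: the post() stub and its
(code, rejected_seqs) return shape, the record layout, that a run stops
after one batch-level failure, and that the failed-attempt counter
persists across runs and resets on success.

```python
from collections import deque
from itertools import islice


class VasQueueModel:
    """Toy model of the DG VAS QUEUE (#46.3) drain. Not VistA code."""

    def __init__(self, batch_size, max_queue_entries, max_write_attempts):
        self.batch_size = batch_size                  # DG VAS BATCH SIZE
        self.max_queue_entries = max_queue_entries    # DG VAS MAX QUEUE ENTRIES
        self.max_write_attempts = max_write_attempts  # DG VAS MAX WRITE ATTEMPTS
        self.queue = deque()      # oldest record on the left
        self.evicted = []         # dropped by the queue cap, never exported
        self.exceptions = []      # record-level exceptions kept locally
        self.notifications = []   # stand-in for Mailman messages
        self.failed_attempts = 0  # assumption: persists across runs

    def enqueue(self, record):
        """Add a record; past the cap the oldest entries are deleted."""
        self.queue.append(record)
        while len(self.queue) > self.max_queue_entries:
            self.evicted.append(self.queue.popleft())

    def export_run(self, post):
        """One scheduled run. post(batch) -> (code, rejected_seqs) is a
        hypothetical stub for the REST call; returns records delivered."""
        delivered = 0
        while self.queue:
            batch = list(islice(self.queue, self.batch_size))
            code, rejected = post(batch)
            if code != 200:
                # Batch-level error (e.g. 501, 504, 6059): records stay queued.
                self.failed_attempts += 1
                if self.failed_attempts >= self.max_write_attempts:
                    self.notifications.append(
                        f"batch error {code}, attempt {self.failed_attempts}")
                break  # assumption: retry waits for the next scheduled run
            self.failed_attempts = 0
            for record in batch:
                self.queue.popleft()  # purged whether accepted or rejected
                if record["seq"] in rejected:
                    self.exceptions.append(record)
                    self.notifications.append(f"record {record['seq']} rejected")
                else:
                    delivered += 1
            if len(batch) < self.batch_size:
                break  # final partial batch sent; run ends
        return delivered


def demo():
    """Constructed scenario: 30 records into a 25-entry queue, batches of 10."""
    model = VasQueueModel(batch_size=10, max_queue_entries=25, max_write_attempts=3)
    for seq in range(1, 31):
        model.enqueue({"seq": seq, "type": "INQUIRY"})
    sizes = []

    def accept_all_but_17(batch):
        sizes.append(len(batch))
        return 200, {17}

    delivered = model.export_run(accept_all_but_17)
    return {"evicted": [r["seq"] for r in model.evicted], "batch_sizes": sizes,
            "delivered": delivered, "left_in_queue": len(model.queue),
            "exceptions": [r["seq"] for r in model.exceptions]}


if __name__ == "__main__":
    print(demo())
```

In the constructed run, records 1 to 5 are deleted by the queue cap before
any export and never reach the archive, so queue depth against DG VAS MAX
QUEUE ENTRIES is the value to watch while the VAS server is unreachable.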

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)       Field Name (Number)              New/Modified/Deleted
------------------       -------------------              --------------------
DG VAS QUEUE (#46.3)                                      New
                         SEQ# (#.01)                      New
                         REQUEST TYPE (#.02)              New
                         DATETIME (#.03)                  New
                         PATIENT (#.04)                   New
                         USER (#.05)                      New
                         MENU OPT (#.06)                  New
                         FILENUM (#.07)                   New
                         SITE (#.08)                      New
                         JSON (#1)                        New
DG VAS EXPORT (#46.4)                                     New
                         AUDITED FILE (#.01)              New
                         LAST RECORD EXPORTED (#.02)      New
                         DATA VALUE OF LAST RECORD (#.03) New
                         DATE VAS STARTED (#.04)          New
DG VAS CONFIG (#46.5)                                     New
                         NUMBER (#.01)                    New
                         VAS STATUS (#.02)                New
                         VAS DEBUGGING FLAG (#2)          New

Forms Associated:

Form Name             File #       New/Modified/Deleted
---------             ------       --------------------
N/A

Mail Groups Associated:

Mail Group Name       New/Modified/Deleted
---------------       -----------------------------------------------
DG VAS MONITOR        New *Only installed if the DG VAS MONITOR GROUP
                      parameter doesn't contain a mail group at the
                      time the patch is installed.

Options Associated:

Option Name                  Type           New/Modified/Deleted
-----------                  ----           --------------------
DG VAS MENU                  menu           New
DG VAS DISPLAY               run routine    New
DG VAS MODIFY                run routine    New
DG VAS EXPORT                run routine    New
DG SECURITY OFFICER MENU     menu           Modified
DG AUDIT TASKMAN             run routine    New

Protocols Associated:

Protocol Name       New/Modified/Deleted
-------------       --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name    Type    File Name (Number)    New/Modified/Deleted
-------------    ----    ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name       New/Modified/Deleted
---------------------       --------------------
N/A

Parameter Definitions Associated:

Parameter Name                     New/Modified/Deleted
--------------                     --------------------
DG VAS BATCH SIZE                  New
DG VAS DAYS TO KEEP EXCEPTIONS     New
DG VAS DEBUGGING FLAG              New
DG VAS MAX QUEUE ENTRIES           New
DG VAS MAX WRITE ATTEMPTS          New
DG VAS MONITOR GROUP               New

Additional Information:

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
N/A

Test Sites:
----------
Cloud Sites:
Valley Coastal Bend

Non-Cloud Sites:
Tampa
Little Rock

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.

This release also includes other software files. They can be obtained at
location: /srv/vista/patches/SOFTWARE.

Other software files can also be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE.

File Title                            File Name               Format
----------------------------------------------------------------------
PIMS Technical Manual                 PIMS_TM.PDF             BINARY
PIMS User Manual - Security           ADT_SO.PDF              BINARY
  Officer Menu
Deployment, Installation, Back-out    DG_5_3_P964_DIBRG.PDF   BINARY
  And Rollback Guide
DG*5.3*P964 Release Notes             DG_5_3_P964_RN.PDF      BINARY

Patch Installation:
-------------------

Pre/Post Installation Overview:

This patch may be installed with users on the system although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. The VAS export defaults to 'Don't generate
or send data' during installation, minimizing potential user disruption.
This patch should take less than 5 minutes to install. If desired, you
may queue this installation.

Pre-Installation Instructions:

Identify Mail Group Organizer
-------------------------------
Identify the appropriate organizer for the VAS mail group. After patch
installation, this name must be added as the organizer of this mail
group. The organizer should be a Privacy Officer or Information Systems
Security Officer (ISSO) or their authorized representative at the
facility where the patch is being installed.
The organizer must have the ability to view the log of Create, Read,
Update and/or Delete (CRUD) operations on patient information to respond
to Freedom of Information Act (FOIA), HIPAA, employee and Inspector
General (IG) requests.

Installation Instructions:

1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global.
      When prompted for the INSTALL NAME enter the patch name,
      DG*5.3*964.

   B. Select the Backup a Transport Global option to create a backup
      message. You can specify what to backup; the entire Build or just
      Routines. The backup message can be used to restore just the
      routines or everything that will restore your system to pre-patch
      condition.

      Subject: Backup of DG*5.3*964 on Jan 16, 2022  Replace

      Select one of the following:

           B         Build (including Routines)
           R         Routines Only

      Backup Type: B// Build (including Routines)

      Send mail to: (Send mail to yourself)

   C. You may also elect to use the following options:

      i.  Print Transport Global - This option will allow you to view
          the components of the KIDS build.

      ii. Compare Transport Global to Current System - This option will
          allow you to view all changes that will be made when this
          patch is installed. It compares all of the components of this
          patch, such as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install, DG*5.3*964.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
           of Install? NO//', answer YES.

      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
           install? NO//', answer NO.

      iii. When prompted 'Want to DISABLE Scheduled Options, Menu
           Options, and Protocols? NO//', answer NO.

Post-Installation Instructions:

1. VAS Export Server Configuration - Verify a valid VAS server Domain
   Name System (DNS) was stored for the DG VAS WEB SERVER entry in the
   SERVER field (#.04) in the WEB SERVER file (#18.12). This value may be
   found next to the DG VAS WEB SERVER label in the Display VAS
   Parameters [DG VAS DISPLAY] option in the VistA Audit Solution (VAS)
   options menu [DG VAS MENU]. If this value is "unknown.vas.server", the
   VAS REST API server could not be determined during installation.

   To verify the VAS Export server configuration and connectivity,
   follow the "VAS Export Server Configuration" and "Verify VAS Server
   Connectivity" instructions in the Post Install section of the
   Deployment, Installation, Backout, Rollback Guide (DIBRG).

2. Mail Group Update - Add the Security Officer or FOIA/Privacy Officer
   identified in the pre-installation step "Identify Mail Group
   Organizer" to the VAS mail group as an organizer. Add any additional
   contacts as members of the mail group.

   The mail group used by VAS may be found in the Display VAS Parameters
   [DG VAS DISPLAY] option in the VistA Audit Solution (VAS) options
   [DG VAS MENU]. The mail group is displayed to the right of the label
   "DG VAS MONITOR GROUP:".

   To add the organizer to the mail group, use the Mail Group Edit
   [XMEDITMG] option in the Group/Distribution Management
   [XMMGR-GROUP-MAINTENANCE] menu in the Manage Mailman [XMMGR] menu to
   add the mail group organizer identified in the pre-installation step
   as a member at the "MEMBER:" prompt and as the organizer at the
   "ORGANIZER:" prompt, and to add the VAS support mail group
   vassupport@domain.ext as a remote member at the "REMOTE MEMBER:"
   prompt.

   For additional information, see the "Mail Group Update" instructions
   in the Post Installation Instructions section of the Deployment,
   Installation, Backout, Rollback Guide (DIBRG).

3. Activate the VAS Export - When the site is scheduled for activation
   by the VAS development team, the VAS Export must be turned on to begin
   sending audit records to the VAS server.

   **********************************************************
   ** NOTE - Do NOT activate the VAS Export until notified **
   ** by the Health Information Governance (HIG) office    **
   **********************************************************

   A notification will be provided to Regional IT support by the Health
   Information Governance (HIG) office to update the VAS STATUS Flag
   when the facility is ready to begin transferring data to the VAS
   external archive via the VAS REST API. The VAS STATUS may be updated
   by using the DG VAS MODIFY option in the DG VAS Menu. See the PIMS
   Technical manual and release notes for additional information.

   When notified to activate the VAS Export Server at a given facility,
   follow the instructions below:

   a. Navigate to the Modify VAS Parameters [DG VAS MODIFY] option in
      the VistA Audit Solution (VAS) Options [DG VAS MENU] menu in the
      Security Officer Menu [DG SECURITY OFFICER MENU].

   b. At the "VAS STATUS:" prompt, enter the number 1 (one) to select
      "Generate and send data".

Example - Activate VAS Export
------------------------------------------------------------------------
Select OPTION NAME: DG SECURITY OFFICER MENU     Security Officer Menu

Select Security Officer Menu Option: VISTA AUDIT Solution (VAS) options

Select VistA Audit Solution (VAS) options Option: Modify VAS Parameters

NAME: DG VAS EXPORT
QUEUED TO RUN AT WHAT TIME: FEB 06, 2023@09:54
RESCHEDULING FREQUENCY: 900S
TASK ID: 3399576

VAS STATUS: Don't generate or send data// 1  Generate and send data
Status: Generate and send data

---------- Setting BATCH SIZE for System: DOSO.FO-BIRM.DOMAIN.EXT
Value: 1000// ^
------------------------------------------------------------------------

Back-Out/Roll Back Plan:

Back-out will be done only with the concurrence and participation of
development team and appropriate VA site/region personnel. The decision
to back-out or rollback software will be a joint decision between
development team, VA site/region personnel and other appropriate VA
personnel.

The site/region should save a backup of the build in a mail message using
the Backup a Transport Global [XPD BACKUP] menu option (this is done at
time of install). The back-out plan is to restore the routines or build
from the backup created.

Refer to the patch DG*5.3*964 Deployment, Installation, Back-Out, and
Roll Back Guide (DIBRG) for more information.

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;5.3;Registration;**[Patch List]**;Aug 13, 1993;Build 323

The checksums below are new checksums, and
 can be checked with CHECK1^XTSUMBLD.

Routine Name: DGAUDIT
    Before:       n/a   After:B122376800  **964**
Routine Name: DGAUDIT1
    Before:       n/a   After:B149938226  **964**
Routine Name: DGAUDIT2
    Before:       n/a   After: B25151261  **964**
Routine Name: DGAUDIT3
    Before:       n/a   After: B45954279  **964**
Routine Name: DGAUDITP
    Before:       n/a   After: B67010651  **964**
Routine Name: DGSEC
    Before: B42431719   After: B44965286  **32,46,197,214,249,281,352,
                                           391,425,582,769,796,964**
Routine Name: DGSEC4
    Before: B43657348   After: B44665082  **249,281,391,471,684,699,964**

Routine list of preceding patches: 699, 796

=============================================================================
User Information:
Entered By  :                               Date Entered  : APR 26, 2018
Completed By:                               Date Completed: FEB 16, 2023
Released By :                               Date Released : FEB 16, 2023
=============================================================================

Packman Mail Message:
=====================

$END TXT