Set up a connector to import healthcare EHR audit data (preview)

You can set up a data connector in the Microsoft 365 compliance center to import auditing data for user activity in your organization's Electronic Healthcare Records (EHR) system. Auditing data from your healthcare EHR system include data for events related to accessing a patient's health records. Healthcare EHR auditing data can be used by the Microsoft 365 insider risk management solution to help protect your organization from unauthorized access to patient information.

Setting up a Healthcare connector consists of the following tasks:

  • Creating an app in Azure Active Directory (Azure AD) to access an API endpoint that accepts a tab-separated text file containing healthcare EHR auditing data.

  • Creating a text file with all the required fields as defined in the connector schema.

  • Creating a Healthcare connector instance in the Microsoft 365 compliance center.

  • Running a script to push healthcare EHR auditing data to the API endpoint.

  • Optionally, scheduling the script to run automatically to import the auditing information.

Before you set up the connector

  • The user who creates the Healthcare connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the Data connectors page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in Permissions in the Security & Compliance Center. Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in Permissions in the Microsoft 365 compliance center.

  • You need to determine how to retrieve or export the data from your organization's healthcare EHR system (on a daily basis) and create a text file that's described in Step 2. The script that you run in Step 4 will push the data in the text file to the API endpoint.

  • The sample script that you run in Step 4 pushes the healthcare EHR auditing data from the text file to the connector API so that it can be used by the insider risk management solution. This sample script isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Step 1: Create an app in Azure Active Directory

The first step is to create and register a new app in Azure Active Directory (Azure AD). The app will correspond to the Healthcare connector that you create in Step 3. Creating this app allows Azure AD to authenticate the push request for the text file containing healthcare EHR auditing data. During the creation of this Azure AD app, be sure to save the following information. These values will be used in later steps.

  • Azure AD application ID (also called the app Id or client Id)

  • Azure AD application secret (also called the client secret)

  • Tenant Id (also called the directory Id)

For step-by-step instructions for creating an app in Azure AD, see Register an application with the Microsoft identity platform.

Step 2: Prepare a text file with healthcare EHR auditing data

The next step is to create a text file that contains information about employees' access to patient health records in your organization's healthcare EHR system. As previously explained, you need to determine how to generate this text file from your healthcare EHR system. The Healthcare connector workflow requires a text file with tab-separated values to map that data in the text file with the required connector schema. The file format supported is a comma (.csv), pipe (.psv), or tab (.tsv) separated text file.

Note

The maximum size of the text file that contains the auditing data is 3 GB. The maximum number of rows is 5 million. Also, be sure to only include the relevant auditing data from your healthcare EHR system.

The following table lists the fields that are required to enable insider risk management scenarios. A subset of these fields is mandatory. These fields are highlighted with an asterisk (*). If any of the mandatory fields are missing in the text file, the file won't be validated and data in the file won't be imported.

Fields: Creation Time*, Event Name*, Workstation Id, Event Section, Event Category
Category: These fields are used to identify access activity events in your healthcare EHR system.

Fields: Patient Reg Id, Patient First Name*, Patient Middle Name, Patient Last Name*, Patient Address Line 1*, Patient Address Line 2, Patient City*, Patient Zip Code*, Patient State, Patient Country, Patient Department
Category: These fields are used to identify patient profile data.

Fields: Restricted Access Reason*, Restricted Access Comment
Category: These fields are used to identify access to restricted records.

Fields: Email Address (UPN) or SamAccountName*, Employee User Name, Employee Id, Employee Last Name ¹, Employee First Name ¹
Category: These fields are used to identify employee profile information for address and name matching required to determine access to Family/Neighbor/Employee records.

Note

¹ This field may not be available by default in your healthcare EHR system. You need to configure the export to ensure the text file contains this field.
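
Because a file with a missing mandatory field is rejected as a whole, it is worth checking the export before it is uploaded. The following pre-upload check is an added example, not part of the original article or of Microsoft's sample script. It assumes the column headers in your file equal the schema field names (pass your own header names otherwise, since the mapping is defined in Step 3), and the function name, sample rows and sample file path are constructed for illustration.

```powershell
# Added example: pre-upload check of the EHR audit text file (not Microsoft's sample script).
function Test-EhrAuditFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: column headers equal the schema field names; pass your own header names if they differ.
        [string[]] $Mandatory = @('Creation Time', 'Event Name', 'Patient First Name', 'Patient Last Name',
            'Patient Address Line 1', 'Patient City', 'Patient Zip Code', 'Restricted Access Reason',
            'Email Address')
    )
    $file = Get-Item -LiteralPath $Path
    $delimiter = switch ($file.Extension.ToLowerInvariant()) {   # supported formats from Step 2
        '.csv' { ',' }
        '.psv' { '|' }
        '.tsv' { "`t" }
        default { throw "Unsupported extension '$($file.Extension)': expected .csv, .psv or .tsv" }
    }
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($file.Length -gt 3GB) { $problems.Add("Size $($file.Length) bytes exceeds the 3 GB limit") }

    $rows = 0; $present = $null; $empty = @{}
    Import-Csv -LiteralPath $Path -Delimiter $delimiter | ForEach-Object {   # streams one row at a time
        $row = $_; $rows++
        if ($null -eq $present) {                                            # first row: check the header
            $columns = $row.PSObject.Properties.Name
            $present = @($Mandatory | Where-Object { $_ -in $columns })
            $Mandatory | Where-Object { $_ -notin $columns } |
                ForEach-Object { $problems.Add("Mandatory column missing: $_") }
        }
        foreach ($name in $present) {                                        # extra check: blank mandatory values
            if ([string]::IsNullOrWhiteSpace($row.$name)) { $empty[$name]++ }
        }
    }
    if ($rows -eq 0) { $problems.Add('No data rows found') }
    if ($rows -gt 5000000) { $problems.Add("$rows rows exceed the 5 million row limit") }
    foreach ($name in $empty.Keys) { $problems.Add("$($empty[$name]) row(s) have an empty '$name'") }
    [pscustomobject]@{ Path = $Path; Rows = $rows; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: two rows, no 'Patient Zip Code' column, one blank 'Event Name'.
$sample = Join-Path $env:TEMP 'ehr_audit_sample.tsv'
$header = 'Creation Time', 'Event Name', 'Patient First Name', 'Patient Last Name',
          'Patient Address Line 1', 'Patient City', 'Restricted Access Reason', 'Email Address'
$lines  = @(
    ($header -join "`t"),
    (@('2021-03-01T09:15:00Z', 'ChartOpened', 'Ana', 'Doe', '1 Main St', 'Redmond', 'None', 'nurse1@contoso.com') -join "`t"),
    (@('2021-03-01T09:20:00Z', '', 'Ana', 'Doe', '1 Main St', 'Redmond', 'BreakTheGlass', 'nurse2@contoso.com') -join "`t")
)
Set-Content -LiteralPath $sample -Value $lines -Encoding UTF8
Test-EhrAuditFile -Path $sample | Format-List
```

For the constructed sample the result reports 2 rows, Valid = False, a missing 'Patient Zip Code' column and one row with an empty 'Event Name'.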

Step 3: Create the Healthcare connector

The next step is to create a Healthcare connector in the Microsoft 365 compliance center. After you run the script in Step 4, the text file that you created in Step 2 will be processed and pushed to the API endpoint you set up in Step 1. In this step, be sure to copy the JobId that's generated when you create the connector. You'll use the JobId when you run the script.

  1. Go to https://compliance.microsoft.com and then click Data connectors in the left nav.

  2. On the Overview tab, click Healthcare (preview).

  3. On the Healthcare (preview) page, click Add connector.

  4. Accept the terms of service.

  5. On the Authentication credentials page, do the following and then click Next:

    1. Type or paste the Azure AD application ID for the Azure app that you created in Step 1.

    2. Type a name for the healthcare connector.

  6. On the File mapping method page, select one of the following options and then click Next.

    • Upload a sample file. If you select this option, click Upload sample file to upload the file that you prepared in Step 2. This option allows you to quickly select column names in your text file from a drop-down list to map the columns to the required schema for the healthcare connector.

    Or

    • Manually provide the mapping details. If you select this option, you have to type the name of the columns in your text file to map the columns to the required schema for the healthcare connector.
  7. On the File mapping details page, do one of the following, depending on whether you uploaded a sample file or not in the previous step:

    • Use the dropdown lists to map the columns from the sample file to each required field for the healthcare connector.

    Or

    • For each field, type the column name from the file that you prepared in Step 2 that corresponds to the field for the healthcare connector.
  8. On the Review page, review your settings and then click Finish to create the connector.

    A status page is displayed that confirms the connector was created. This page contains two important things that you need to complete the next step to run the sample script to upload your healthcare EHR auditing data.

    • Job ID. You'll need this job ID to run the script in the next step. You can copy it from this page or from the connector flyout page.

    • Link to sample script. Click the here link to go to the GitHub site to access the sample script (the link opens a new window). Keep this window open so that you can copy the script in Step 4. Alternatively, you can bookmark the destination or copy the URL so you can access it again when you run the script. This link is also available on the connector flyout page.

  9. Click Done.

    The new connector is displayed in the list on the Connectors tab.

  10. Click the Healthcare connector that you just created to display the flyout page, which contains properties and other information about the connector.

If you haven't already done so, you can copy the values for the Azure App ID and Connector job ID. You'll need these to run the script in the next step. You can also download the script from the flyout page (or download it using the link in the next step).

You can also click Edit to change the Azure App ID or the column header names that you defined on the File mapping page.

Step 4: Run the sample script to upload your healthcare EHR auditing data

The last step in setting up a Healthcare connector is to run a sample script that will upload the healthcare EHR auditing data in the text file (that you created in Step 1) to the Microsoft cloud. Specifically, the script uploads the data to the Healthcare connector. After you run the script, the Healthcare connector that you created in Step 3 imports the healthcare EHR auditing data to your Microsoft 365 organization where it can be accessed by other compliance tools, such as the Insider risk management solution. After you run the script, consider scheduling a task to run it automatically on a daily basis so the most current employee termination data is uploaded to the Microsoft cloud. See (Optional) Step 6: Schedule the script to run automatically.

Note

As previously stated, the maximum size of the text file that contains the auditing data is 3 GB. The maximum number of rows is 5 million. The script that you run in this step will take about 30 to 40 minutes to import the auditing data from large text files. Additionally, the script will divide large text files into smaller blocks of 100K rows, and then import those blocks sequentially.

  1. Go to the window that you left open from the previous step to access the GitHub site with the sample script. Alternatively, open the bookmarked site or use the URL that you copied. You can also access the script here.

  2. Click the Raw button to display the script in text view.

  3. Copy all the lines in the sample script and then save them to a text file.

  4. Modify the sample script for your organization, if necessary.

  5. Save the text file as a Windows PowerShell script file by using a filename suffix of .ps1; for example, HealthcareConnector.ps1.

  6. Open a Command Prompt on your local computer, and go to the directory where you saved the script.

  7. Run the following command to upload the healthcare audit data in the text file to the Microsoft cloud; for example:

    .\HealthcareConnector.ps1 -tenantId <tenantId> -appId <appId> -appSecret <appSecret> -jobId <jobId> -filePath '<filePath>'

The following table describes the parameters to use with this script and their required values. The information you obtained in the previous steps is used in the values for these parameters.

Parameter Description
tenantId: This is the Id for your Microsoft 365 organization that you obtained in Step 1. You can also obtain the tenant Id for your organization on the Overview blade in the Azure AD admin center. This is used to identify your organization.
appId: This is the Azure AD application Id for the app that you created in Azure AD in Step 1. This is used by Azure AD for authentication when the script attempts to access your Microsoft 365 organization.
appSecret: This is the Azure AD application secret for the app that you created in Azure AD in Step 1. This is also used for authentication.
jobId: This is the job ID for the Healthcare connector that you created in Step 3. This is used to associate the healthcare EHR auditing data that are uploaded to the Microsoft cloud with the Healthcare connector.
filePath: This is the file path for the text file (stored on the same system as the script) that you created in Step 2. Try to avoid spaces in the file path; otherwise use single quotation marks.

Here's an example of the syntax for the Healthcare connector script using actual values for each parameter:

    .\HealthcareConnector.ps1 -tenantId d5723623-11cf-4e2e-b5a5-01d1506273g9 -appId 29ee526e-f9a7-4e98-a682-67f41bfd643e -appSecret MNubVGbcQDkGCnn -jobId b8be4a7d-e338-43eb-a69e-c513cd458eba -filePath 'C:\Users\contosoadmin\Desktop\Data\healthcare_audit_records.csv'

If the upload is successful, the script displays the Upload Successful message.

Step 5: Monitor the Healthcare connector

After you create the Healthcare connector and push your EHR auditing data, you can view the connector and upload status in the Microsoft 365 compliance center. If you schedule the script to run automatically on a regular basis, you can also view the current status after the last time the script ran.

  1. Go to https://compliance.microsoft.com and click Data connectors in the left nav.

  2. Click the Connectors tab and then select the Healthcare connector to display the flyout page. This page contains the properties and information about the connector.

  3. Under Last import, click the Download log link to open (or save) the status log for the connector. This log contains information about each time the script runs and uploads the data from the text file to the Microsoft cloud.

    The RecordsSaved field indicates the number of rows in the text file that uploaded. For example, if the text file contains four rows, then the value of the RecordsSaved field is 4, if the script successfully uploaded all the rows in the text file.

If you haven't run the script in Step 4, a link to download the script is displayed under Last import. You can download the script and then follow the steps to run the script.

(Optional) Step 6: Schedule the script to run automatically

To make sure the latest auditing data from your healthcare EHR system are available to tools like the insider risk management solution, we recommend that you schedule the script to run automatically on a daily basis. This also requires that you update the EHR auditing data in the same text file on a similar (if not the same) schedule so that it contains the latest information about patient records access activities by your employees. The goal is to upload the most current auditing data so that the Healthcare connector can make it available to the insider risk management solution.

You can use the Task Scheduler app in Windows to automatically run the script every day.

  1. On your local computer, click the Windows Start button and then type Task Scheduler.

  2. Click the Task Scheduler app to open it.

  3. In the Actions section, click Create Task.

  4. On the General tab, type a descriptive name for the scheduled task; for example, Healthcare connector script. You can also add an optional description.

  5. Under Security options, do the following things:

    1. Determine whether to run the script only when you're logged on to the computer or run it when you're logged on or not.

    2. Make sure that the Run with the highest privileges checkbox is selected.

  6. Select the Triggers tab, click New, and then do the following things:

    1. Under Settings, select the Daily option, and then choose a date and time to run the script for the first time. The script will run every day at the same specified time.

    2. Under Advanced settings, make sure the Enabled checkbox is selected.

    3. Click Ok.

  7. Select the Actions tab, click New, and then do the following things:

    1. In the Action dropdown list, make sure that Start a program is selected.

    2. In the Program/script box, click Browse, and go to the following location and select it so the path is displayed in the box: C:.0.exe.

    3. In the Add arguments (optional) box, paste the same script command that you ran in Step 4. For example, .\HealthcareConnector.ps1 -tenantId "d5723623-11cf-4e2e-b5a5-01d1506273g9" -appId "c12823b7-b55a-4989-faba-02de41bb97c3" -appSecret "MNubVGbcQDkGCnn" -jobId "e081f4f4-3831-48d6-7bb3-fcfab1581458" -filePath "C:\Healthcare\audit\records.txt"

    4. In the Start in (optional) box, paste the folder location of the script that you ran in Step 4. For example, C:\Healthcare\audit.

    5. Click Ok to save the settings for the new action.

  8. In the Create Task window, click Ok to save the scheduled task. You might be prompted to enter your user account credentials.

    The new task is displayed in the Task Scheduler Library.

    The last time the script ran and the next time it's scheduled to run is displayed. You can double-click the task to edit it.

    You can also verify the last time the script ran on the flyout page of the corresponding Healthcare connector in the compliance center.
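
The same daily task can be registered from PowerShell with the ScheduledTasks cmdlets. The following is an added example, not part of the original article or of Microsoft's sample script: instead of pasting -appSecret into the task arguments, where it is stored as plain text in the task definition, the task runs a small wrapper that reads the secret from a DPAPI-protected file. The wrapper name Run-HealthcareUpload.ps1, the appsecret.xml file and the 02:00 start time are assumptions, and the IDs are placeholders.

```powershell
# Added example; the wrapper name, secret file name and 02:00 start time are assumptions.
$dir     = 'C:\Healthcare\audit'                      # folder that holds HealthcareConnector.ps1
$wrapper = Join-Path $dir 'Run-HealthcareUpload.ps1'  # hypothetical wrapper script
$runAs   = Get-Credential -Message 'Account the scheduled task runs as'

# One-time: store the application secret encrypted with DPAPI. Export-Clixml protects a SecureString
# for the current user on this computer, so run this while signed in as the task's account.
Read-Host -Prompt 'Azure AD application secret' -AsSecureString |
    Export-Clixml -LiteralPath (Join-Path $dir 'appsecret.xml')

# Wrapper: decrypts the secret in memory and calls the sample script with the parameters from Step 4.
@'
$secure = Import-Clixml -LiteralPath (Join-Path $PSScriptRoot 'appsecret.xml')
$params = @{
    tenantId  = '<tenantId>'
    appId     = '<appId>'
    appSecret = [System.Net.NetworkCredential]::new('', $secure).Password
    jobId     = '<jobId>'
    filePath  = Join-Path $PSScriptRoot 'records.txt'
}
& (Join-Path $PSScriptRoot 'HealthcareConnector.ps1') @params
'@ | Set-Content -LiteralPath $wrapper -Encoding UTF8

# Daily trigger and "Start a program" action, as in the Task Scheduler steps.
# powershell.exe is resolved by name here (assumption); the task arguments no longer contain the secret.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory $dir `
    -Argument "-NoProfile -File `"$wrapper`""
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# -User/-Password make the task run whether the account is logged on or not;
# -RunLevel Highest matches the "Run with the highest privileges" checkbox.
Register-ScheduledTask -TaskName 'Healthcare connector script' -Action $action -Trigger $trigger `
    -User $runAs.UserName -Password $runAs.GetNetworkCredential().Password -RunLevel Highest
```

Restrict NTFS permissions on the script folder to the task account and administrators, since anyone who can edit the wrapper controls what the elevated task runs.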