GSoC 2026 Project Proposal: Extend Audit Log Module in OpenMRS

1. Project Overview

During GSoC 2025, the Audit Log Web Module was developed to integrate Hibernate Envers into OpenMRS 2.7.0+. This allowed for the tracking of Create, Update, and Delete (CUD) operations. While this established a strong foundation, the current implementation only covers a fraction of the auditing requirements needed for international EMR compliance (such as HIPAA in the US or GDPR in Europe).

The goal for this year is to transition the Audit module from a “change tracker” to a comprehensive security and compliance tool by implementing “Read” auditing and tracking critical system-level events.

2. The Problem

Currently, the module doesn’t capture several critical actions:

  • View Access: the module captures who edited a patient’s record, but it does not show who only viewed it.

  • System Security: login attempts/failures, account lockouts, and session timeouts are not logged.

  • Administrative Actions: changes to global properties, module installations, and data exports are not captured.

3. Proposed Key Features for GSoC 2026

3.1 Read (View) Auditing

The module will be enhanced to capture read/view access events. The current module captures create and edit events but does not capture view events.

3.2 User & Session Security Auditing

To strengthen system-level security auditing, the following authentication and session events should be logged:

  • system start and stop

  • user login

  • user logout

  • session timeout (including inactivity and F10 forced logout)

  • account lockout

  • node authentication failure

3.3 Patient & Clinical Workflow Auditing

Beyond basic CUD tracking, the module will log:

  • patient record viewed

  • patient record created

  • patient record updated

  • patient record deleted

  • scheduling events (create/update/cancel appointments)

  • clinical queries executed

  • orders placed, modified, or discontinued

  • signature created and validated

3.4 Security Administration Events

  • security administration events

  • installing new versions, upgrades, and system configuration changes

  • loading new versions of codes and knowledge bases

  • changes to the system date and time

4. Technical Requirements & Skills

  • Java, Spring, Spring Events, Spring AOP & Hibernate: Deepening the use of Interceptors or Spring AOP for read-tracking.

  • OpenMRS Core: Understanding the authentication and authorization workflows.

  • REST API: Expanding the existing auditlogweb endpoints.

5. References & Inspiration