It's the first Monday of the month. Can you show me the audit report?
Clinical systems go through periodic audit for privacy and traceability.
Clinical System Audit runs a monthly audit of the healthcare facility's clinical systems (HIS, LIS, RIS, EHR, FSE 2.0 integration). It checks GDPR Art. 9 privacy requirements, traceability of clinical decisions, and MDR compliance for software classified as a medical device. Every decision is traced.
Clinical System Audit at work.
October 2025 report. Systems checked: HIS, LIS, RIS, EHR, FSE 2.0. Anomalies: 2 out-of-hours accesses to patient records (nursing staff, 02:12 and 02:47). 1 degraded encryption configuration on LIS service (AES-256 → AES-128, unauthorised). 3 FSE 2.0 records with incomplete logs. Criticality: 1 high (LIS), 2 medium (accesses), 1 low (FSE logs).
I'll start the procedures for the three anomalies. Thank you.
Why it exists.
A mid-large healthcare facility runs many clinical systems: HIS, LIS, RIS, EHR, FSE 2.0 integration, department-specific systems. Each system handles sensitive data under GDPR Art. 9 and carries specific regulatory requirements. Periodic audit required by GDPR, MDR, and regional regulations is today a manual exercise coordinated between IT, the DPO, and the clinical lead.
How it works each month.
Clinical System Audit activates on a monthly schedule (or more frequently for critical systems). For each configured clinical system it reads access logs and security configurations, compares against the baselines declared by the compliance team, and identifies anomalies. The volume and complexity that make a thorough audit hard to sustain manually become manageable.
The decision stays with the DPO and clinical lead.
The agent runs the automated periodic audit and identifies anomalies based on the configured baselines. The decision on how to handle anomalies — internal disciplinary action, notification to the regulator, technical remediation — stays with the DPO and clinical lead under the facility's procedures.
DPO, clinical lead, and IT manager.
Facility DPO
The DPO reclaims the time spent on manual clinical systems audit. The capacity concentrates on cases that require judgement — the identified anomalies, not the data collection to find them. Procedures start from structured lists, not from sample analysis.
Clinical lead
The clinical lead has structured visibility on the quality of clinical data management. The risk of a data breach or GDPR/MDR non-compliance shifts from a diffuse risk to identified anomalies, each linked to the baseline that produced it.
IT manager
The IT manager receives structured remediation actions. Clinical systems vulnerability management enters the monthly operational flow, instead of relying on reactive post-incident efforts.
Monthly audit of five clinical systems.
The agent activates on the first Monday of every month.
For a mid-size private hospital with 5 main clinical systems (HIS, LIS, RIS, EHR, FSE 2.0 integration), the agent is scheduled on the first Monday of every month. It reads logs and configurations of the 5 systems for the previous month and compares against the baselines declared by the DPO and clinical lead.
Three anomalies, classified by criticality.
The agent identifies three anomalies: 2 out-of-hours accesses to patient records not covered by on-call duties (nursing staff on patients not assigned to the night shift), 1 degraded encryption configuration on a LIS service (unauthorised change by the security team), 3 FSE 2.0 records with incomplete logs (missing author reference for automated integration changes).
The DPO starts the procedures; the event stays in the audit registry.
The summary reaches the DPO and clinical lead on the first Monday of the month on the work channel. The DPO starts the procedures: motivation request to staff for the out-of-hours accesses, technical remediation to the IT team for LIS encryption, FSE 2.0 integration fix. The full event stays in the runtime audit registry for GDPR Art. 9, MDR, and regional or AGENAS inspection audit.
Declarative baselines, clinical systems in delivery.
The Clinical System Audit rules are declarative. The DPO, clinical lead, and IT manager define in a readable format the privacy baselines (permitted access patterns, authorisations by role), the technical security baselines (encryption, authentication, log schema), the traceability requirements (FSE 2.0 log schema, MDR log schema). The rules live in the customer's repository, versioned, validated at agent startup.
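As an added illustration (not Clinical System Audit's own code), the following TypeScript shows how declarative baselines of the three kinds above can be applied to one month of records to produce classified anomalies: the record fields, the baseline format and the criticality mapping are assumptions, and every sample record is constructed to mirror the October report.

```typescript
// Added illustration, not Clinical System Audit's own code: record fields and baseline shape are assumed, samples constructed.
type AccessEvent = { system: string; user: string; role: string; time: string; patient: string; coveredByOnCall: boolean };
type ConfigState = { system: string; service: string; cipher: string; changeAuthorised: boolean };
type FseRecord = { id: string; automated: boolean; author?: string };
type Anomaly = { system: string; criticality: "high" | "medium" | "low"; detail: string };
// Declarative baselines as DPO, clinical lead and IT would declare them (assumed format).
const baseline = {
  privacy: { outOfHours: { fromHour: 22, toHour: 6 }, rolesExemptAtNight: ["physician"] },
  security: { requiredCipher: "AES-256" },
  traceability: { automatedChangesNeedAuthor: true },
};
function isOutOfHours(isoTime: string): boolean {
  const h = new Date(isoTime).getUTCHours(); // times compared in UTC
  const { fromHour, toHour } = baseline.privacy.outOfHours;
  return h >= fromHour || h < toHour; // window wraps past midnight
}
// One month of records in, classified anomalies out; each detail names the baseline it violates.
function auditMonth(access: AccessEvent[], configs: ConfigState[], fse: FseRecord[]): Anomaly[] {
  const found: Anomaly[] = [];
  for (const e of access) {
    const exempt = baseline.privacy.rolesExemptAtNight.includes(e.role);
    if (isOutOfHours(e.time) && !e.coveredByOnCall && !exempt)
      found.push({ system: e.system, criticality: "medium", detail: `privacy: out-of-hours access by ${e.user} to ${e.patient} at ${e.time}` });
  }
  for (const c of configs) {
    if (c.cipher !== baseline.security.requiredCipher && !c.changeAuthorised)
      found.push({ system: c.system, criticality: "high", detail: `security: ${c.service} uses ${c.cipher}, baseline ${baseline.security.requiredCipher}, change unauthorised` });
  }
  for (const r of fse) {
    if (baseline.traceability.automatedChangesNeedAuthor && r.automated && !r.author)
      found.push({ system: "FSE 2.0", criticality: "low", detail: `traceability: record ${r.id} has no author reference` });
  }
  return found;
}
// Constructed sample month mirroring the report above.
const sampleAccess: AccessEvent[] = [
  { system: "EHR", user: "nurse01", role: "nurse", time: "2025-10-14T02:12:00Z", patient: "P-1042", coveredByOnCall: false },
  { system: "EHR", user: "nurse02", role: "nurse", time: "2025-10-21T02:47:00Z", patient: "P-0877", coveredByOnCall: false },
  { system: "EHR", user: "nurse03", role: "nurse", time: "2025-10-21T03:10:00Z", patient: "P-0311", coveredByOnCall: true },
  { system: "EHR", user: "doc01", role: "physician", time: "2025-10-22T23:30:00Z", patient: "P-0311", coveredByOnCall: false },
];
const sampleConfigs: ConfigState[] = [
  { system: "LIS", service: "lis-results", cipher: "AES-128", changeAuthorised: false },
  { system: "HIS", service: "his-core", cipher: "AES-256", changeAuthorised: true },
];
const sampleFse: FseRecord[] = [
  { id: "fse-1", automated: true }, { id: "fse-2", automated: true }, { id: "fse-3", automated: true },
  { id: "fse-4", automated: true, author: "integration-svc" }, { id: "fse-5", automated: false },
];
```

Running `auditMonth(sampleAccess, sampleConfigs, sampleFse)` yields the report's six anomalies (1 high, 2 medium, 3 low), while the on-call nurse and the exempt physician produce nothing.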
Integration with clinical systems (HIS, LIS, RIS, FSE 2.0) is delivered via a dedicated adapter during the project by the Exelab team. Clinical systems are highly heterogeneous across facilities — technical integration feasibility for audit depends on the specific system and is defined during discovery.
- Language: TypeScript (Node.js)
- LLM model: customer's choice: Anthropic, OpenAI, Mistral, open source models hosted internally, AWS Bedrock for a private model
- Built-in controls used: pii-detector, credential-detector, topic-guardrail, tool-rate-limit
- Native delivery channels: Slack, Telegram, OpenAI-compatible HTTP
- Clinical systems integration (HIS, LIS, RIS, FSE 2.0): dedicated adapter delivered during the project (proprietary systems, regional solutions, FSE 2.0 integrations)
- Privacy + security + traceability baselines: declarative, versioned, written by DPO + clinical lead + IT
- Memory: persistent per instance, pgvector + PostgreSQL FTS on historical patterns
- Registry: append-only, queryable with a standard SQL client (GDPR Art. 9, MDR, FSE 2.0 audit inspectable)
Frequently asked questions about the agent.
No. The agent runs the automated periodic audit and identifies anomalies based on the configured baselines. The decision on how to handle anomalies — internal disciplinary action, notification to the regulator, technical remediation — stays with the DPO and clinical lead under the facility's procedures.
When an anomaly falls within the patterns that require formal notification to the regulator (significant data breach under GDPR Art. 33), the agent flags the pattern with the applicable procedure. The decision to notify the regulator stays with the DPO under the facility's incident management procedures.
Clinical systems are highly heterogeneous: HIS, LIS, RIS, and FSE 2.0 vary by facility (proprietary systems, regional solutions, national system integrations). Integration is delivered via a dedicated adapter during the project by the Exelab team. The most common integration patterns are defined during the commercial discovery phase.
The typical project timeline for Clinical System Audit is 14-20 weeks: discovery 3-4 weeks, baseline and rule writing with DPO + clinical lead + IT 5-7 weeks, clinical systems integration 5-7 weeks, hand-off 2-3 weeks.
From a 30-minute conversation to the squad in production.
A 30-45 minute conversation to understand how Clinical System Audit would be configured for the facility's case: which clinical systems, which privacy and security baselines, which audit frequency.