Introduction
A security-first approach means that a regular assessment of application vulnerabilities is a key part of providing the highest levels of data security for PHI from electronic health and medical records. It's also key to preventing accidental HIPAA violations. Proper HIPAA log risk management is used for anomaly detection and forensic analysis.
HIPAA Log Requirements
In order to ensure that confidentiality, integrity and availability of Protected Health Information (PHI) is HIPAA compliant, an organization should keep audit logs for all activities. A well-documented audit trail as well as a log of all activity will help document breaches, and reviewing the logs on an ongoing basis it can also help prevent them. The U.S. Department of Health and Human Services (HHS) has set guidance on audit controls and logs. Application audit trails monitor and log user activities including any files that are created, read, edited, or deleted with respect to Electronic Health Records (EHR). Any system should also log successful or unsuccessful log-on attempts, ID/username, log-on/off date and time events, type of device, application accessed, and authentication method. The logs should also include any other activities such as commands executed by the user and any resources accessed.
These logs will establish access patterns for the employees and contractors in any organization, and it will be possible to detect unauthorized access by stolen login credentials.
To meet HIPAA audit log requirements, it is best to track:
- User logins
- Database changes
- Moves, adds and changes of users
- User access levels and files accessed
- Logins to operating systems, firewalls and anti-malware
These requirements are for protecting PHI, but organizations must track access to paper PHI to ensure compliance using a sign in/sign process for paper files.
HIPAA Log Retention Requirements
There is a lot of confusion around log retention requirements and conflicting information in HHS bulletins. In general, the HIPAA log retention policy is six years; however, some states require even longer. Check with the state laws where the PHI data is maintained. If the state law is longer than six years, then adhere to the state law. The limits of the systems of a Business Associate, as well as the requirements of the Covered Entity, should also be considered as internal audit policies may require even more than six years for log retention.
HIPAA Risk Assessment Requirements
The requirement for conducting HIPAA security risk assessments was first introduced in 2003 and extended to the HITECH Act of 2009. A record $5.5 million fine was assessed against Advocate Health Care Network for failing to identify risks, so the penalties can be expensive.
No specific risk analysis methodology is mandated by the HHS; Covered Entities and Business Associates are all different. HHS recommends the identification of potential risks and vulnerabilities of all PHI. Risk assessments should be completed on at least an annual basis as new technology and organizational practices often changed.
The HHS suggests that the following should be included in a HIPAA security risk assessment:
- Document where PHI is stored, received, maintained or transmitted
- Document potential threats and vulnerabilities
- Assess security policies and procedures for protecting PHI and if used properly
- Assess the likelihood of a threat
- Assess the potential impact of a PHI breach
- Assign risk levels for vulnerability
- Take action where necessary and document it all for possible audit
HIPAA Vulnerability Scan Requirements
HIPAA rules do not require vulnerability scans or penetration testing, although they are more important than ever. However, as discussed above, a risk assessment is required, and vulnerability scans and penetration testing are two important tools for risk assessments. Since hacking in healthcare is so prevalent, it makes good sense to perform these tests. The U.S.'s NIST organization also recommends vulnerability scans and penetration testing, if reasonable and appropriate for your organization. These tools will help document any issues and speed remediation.
Giva's HIPAA Vulnerability Management
- Monthly third-party vulnerability and penetration scan
- Security team reviews scan results
- Remediation of all threats found
- Partner with Trustwave for extended validation
- Whitelists on IDS/IPS and Web Application Firewalls to ensure vulnerability scanners have enhanced view into infrastructure
- Timely infrastructure patching to ensure all security updates are applied
- Security research for proactive notification of potential threats
- HIPAA compliance assessment
Giva's Comprehensive Logging
- HIPAA-compliant logging
- Tripwire Enterprise security solutions
- File Integrity Monitoring to detect changes to system files preventing back doors and root kits
- Log offloading into external log servers to prevent attackers from "covering their tracks"
- Enhanced retention of firewall, web app firewall, and event logs
- Dual factor authentication with extended logging for remote users
