Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

The Case for Automated Log Management in Meeting HIPAA Compliance

by A.N. Ananth - Prism Microsystems CEO - Wednesday, 28 November 2007.

Log Management, specifically, can be directly applied to the following 7 HIPAA recommendations and requirements:

	Requirement	Details
I	Review of Information System Activity § 164.308(1) (ii) (D)	Implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident reports
II	Protection from Malicious Software § 164.308(a)(5)(ii)(B)	Calls for procedures for guarding against, detecting and reporting on malicious software
III	Log-in Monitoring § 164.308(a)(5)(ii)(C)	Monitoring log-in attempts and reporting discrepancies
IV	Security Incident Procedures §164.308(a)(6)(ii)	Implementation of methods to identify and respond to suspected or known security incidents; mitigate to the extent practicable
V	Audit Controls § 164.312(b)	Implementation of hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
VI	Integrity & Authentication of ePHI § 164.312(c)(1) and (2)	Electronic measures to corroborate that ePHI has not been altered or destroyed in an unauthorized or improper manner
VII	Person or Entry Authentication § 164.312(d)	Procedures to verify that a person or entity seeking access to ePHI is the claimed.

In order to successfully meet the above requirements, HIPAA specifically calls out event logs as an important vehicle to meet compliance and requires CEs to collect, analyze, preserve, alert and report on system and application security event logs generated by all relevant systems.

In fact, many other regulatory mandates and best-practice processes also recommend regularly reviewing log data in order to achieve complete network transparency and diagnose potential security problems. Apart from helping with compliance, this also benefits healthcare organizations by providing patients with the confidence that their most sensitive data is secure and protected from misuse.

Can this be achieved without an automated log management solution in place? The answer to that is ‘possibly’, but especially at the larger CEs, at a considerable risk of information breach and audit failure.