The Case for Automated Log Management in Meeting HIPAA Compliance
by A.N. Ananth - Prism Microsystems CEO - Wednesday, 28 November 2007.
Log Management, specifically, can be directly applied to the following 7 HIPAA recommendations and requirements:





Review of Information System Activity § 164.308(1)(ii)(D)

Implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident reports


Protection from Malicious Software § 164.308(a)(5)(ii)(B)


Calls for procedures for guarding against, detecting and reporting on malicious software


Log-in Monitoring § 164.308(a)(5)(ii)(C)


Monitoring log-in attempts and reporting discrepancies


Security Incident Procedures § 164.308(a)(6)(ii)


Implementation of methods to identify and respond to suspected or known security incidents; mitigate to the extent practicable


Audit Controls § 164.312(b)


Implementation of hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI


Integrity & Authentication of ePHI § 164.312(c)(1) and (2)


Electronic measures to corroborate that ePHI has not been altered or destroyed in an unauthorized or improper manner


Person or Entity Authentication § 164.312(d)


Procedures to verify that a person or entity seeking access to ePHI is the one claimed.

To meet the above requirements, HIPAA specifically calls out event logs as an important vehicle for compliance and requires covered entities (CEs) to collect, analyze, preserve, alert and report on system and application security event logs generated by all relevant systems.

In fact, many other regulatory mandates and best-practice processes also recommend regularly reviewing log data in order to achieve complete network transparency and diagnose potential security problems. Apart from helping with compliance, this also benefits healthcare organizations by providing patients with the confidence that their most sensitive data is secure and protected from misuse.

Can this be achieved without an automated log management solution in place? The answer is ‘possibly’, but, especially at the larger CEs, only at a considerable risk of information breach and audit failure.

In a 2006 survey on ‘the state of HIPAA privacy and security compliance’ conducted by the American Health Information Management Association, only 39% of hospitals and health systems reported full privacy compliance. Why are companies failing to comply? The survey found that 55% of respondents identified resources as their most significant barrier to complete privacy compliance. Certainly, most healthcare organizations do not have dedicated security operation centers or staff to routinely and consistently audit event log data for successful compliance.

The challenge lies in the variety of data sources that exist across a network, different log formats and the massive volume of log data generated daily by a healthcare organization. Event log management and analysis for healthcare companies becomes all the more time-consuming and costly given the confidential nature of much of the information retained on their systems, multi-user workstations and the breadth and size of their networks. These challenges tax the limit of most available resources, resulting in inefficiencies and breaches.

Why manual processes don’t work

1. Collection and review

Database systems, critical applications, devices and multiple operating systems record a considerable amount of security data into local logs. At a bare minimum these logs need to be collected and archived in a central location for regular review in order to meet compliance. Given that the number of log entries generated can run into the hundreds of thousands and grows continuously, it is next to impossible to collect them as rapidly as they are generated.

These logs contain valuable information that, if accessible, can detect potential security issues before they impact patients. However, it is difficult, not to mention inefficient, to view logs one at a time and make sense of them. Message formats vary widely, and system-specific expertise is required to garner any sort of intelligence from the mountain of data. Furthermore, because tens of thousands of different event IDs and types exist, no one expert can have complete knowledge.
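
The format problem described above, as an added example that is not part of the original article: two differently formatted log sources are normalized into one record shape so that failed log-ins can be counted per source address across systems. The sample lines, host names, the comma-separated Windows export layout and the threshold of 4 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the article). The sshd lines use OpenSSH's
# syslog message format; the Windows lines use a hypothetical comma-separated
# export of Security events 4624 (logon) and 4625 (failed logon).
SAMPLE_LOGS = [
    "Nov 28 09:14:02 emr-db1 sshd[2211]: Failed password for jdoe from 10.0.4.17 port 51122 ssh2",
    "Nov 28 09:14:09 emr-db1 sshd[2211]: Failed password for jdoe from 10.0.4.17 port 51124 ssh2",
    "Nov 28 09:14:15 emr-db1 sshd[2211]: Failed password for invalid user admin from 10.0.4.17 port 51130 ssh2",
    "Nov 28 09:15:40 emr-db1 sshd[2290]: Accepted password for jdoe from 10.0.4.17 port 51140 ssh2",
    "2007-11-28T09:16:01,WS-LAB3,Security,4625,An account failed to log on,TargetUserName=jdoe,IpAddress=10.0.4.17",
    "2007-11-28T09:20:11,WS-LAB3,Security,4624,An account was successfully logged on,TargetUserName=rnurse,IpAddress=10.0.7.3",
    "Nov 28 09:21:00 emr-db1 cron[310]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSHD = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_OUTCOME = {"4624": "success", "4625": "failure"}

def normalize(line):
    """Map one raw line to a common record, or None if no parser knows it."""
    m = SSHD.match(line)
    if m:
        outcome = "failure" if m["res"] == "Failed" else "success"
        return {"host": m["host"], "user": m["user"], "src": m["src"], "outcome": outcome}
    parts = line.split(",")
    if len(parts) >= 5 and parts[2] == "Security" and parts[3] in WIN_OUTCOME:
        kv = dict(p.split("=", 1) for p in parts[5:] if "=" in p)
        return {"host": parts[1], "user": kv.get("TargetUserName", "?"),
                "src": kv.get("IpAddress", "?"), "outcome": WIN_OUTCOME[parts[3]]}
    return None

def login_discrepancies(lines, threshold=4):
    """Return (sources with >= threshold failed log-ins, count of unparsed lines)."""
    failures, unparsed = Counter(), 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            unparsed += 1  # report parser gaps instead of silently dropping lines
        elif rec["outcome"] == "failure":
            failures[rec["src"]] += 1
    return {s: n for s, n in failures.items() if n >= threshold}, unparsed

if __name__ == "__main__":
    print(login_discrepancies(SAMPLE_LOGS))
```

In the sample data neither system alone reaches the threshold for 10.0.4.17; the address is flagged only once both formats are read into the same record shape.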

