To facilitate review, log data needs to be stored securely for on-demand retrieval and historical analysis. A single Windows server typically generates over 100,000 events per day even without auditing enabled. With auditing enabled, Windows servers, like many UNIX systems, SNMP devices and firewalls, can produce over one million events per day, and it is not unusual for even a small organization to generate well over 20 million events daily. This information needs to be securely archived to support IT controls and compliance. Although HIPAA does not specifically mandate that log data be retained for multiple years, industry best practice recommends a retention period of at least 6-12 months, both to support long-term investigation in case of a breach and to satisfy auditor interpretations of the rule.
One hundred Windows servers averaging 100,000 events each produce 10 million events per day, and that is without auditing. If these events are kept for 90 days, 900 million events must be managed and stored; retained for one year, the archive would contain over 3.5 billion separate event records. This translates into a significant storage burden, since one million events can take up to 5GB of space in a traditional database.
Many of the conditions that indicate a problem can only be detected when events are correlated with events occurring on other systems and devices. If caught in time, these indicators can alert personnel to take action before security is compromised. Moreover, this analysis needs to be done in real time for immediate insight into unusual and suspicious user and network activity, a task that is impossible to perform manually unless a company has an army of IT experts at its disposal 24/7.
Real-time alerting is critical to responding quickly to suspected or ongoing security incidents. Without an automated solution in place, a user would have to manually access all systems one by one, and repeatedly, to attend to any issues discovered.
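The two paragraphs above describe cross-system correlation and real-time alerting in general terms. The following is an added example (not code from the original paper or from any product it describes) of what such a correlation rule looks like in practice: it streams authentication events from several hosts and raises an alert when one account fails to log on at three or more distinct hosts within five minutes, a pattern that is invisible in any single host's log, and a second alert when that account then succeeds anywhere while still under suspicion. The log line format, the hostnames, the thresholds and the sample events are all constructed for the example.

```python
"""Cross-host correlation of authentication events (added example).

The key=value line format, the thresholds and SAMPLE_LOG are assumed
for illustration; real collectors normalize vendor formats first.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data). Assumed format:
# "<ISO timestamp> host=<hostname> user=<account> event=<type> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=srv01 user=jdoe event=logon_failure src=10.0.0.5
2024-03-01T09:00:40 host=srv02 user=jdoe event=logon_failure src=10.0.0.5
2024-03-01T09:01:15 host=srv03 user=jdoe event=logon_failure src=10.0.0.5
2024-03-01T09:01:50 host=srv04 user=jdoe event=logon_success src=10.0.0.5
2024-03-01T09:30:00 host=srv01 user=asmith event=logon_failure src=10.0.0.9
2024-03-01T09:31:00 host=srv01 user=asmith event=logon_failure src=10.0.0.9
2024-03-01T09:32:00 host=srv01 user=asmith event=logon_success src=10.0.0.9
"""

WINDOW = timedelta(minutes=5)   # correlation window (assumed)
MIN_HOSTS = 3                   # distinct hosts before alerting (assumed)


def parse_line(line):
    """Turn one key=value log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines, window=WINDOW, min_hosts=MIN_HOSTS):
    """Replay events in time order and return a list of alert dicts.

    Rule 1: one account failing on >= min_hosts distinct hosts inside
            the window (a spray across the estate, not a single typo).
    Rule 2: a success for that account anywhere while it is still
            suspect, i.e. a possible successful guess.
    """
    failures = defaultdict(deque)   # user -> deque of (ts, host) failures
    suspect = {}                    # user -> time until which a success is suspicious
    alerts = []
    events = sorted((parse_line(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = failures[user]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev["event"] == "logon_failure":
            q.append((ts, ev["host"]))
            hosts = sorted({h for _, h in q})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "multi_host_failures", "user": user,
                               "ts": ts, "hosts": hosts})
                suspect[user] = ts + window
                q.clear()                    # one burst yields one alert
        elif ev["event"] == "logon_success":
            if user in suspect and ts <= suspect[user]:
                alerts.append({"rule": "success_after_spread", "user": user,
                               "ts": ts, "hosts": [ev["host"]]})
                del suspect[user]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert["ts"].isoformat(), alert["rule"], alert["user"], alert["hosts"])
```

Note that the `asmith` failures never alert: they happen on a single host and are followed by a success there, which is ordinary user behaviour. The point of the rule is that the `jdoe` pattern only exists once the four hosts' logs are seen together; each host on its own saw exactly one failure.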
Another challenge when collecting thousands of logs is organizing them in a way that reflects the regulation. Although HIPAA specifically asks for access reports and security incident reports, it is often not possible to know in advance what an auditor will require: huge volumes of information may be requested, or very specific information pertaining to certain servers, time periods, users or events may be asked for as proof of adherence. Searching through log data in response to auditor questions can overwhelm even the most prepared organization if the appropriate technology is not in place.
Choosing the right solution for your HIPAA requirements
Look for an extensible collection engine, and a centralized console
Organizations today support a number of devices, including firewalls, applications, databases and multiple operating systems. For a log management solution to be useful it must not only collect event logs from a variety of disparate sources, but also capture log data from any custom application or system dealing with ePHI, and be able to quickly add support for new devices. The collected data should be presented in an intuitive interface that centralizes reporting and analysis functions for rapid review across massive log volumes.
Applies to Requirements: I, II (See table 1 for mapping requirements)
Electronic Sign-off for closed loop operations
An automated log management solution must support closed-loop operations, in which log collection, archiving and reporting are all covered. However, the matter does not end there. The solution must also support a workflow that lets IT staff review automatically generated reports and sign off on them in a tamper-resistant manner. Auditors must be able to easily review the sign-off and its associated comments to establish adherence to review processes. Secure remote access to this feature minimizes operating costs and is desirable.
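The paragraph above asks for sign-offs that are tamper resistant without saying how that is achieved. As an added example (not the paper's own design, nor that of any product it refers to), one common way is a keyed hash chain: each sign-off record binds the SHA-256 of the report that was reviewed, the reviewer, the timestamp and the comment to the previous record's tag under an HMAC, so editing, deleting or reordering any earlier entry invalidates every later tag. The key, the `SERVER_KEY` name, the record fields and the sample reports are assumptions for the example; in a deployment the key would live with the log management server, not with the reviewers.

```python
"""Tamper-evident electronic sign-off ledger (added example).

SERVER_KEY, the record layout and the sample reports are constructed
for illustration. The key is assumed to be held only by the
log-management server so that reviewers cannot re-sign altered entries.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SERVER_KEY = b"demo-key-replace-with-a-random-secret"   # constructed, not a real key
GENESIS = "0" * 64                                       # tag "before" the first entry


def report_digest(report_bytes):
    """Fingerprint of the exact report the reviewer looked at."""
    return hashlib.sha256(report_bytes).hexdigest()


def _tag(key, entry, prev_tag):
    """HMAC over the canonical entry body chained to the previous tag."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def sign_off(ledger, key, report_bytes, reviewer, comment, ts=None):
    """Append a reviewer's sign-off for one report and return the record."""
    entry = {
        "seq": len(ledger),
        "report_sha256": report_digest(report_bytes),
        "reviewer": reviewer,
        "comment": comment,
        "ts": ts or datetime.now(timezone.utc).isoformat(),
    }
    prev = ledger[-1]["tag"] if ledger else GENESIS
    entry["tag"] = _tag(key, entry, prev)   # computed before "tag" is part of entry
    ledger.append(entry)
    return entry


def verify(ledger, key):
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        body = {k: v for k, v in e.items() if k != "tag"}
        if body.get("seq") != i:                     # entry removed or reordered
            return False, i
        expected = _tag(key, body, prev)
        if not hmac.compare_digest(expected, e.get("tag", "")):
            return False, i                          # content or chain altered
        prev = e["tag"]
    return True, None


def copy_ledger(ledger):
    """Deep copy via JSON, handy for simulating an offline edit."""
    return json.loads(json.dumps(ledger))


def demo():
    """Sign two constructed reports, then alter the first comment."""
    ledger = []
    access_report = b"access report 2024-03-01: 3 users accessed ePHI records"  # constructed
    incident_report = b"security incident report 2024-03-01: 2 alerts triaged"  # constructed
    sign_off(ledger, SERVER_KEY, access_report, "it-admin@example.org",
             "Reviewed, no anomalies", "2024-03-02T08:00:00+00:00")
    sign_off(ledger, SERVER_KEY, incident_report, "ciso@example.org",
             "Both alerts closed", "2024-03-02T09:15:00+00:00")
    tampered = copy_ledger(ledger)
    tampered[0]["comment"] = "Reviewed, anomalies found"
    return verify(ledger, SERVER_KEY), verify(tampered, SERVER_KEY)


if __name__ == "__main__":
    print(demo())
```

The chain detects edits, deletions and reordering, but not silent truncation of the newest entries; the usual fix is to periodically anchor the latest tag somewhere the ledger's operator cannot quietly rewrite (a write-once store or a second system), which an auditor can then compare against the ledger presented.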
Applies to Requirements: I