The challenge lies in the variety of data sources that exist across a network, different log formats and the massive volume of log data generated daily by a healthcare organization. Event log management and analysis for healthcare companies becomes all the more time-consuming and costly given the confidential nature of much of the information retained on their systems, multi-user workstations and the breadth and size of their networks. These challenges tax the limit of most available resources, resulting in inefficiencies and breaches.
Why manual processes don’t work
1. Collection and review
Database systems, critical applications, devices and multiple operating systems record a considerable amount of security data into local logs. At a bare minimum these logs need to be collected and archived in a central location for regular review in order to meet compliance requirements. Given that the number of log entries can run into the hundreds of thousands and grows continuously, it is next to impossible to collect them manually as fast as they are generated.
These logs contain valuable information that, if accessible, can reveal potential security issues before they impact patients. However, it is difficult, not to mention inefficient, to view logs one at a time and make sense of them. Message formats vary widely, and system-specific expertise is required to extract any sort of intelligence from the mountain of data. Furthermore, because tens of thousands of different event IDs and types exist, no single expert can have complete knowledge of them.
2. Storage
In order to facilitate review, log data needs to be stored securely for on-demand retrieval and historical analysis. Normally, a single Windows server can generate over 100,000 events every day without using the auditing feature. With the audit feature in operation, Windows servers, like many UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It is not unusual for even a small organization to generate well over 20 million events every day. This information needs to be securely archived for IT controls and compliance. Although HIPAA does not specifically mandate that log data be stored for multiple years, industry best practices recommend a data retention policy of at least 6-12 months, in order to accommodate long-term investigation in case of a breach, as well as to assist with auditor interpretations.
One hundred Windows servers with an average number of 100,000 events each, means a total of 10 million events per day – and that is without auditing! If these events are kept for 90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the archive would contain over 3.5 billion separate event records. This can translate into a significant storage burden, keeping in mind that one million events can take up to 5GB of space in a traditional database.