How It Happened — The Critical Evidence Of HIPAA Logs
by Stephen Trout
If you’re like me, you’ve watched more than a few “Cold Case” or “How it Happened” re-enactments in your time. If you’re my wife, you’ve watched a whole lot more.
In either case, you’ll recall that dramatic moment when the determined investigators march into the evidence room and pull the dust-covered, archived box of case exhibits from the shelf.
They lift the lid and carefully comb through the contents — lock of hair, blood-stained glove, spent bullet casing — mining the old evidence for new clues.
A half-hour later, all the pieces of the puzzle fit together — and Eureka! — the mystery is solved.
If only real-life cases were so easy!
No doubt, that deep dive into the evidence box was pivotal; without it, there’d be no trail of breadcrumbs to follow, no previously smoking guns to examine — and alas, no show to film!
It makes perfect sense to us, then, why archives of evidence are kept — often for many years. They’re indispensable for piecing together a story, solving a crime, and hopefully, bringing the bad guys to justice.
A Trail of Logs
It’s true: most healthcare breaches don’t rise to the level of a murder case — though some do.
It remains a sad fact:
Breaches are an assault against patients and businesses. The average healthcare data breach now costs $9.42 Million.
It’s for such reasons that HIPAA Security Standard §164.306 mandates the implementation of technologies and procedures to “collect and regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
No, these detailed audit logs won’t consist of a box of paper files left on a shelf to collect dust — not for electronically protected records.
Rather, an automated digital record of sequentially logged system events — an audit trail — will be kept and carefully protected to help reveal the factors which led to a system breach.
Like Sergeant Friday’s journal from the old Dragnet series, with logs at your disposal, you’ll have a detailed record of who did what to which data, and when (“It was Friday, 10:33 pm…”).
What Audit Trails Entail
Logs of system activity serve as important puzzle pieces, then, to complete the “system activity picture” — exhibits to help solve the mystery of what (and who) may be threatening your environment and patient data.
It should go without saying — but we’ll say it anyway — that only authorized users with unique IDs should have access to electronically protected health information. This is a fundamental tenet of HIPAA’s Administrative Safeguards, and adherence to it can be verified from the logs.
This means, for example, that if Joe Shady somehow manages to sign in at 10:33 pm — and he’s not an authorized user — a red flag will be raised and recorded.
On that note: It’s poor practice to condone unauthorized users having access, simply for the sake of convenience! The Principle of Least Privilege should be in play, granting only those access privileges needed to those who are authorized to complete a given task.
In addition, maintaining a record of access has legal implications as well: in the event that a breach has already occurred or is alleged to have occurred, the covered entity must be able to produce this information when subpoenaed.
With logs, suspected abusers can often be confirmed or absolved; further, if a potential “insider” culprit knows there is a record that could lead back to them, they might be less likely to commit the crime in the first place!
Here then are recommended items for logging/auditing:
- System and network access information (which user, with a corresponding timestamp)
- Any actions that were taken by a superuser account (root or Admin)
- New user account creation
- Invalid or failed login attempts
- Installation/removal of any software, or system configuration options
- Any security event or malicious software activity
- Attempted breach of data
- Logfile creation or editing, or attempts to delete the logs themselves
Armed with this critical evidence, crucial questions can now be answered: How was a breach attempted? What was the extent of the damage, if any? Who was responsible?
Once the above information has been secured, it is imperative that these logs be configured so they cannot be altered. Logs must also be reviewed frequently to ensure that they are functioning properly.
Finally, HIPAA regulations mandate that records of any interaction with patient PHI and personally identifiable information (PII) are to be retained for six years (HIPAA Vault keeps them for seven).
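To make the list above concrete, and to show one way logs can be configured so that a later alteration does not go unnoticed, here is an added example (not HIPAA Vault’s own code or tooling): each record captures who did what to which data and when, and every record’s hash covers the previous record’s hash, so editing, reordering or dropping a stored record breaks every link after it. The sample events, the field names and the user names are constructed for this illustration.

```python
import hashlib
import json

# Constructed sample events (not real data). Each record captures who did
# what to which data, and when, covering several of the categories the post
# recommends logging: PHI access, a failed login, a superuser action, and
# an attempt to delete the audit log itself.
SAMPLE_EVENTS = [
    {"ts": "2023-03-10T14:02:11Z", "user": "nurse_jane", "action": "read",
     "resource": "patient/4471", "result": "success"},
    {"ts": "2023-03-10T22:33:00Z", "user": "jshady", "action": "login",
     "resource": "ehr-portal", "result": "failure"},
    {"ts": "2023-03-10T22:34:05Z", "user": "root", "action": "useradd",
     "resource": "account/jshady2", "result": "success"},
    {"ts": "2023-03-10T22:35:40Z", "user": "root", "action": "unlink",
     "resource": "/var/log/audit/audit.log", "result": "denied"},
]

GENESIS = "0" * 64  # prev_hash of the very first record


def canonical(event: dict) -> bytes:
    """Stable serialisation so an identical event always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_hash(seq: int, prev_hash: str, event: dict) -> str:
    """The hash covers the sequence number, the previous hash and the event
    body, so editing, reordering or dropping a record changes every later hash."""
    h = hashlib.sha256()
    h.update(f"{seq}:{prev_hash}:".encode())
    h.update(canonical(event))
    return h.hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append one event to the in-memory chain and return the stored record."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    # Store a copy so that later tampering with the chain cannot reach the source event.
    record = {"seq": seq, "prev_hash": prev_hash, "event": dict(event),
              "hash": record_hash(seq, prev_hash, event)}
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, None) if every link checks out, otherwise
    (False, seq) for the first record that does not."""
    prev_hash = GENESIS
    for expected_seq, rec in enumerate(chain):
        if (rec["seq"] != expected_seq
                or rec["prev_hash"] != prev_hash
                or rec["hash"] != record_hash(rec["seq"], prev_hash, rec["event"])):
            return False, rec["seq"]
        prev_hash = rec["hash"]
    return True, None


def build_chain(events=SAMPLE_EVENTS) -> list:
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def demo_tamper() -> tuple:
    """Show that a silent rewrite of a stored record is detected."""
    chain = build_chain()
    intact_before = verify_chain(chain)[0]
    # An insider rewrites the failed login so that it looks like a success.
    chain[1]["event"]["result"] = "success"
    return intact_before, verify_chain(chain)


if __name__ == "__main__":
    print(demo_tamper())
```

The chain on its own proves only that the records are consistent with each other; someone who can rewrite the whole file could recompute every hash. In practice the newest hash (and ideally the records themselves) is forwarded off the host to the central log store as each record is written, so the stored copy and the forwarded copy can be compared during review.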
SIEM Reviews and Correlation
Since HIPAA regulations require these internal audits to be performed regularly, periodic reviews of logs may help diagnose where bottlenecks and weak spots are in the process tree.
However, collecting the data a security information and event management (SIEM) system needs can be daunting, as the volume of log data on most servers can reach hundreds of gigabytes or more.
Clearly, this creates serious headaches for collection and normalization (turning raw logs from many sources into a consistent, readable form), and it can degrade velocity (how quickly logs are produced and become available for review) and veracity (accuracy).
The good news is that HIPAA Vault meets these HIPAA-compliant cloud hosting requirements as part of our fully-managed services, leveraging powerful tools to provide a proven, personalized approach to your system’s vital infrastructure and security requirements.
SIEM Benefits include:
- 24/7 monitoring, ensuring real-time data integrity and system security
- Comprehensive event logging, effectively mining your server logs for system activity
- Correlation of data, creating a searchable index for log files and trend analysis
- Longevity of storage, providing ease of accessibility and retention of archived logs
Continuous monitoring of system events works round the clock to protect sensitive data and ensure the integrity of your system. Data is correlated in a central repository, simplifying log analysis and auditing with searchable indexes.
In addition, external security threats are identified and logged, allowing for effective reporting and blocking.
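Normalization and correlation, as described in the two sections above, as an added illustration (not HIPAA Vault’s tooling): two constructed log sources in different native formats (an SSH-style auth log and a key=value application log) are parsed into one schema, grouped per user, and then checked against several of the items the post recommends auditing: access by a user who is not on the authorized list, a burst of failed logins followed by a success, after-hours access to patient records, and an attempt to delete a log file. The line formats, user names, IP addresses and the authorized-user list are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources in two different native formats.
# The line formats and the user/IP values are invented for this example.
AUTH_LOG = """\
2023-03-10 14:01:55 sshd[640]: Accepted password for nurse_jane from 10.0.5.12
2023-03-10 22:30:01 sshd[811]: Failed password for jshady from 198.51.100.7
2023-03-10 22:30:09 sshd[811]: Failed password for jshady from 198.51.100.7
2023-03-10 22:30:20 sshd[811]: Failed password for jshady from 198.51.100.7
2023-03-10 22:33:00 sshd[811]: Accepted password for jshady from 198.51.100.7
"""

EHR_LOG = """\
ts=2023-03-10T14:02:11 user=nurse_jane action=read record=patient/4471
ts=2023-03-10T22:35:10 user=jshady action=export record=patient/4471
ts=2023-03-10T22:35:40 user=jshady action=delete record=/var/log/audit/audit.log
"""

# Assumed list of users authorised to touch PHI (constructed).
AUTHORIZED_USERS = {"nurse_jane", "dr_patel"}

AUTH_RE = re.compile(
    r"^(\S+ \S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalise(auth_text: str, ehr_text: str) -> list:
    """Parse both sources into one schema so they can be indexed and
    correlated together: ts, source, user, action, result, target."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts, outcome, user, ip = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": "sshd", "user": user, "action": "login",
                       "result": "success" if outcome == "Accepted" else "failure",
                       "target": ip})
    for line in ehr_text.splitlines():
        kv = dict(KV_RE.findall(line))
        if not all(k in kv for k in ("ts", "user", "action", "record")):
            continue
        events.append({"ts": datetime.fromisoformat(kv["ts"]), "source": "ehr",
                       "user": kv["user"], "action": kv["action"],
                       "result": "success", "target": kv["record"]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events: list, fail_threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> list:
    """Apply a few of the checks the post calls for, per user, across sources."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        if user not in AUTHORIZED_USERS:
            alerts.append(("unauthorized_user", user))
        failures = []  # timestamps of recent failed logins for this user
        for e in evs:
            if e["action"] == "login" and e["result"] == "failure":
                failures.append(e["ts"])
            elif e["action"] == "login":  # a success: preceded by a burst of failures?
                if sum(1 for t in failures if e["ts"] - t <= window) >= fail_threshold:
                    alerts.append(("brute_force_then_success", user))
                failures = []
            # Patient records touched outside 07:00-19:00 (assumed business hours).
            if e["target"].startswith("patient/") and not 7 <= e["ts"].hour < 19:
                alerts.append(("after_hours_phi_access", user, e["action"], e["target"]))
            # Any attempt to remove the logs themselves is an alert in its own right.
            if e["action"] == "delete" and e["target"].startswith("/var/log/"):
                alerts.append(("log_tamper_attempt", user, e["target"]))
    return alerts


def run_demo() -> list:
    return correlate(normalise(AUTH_LOG, EHR_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of the shared schema is that the brute-force check sees only the auth log, the after-hours check sees only the application log, and the unauthorized-user check spans both; none of these is possible while each source sits in its own format. Real deployments replace the in-memory grouping with the SIEM’s searchable index and tune the thresholds and business hours to the site.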
Fully-Managed Logs as a Proactive Resource
This, then, is the real power of log creation: Logs display system access activity in order to help determine regular and irregular access patterns and activities.
But to expect the healthcare provider to manage these logs and review them on a regular basis would be beyond their ability and scope. In addition, it would consume time that would be better spent on patient care.
As an integral part of HIPAA Vault’s fully managed and compliant hosting service, log files are provided and regularly reviewed by system administrators to determine whether current security measures are sufficient to maintain the integrity of our customers’ resources and information.
If any changes need to be researched and applied, this will be undertaken to better secure our customers’ protected information.
Finally, this means that logs are much more than mere reactive tools — records only to be consulted “after the fact.”
Used properly, logs actually help prevent a breach by alerting administrators to suspicious and potentially damaging activity — because no one wants to be left with a “cold case,” wondering how a breach could’ve happened.
If you have any questions on HIPAA Vault’s fully managed logging — or any of our affordable, compliant solutions for healthcare — please contact us! 760–290–3460.