The Case for Automated Log Management in Meeting HIPAA Compliance

The Impact of HIPAA
The Health Insurance Portability Accountability Act, better known as HIPAA, was passed in 1996 by the US Department of Health and Human Standards (HHS) to ensure the privacy and security of confidential patient health information. The Act mandates that all Covered Entities (CEs) must implement “reasonable and appropriate’ procedures for securing patient health information from security breaches, impermissible uses and/or disclosures, with severe penalties mandated to punish non-compliance.

In March, Atlanta’s Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of HIPAA. The audit was conducted by the office of the inspector general at HHS and is being seen by some in the healthcare industry as a precursor to similar audits to come at other institutions.

A number of HIPAA requirements are focused towards the integrity of electronic protected health information (ePHI) – any personally identifiable health information that is handled electronically, including:

  • Controlling access to ePHI
  • Monitoring and auditing access to ePHI
  • Diagnosing potential security problems
  • Retaining records of access for a set period of time
  • Demonstrating to independent reviewers the processes that fulfill the requirements above.

In the Piedmont case, it was reported that HHS asked for this type of information to be provided within 10 days. In the absence of automated log management systems that record and maintain this information, producing it became a very challenging, manual effort.

Log Management, specifically, can be directly applied to the following 7 HIPAA recommendations and requirements:

 

Requirement

Details

I

Review of Information System Activity § 164.308(1) (ii) (D)

Implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident reports

II

Protection from Malicious Software § 164.308(a)(5)(ii)(B)

 

Calls for procedures for guarding against, detecting and reporting on malicious software

III

Log-in Monitoring § 164.308(a)(5)(ii)(C)

 

Monitoring log-in attempts and reporting discrepancies

IV

Security Incident Procedures §164.308(a)(6)(ii)

 

Implementation of methods to identify and respond to suspected or known security incidents; mitigate to the extent practicable

V

Audit Controls § 164.312(b)

 

Implementation of hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI

VI

Integrity & Authentication of ePHI § 164.312(c)(1) and (2)

 

Electronic measures to corroborate that ePHI has not been altered or destroyed in an unauthorized or improper manner

VII

Person or Entry Authentication § 164.312(d)

 

Procedures to verify that a person or entity seeking access to ePHI is the claimed.

In order to successfully meet the above requirements, HIPAA specifically calls out event logs as an important vehicle to meet compliance and requires CEs to collect, analyze, preserve, alert and report on system and application security event logs generated by all relevant systems.

In fact, many other regulatory mandates and best-practice processes also recommend regularly reviewing log data in order to achieve complete network transparency and diagnose potential security problems. Apart from helping with compliance, this also benefits healthcare organizations by providing patients with the confidence that their most sensitive data is secure and protected from misuse.

Can this be achieved without an automated log management solution in place? The answer to that is “possibly’, but especially at the larger CEs, at a considerable risk of information breach and audit failure.

In a 2006 survey on “the state of HIPAA privacy and security compliance’ conducted by the American Health Information Management Association, only 39% of hospitals and health systems reported full privacy compliance. Why are companies failing to comply? Importantly enough, the survey found that 55% of respondents identified resources as their most significant barrier to complete privacy compliance – Certainly, most healthcare organizations do not have dedicated security operation centers or staff to routinely and consistently audit event log data for successful compliance.

The challenge lies in the variety of data sources that exist across a network, different log formats and the massive volume of log data generated daily by a healthcare organization. Event log management and analysis for healthcare companies becomes all the more time-consuming and costly given the confidential nature of much of the information retained on their systems, multi-user workstations and the breadth and size of their networks. These challenges tax the limit of most available resources, resulting in inefficiencies and breaches.

Why manual processes don’t work
1. Collection and review
Database systems, critical applications, devices and multiple operating systems record a considerable amount of security data into local logs. At a bare minimum these logs need to be collected and archived in a central location for regular review in order to meet compliance. Given that log generation can run into the hundreds of thousands in number, and continuously grow, it is next to impossible to rapidly collect them as they are generated.

These logs contain valuable information that, if accessible can detect potential security issues before they impact patients. However, it is difficult, not to mention inefficient, to view logs one at a time and make sense of them. Message formats vary widely and system-specific expertise is required to garner any sort of intelligence from the mountain of data. Furthermore, because tens of thousands of different event IDs and types exist, no one expert can have complete knowledge.

2. Storage
In order to facilitate review, log data needs to be stored securely for on-demand retrieval and historical analysis. Normally, a single Windows server can generate over 100,000 events every day without using the auditing feature. With the audit feature in operation, Windows servers, like many UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It is not unusual for even a small organization to generate well over 20 million events every day. This information needs to be securely archived for IT controls and compliance. Although HIPAA does not specifically mandate that log data be stored for multiple years, industry best practices recommend a data retention policy of at least 6-12 months, in order to accommodate long-term investigation in case of a breach, as well as to assist with auditor interpretations.

One hundred Windows servers with an average number of 100,000 events each, means a total of 10 million events per day – and that is without auditing! If these events are kept for 90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the archive would contain over 3.5 billion separate event records. This can translate into a significant storage burden, keeping in mind that one million events can take up to 5GB of space in a traditional database.

3. Analysis
Many of the conditions that indicate issues can only be detected when events are correlated or associated with events happening on other systems and devices. If caught in time, these signs can alert personnel to take the necessary actions before security is compromised. Moreover, this analysis needs to be done in real-time for immediate insight into unusual and suspicious user/network activity – a task that is impossible to do manually, unless of course, a company has an army of IT experts at its disposal 24/7.

4. Alerting
In order to quickly respond to suspected or ongoing security incidents, real-time alerting is critical. Without an automated solution in place, a user would have to manually access all systems one-by one, repeatedly to attend to any issues discovered.

5. Reporting
Another challenge when collecting thousands of logs is to organize them in a way that is reflective of the regulation. Although HIPAA specifically asks for access reports and security incident reports, many times it is not possible to understand in advance what an auditor might require. It might very well be that huge volumes of information is requested or very specific information pertaining to certain servers, time periods, users or events is asked for as proof of adherence. Searching through log data in response to auditor questions can overwhelm even the most prepared organization if they do not have the appropriate technology in place.

Choosing the right solution for your HIPAA requirements

Look for an extensible collection engine, and a centralized console
Organizations, today, support a number of devices including firewalls, applications, databases, multiple operating systems etc. For a log management solution to be useful it must not only be able to collect event logs generated by a variety of disparate sources, but should also be able to capture log data from any custom application or system dealing with ePHI, and have the ability to quickly provide support for new devices. This collected data should be made available on an intuitive interface that centralizes reporting and analysis functions for rapid review across massive log volumes.

Applies to Requirements: I, II (See table 1 for mapping requirements)

Electronic Sign-off for closed loop operations
An automated log management solution must include support for closed loop operations where log collection, archiving, reporting are all supported. However, the matter does not end there. The solution must also support the workflow to permit IT staff to review automatically generated reports and sign-off on them in a tamper resistant manner. Auditors must be able to review the sign-off and associated comments easily, to establish adherence to review processes. Secure remote access for this feature will minimize operation costs and is desirable.

Applies to Requirements: I

Insure secure storage
Look for a solution that offers compressed secure tamper-proof storage that does not require costly database licenses or administrators. The solution chosen should also be able to store data in its entirety for a complete audit trail that describes the entire history of an event. This is essential for examining detailed historical activity of access to or modification of critical data.

Applies to Requirements: I, IV, V, VI

The importance of real-time correlation and alerting
It is not enough for a solution to collect logs – a robust log management product should enable powerful real-time monitoring and rules-based alerting on the event stream. Rules can watch for seemingly minor unrelated events occurring on multiple systems across time that together represent clear indications of an impending security breach. For instance, multiple failed logins across all systems with a single remote IP address, or multiple unsuccessful login attempts to different accounts on a single system, are signs of a hack attempt. With real-time alerting, IT and security staff can be notified immediately when a suspicious activity is discovered, for quick remediation, before confidential patient information is impacted.

Applies to Requirements: I, II, III, V

Integrated reporting is a must
Choose a solution that come integrated with pre-defined report templates typically required by regulatory mandates and standards. Ensure that custom reporting is provided for quickly responding to auditor queries of information, demonstrating a log review process and adherence to multiple requirements

Applies to Requirements: All

Ask for change management capabilities
Look for a log management solution that delivers change and configuration management, key components for regulatory compliance and security management. These capabilities automate regular scanning of registry hives and configuration settings, which are then compared with initial assessments of the IT environment to reveal any critical changes such as prohibited and infected files and applications.

Applies to Requirements: II

Insist on Role-Based Access
Because log data contains sensitive information, especially in the case of healthcare organizations, access must be limited to authorized persons to minimize misuse. A log management solution must be able to restrict access to data according to corporate policies, assigned roles and privileges.

Applies to Requirements: VII

Conclusion
The right log management solution, used in conjunction with internal procedures and policies, provides CEs with the capability to have a strong, yet cost effective compliance strategy in place, and to easily demonstrate adherence to external auditors. Managing log data manually, although possible, is an extremely labor intensive activity that not only puts an immense amount of stress on existing resources, but has the ability to detract from other processes and put huge holes in IT budgets. Not to mention, manual processes are subject to human inefficiencies which can translate to thousands of dollars in liability for non-compliance, remediation and other related expenses.