Auditing and logging are an important part of the HIPAA Security Rule, but the rule contains no specifics on this requirement. According to HIPAA Security Rule – 164.312(b):“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” The closest we get to any specifics is that we should have: “Procedures for monitoring log in attempts and reporting discrepancies.”
Because this is vague, we often hear people say that HIPAA either doesn’t require very rigorous monitoring or that its requirements are at best minimal. However HIPAA being vague actually requires a little more rigor, based on the requirements above HIPAA is saying that all access, both success and failures, to electronic protected health information (ePHI) should be monitored and logged and be accessible in the case of a breach. You should be able to go back to your logs and investigate what data was accessed, conduct forensics to try to figure out how that data was accessed in an unauthorized way and who may have been the person or entity that accessed it, and determine if/how data was altered. HIPAA covered entities and business associates should be able to determine who, what, when, and how the ePHI was accessed.
The first step in doing this is to know where your ePHI lives. Is it in flat files on home drives, like word files or excel spreadsheets? Is it in an electronic health records program? Is it in a database such as Microsoft SQL? Then we need to review how these files are accessed. Through file shares? Through a front end application? A web portal? Is the access only from the on premise network, or is it across the internet? Is there remote access involved? Is it via a VPN or a VDI host? Then we need to look at devices and systems that secure this data, firewalls, IDS/IPS, end point protection. Having all of that mapped out we now know what should be monitored for at a minimum as HIPAA says “log-in attempts and reporting discrepancies”.
Next we need to put context around these logs, we could easily be seeing over 10,000 logs a day or more how do we determine what of those logs are critical and need to be investigated versus logs that just need to be maintained? How do we secure and retain these logs as they build over time? Usually this would require a few full-time employees dedicated to tuning the system, monitoring the logs and responding to incidents. Another option is to use a 3rd party to perform this for you. A managed security services provider (MSSP) that manages security operations centers (SOCs) is an option.
However you decide to do it there is no question that both covered entities and business associates are required to perform monitoring and alerting and that its vital to maintaining the ability to secure your patients or your customers protected health information.