HIPAA Security Audit Controls and Audit Logs

Today I am breaking down one of the Technical Safeguard standards, Audit Controls (45 C.F.R. § 164.312(b)), into byte-size portions to help you understand how it is significant to your organization. Audit Logs are 

The HIPAA Security Rule provision on Audit Controls requires regulated entities to:

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Audit Controls - What Are They?

The majority of information systems provide some level of audit controls with a reporting method, such as audit logs. These controls are useful for recording and examining information system activity, which includes user and application activity.

Audit controls that produce audit reports work in conjunction with audit logs and audit trails. Audit logs and trails assist regulated entities with reducing risk associated with: reviewing inappropriate access; tracking unauthorized disclosures of ePHI; detecting performance problems and flaws in applications; detecting potential intrusions and other malicious activity; and providing forensic evidence during investigation of security incidents and breaches. As part of this process, regulated entities should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.

Audit Logs and Audit Trails - What Are They?

According to the National Institute of Standards and Technology (NIST), audit logs are records of events generated by applications, users, and systems, and audit trails are built from the audit logs of those applications, users, and systems. The main purpose of audit trails is to maintain a record of system activity by application processes and of user activity within systems and applications.

Regulated entities should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails.

Protecting audit logs and audit trails prevents intruders from tampering with the audit records and preserves their integrity. Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for regulated entities not only to recover from breaches, but to prevent them before they happen.

The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, regulated entities must consider their risk analysis results and organizational factors, such as:

  • Technical infrastructure
  • Hardware
  • Software security

Audit Trails Examples

There are different types of audit trails your practice should consider, including:

  • Application audit trails – Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.
  • System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed.
  • User audit trails – Normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.
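The list above describes what system-level and application audit trails record, and the section before it stresses that the records themselves must be protected from tampering. As an added example (not code from the original post or from any particular product), the block below writes both kinds of event into one append-only trail in which every record carries an HMAC over its contents and the MAC of the previous record, so editing, deleting or reordering any record breaks verification of everything after it. The signing key, event field names and sample events are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed example key. In a real deployment the key is held by the log
# collector (ideally in an HSM or secrets store), never by the systems whose
# activity it protects, so a compromised application server cannot re-sign.
SIGNING_KEY = b"example-audit-signing-key-replace-me"
GENESIS_MAC = "0" * 64  # value chained into the very first record


def _canonical(record):
    """Stable serialisation so the MAC does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only audit trail whose records are chained by HMAC-SHA256."""

    def __init__(self, key):
        self._key = key
        self.records = []
        self._prev_mac = GENESIS_MAC

    def append(self, event):
        record = dict(event)
        record["seq"] = len(self.records)      # position in the chain
        record["prev_mac"] = self._prev_mac    # links to the previous record
        record["mac"] = hmac.new(self._key, _canonical(record),
                                 hashlib.sha256).hexdigest()
        self.records.append(record)
        self._prev_mac = record["mac"]
        return record


def verify_chain(records, key):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS_MAC
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        # A deleted or reordered record shows up as a sequence/link mismatch.
        if body.get("seq") != i or body.get("prev_mac") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # An edited record (or a forged one made without the key) fails the MAC.
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


# Hypothetical event shapes following the two audit-trail types described above.
def logon_event(user, outcome, device, ts):
    """System-level audit trail entry: who logged on, from where, and whether it worked."""
    return {"type": "system", "event": "logon", "user": user,
            "outcome": outcome, "device": device, "ts": ts}


def record_access_event(user, patient_id, action, ts):
    """Application audit trail entry: which ePHI record was touched and how."""
    return {"type": "application", "event": "record_access", "user": user,
            "patient_id": patient_id, "action": action, "ts": ts}


def build_sample_trail():
    """Constructed sample trail with four events (no real patient data)."""
    trail = AuditTrail(SIGNING_KEY)
    trail.append(logon_event("nurse_a", "success", "ws-12", "2024-03-01T08:04:10"))
    trail.append(record_access_event("nurse_a", "P100", "read", "2024-03-01T08:05:00"))
    trail.append(record_access_event("nurse_a", "P100", "update", "2024-03-01T08:09:30"))
    trail.append(logon_event("unknown", "failure", "ws-40", "2024-03-01T08:11:02"))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail.records, SIGNING_KEY))
    tampered = [dict(r) for r in trail.records]
    tampered[2]["action"] = "read"  # insider rewrites an update as a harmless read
    print("after edit:", verify_chain(tampered, SIGNING_KEY))
```

The trail still has to be shipped off the host promptly (for example to a write-once collector), because a chain only proves that the copy you hold has not been altered since it was signed; it cannot recreate records that an attacker prevented from being written in the first place.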

It is important to point out that although the HIPAA Security Rule does not identify the data that must be gathered by the audit controls or how often the audit reports should be reviewed, a regulated entity must still consider its risk analysis and organizational factors, such as current technical infrastructure and hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.

Is Anyone Looking at the Audit Logs?

There are several reasons to implement and monitor audit controls. Over the last few weeks I’ve shared several of them; here are two:

  1. Doctor accessed medical records without authorization AND gave some of that PHI to an ATTORNEY!!
  2. Nurse viewed 13,000 patients’ medical records without authorization for 15 Months!!

How do you know if anyone, and who, is snooping in your medical records? Audit Logs!

But it Doesn't End There!

Regulated entities should review and secure audit logs/trails, and use proper tools to collect, monitor, and review audit logs/trails. However, the HIPAA Security Rule does not identify what information should be collected in an audit log/trail or how often the audit reports should be reviewed.

Each regulated entity must consider their complete and thorough risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities. The majority of information systems provide some level of audit controls with a reporting method, such as audit reports.

These controls are useful for recording and examining information system activity, which includes user and application activity. It is important to protect your audit logs and trails to prevent intruders from tampering with the audit records and to preserve their integrity.

Not safeguarding audit logs and audit trails can allow hackers or insider threats to cover their electronic tracks, making it difficult for regulated entities not only to recover from incidents or breaches, but to prevent them before they happen.

Understanding the Importance of Audit Controls

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires regulated entities to apply hardware, software, and/or procedural mechanisms that record and examine activity within information systems that contain or use electronic protected health information (ePHI).

Audit controls produce audit reports, which work in conjunction with audit logs and audit trails. Audit logs and audit trails assist covered entities (CEs) and business associates (BAs) in reducing associated risks by:

  • Tracking inappropriate access
  • Tracking unauthorized disclosures of ePHI
  • Detecting performance problems and flaws in applications
  • Detecting potential intrusions and other malicious activity
  • Providing forensic evidence during security incidents and breach investigations

It is imperative for regulated entities to review their audit trails regularly, both during real-time operations and particularly after security incidents or breaches. Regular review of information system activity should promote awareness of any activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted and provided only to authorized personnel.
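Regular review only helps if someone turns the raw trail into findings. The two snooping cases cited earlier (a nurse viewing thousands of records, a doctor pulling records outside any treatment need) are exactly what a periodic review should surface. As an added example (not code from the original post, and not tied to any EHR product), the block below runs three simple review checks over a constructed set of application audit-trail events: unusually many distinct patient records touched by one user in a day, access to patients the user has no recorded treatment relationship with, and access outside normal working hours. The treatment-relationship table, the threshold and the working-hours window are assumptions a practice would set from its own risk analysis.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample application audit-trail events (no real patient data).
SAMPLE_EVENTS = [
    {"user": "nurse_a", "patient_id": "P100", "action": "read",   "ts": "2024-03-01T08:05:00"},
    {"user": "nurse_a", "patient_id": "P101", "action": "read",   "ts": "2024-03-01T08:07:00"},
    {"user": "nurse_a", "patient_id": "P102", "action": "update", "ts": "2024-03-01T08:10:00"},
    {"user": "nurse_a", "patient_id": "P250", "action": "read",   "ts": "2024-03-01T12:01:00"},
    {"user": "nurse_a", "patient_id": "P251", "action": "read",   "ts": "2024-03-01T12:02:00"},
    {"user": "nurse_a", "patient_id": "P252", "action": "read",   "ts": "2024-03-01T12:03:00"},
    {"user": "nurse_a", "patient_id": "P100", "action": "read",   "ts": "2024-03-02T09:00:00"},
    {"user": "dr_b",    "patient_id": "P200", "action": "read",   "ts": "2024-03-01T10:00:00"},
    {"user": "dr_b",    "patient_id": "P300", "action": "read",   "ts": "2024-03-01T22:30:00"},
]

# Constructed treatment-relationship table: which patients each user is assigned to.
# In practice this would come from scheduling or care-team data.
ASSIGNED_PATIENTS = {
    "nurse_a": {"P100", "P101", "P102"},
    "dr_b": {"P200"},
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def distinct_patients_per_day(events):
    """Map user -> ISO day -> number of distinct patient records touched."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][_ts(e).date().isoformat()].add(e["patient_id"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_high_volume(events, daily_threshold):
    """(user, day, count) where a user touched more distinct patients than the threshold."""
    findings = []
    for user, days in distinct_patients_per_day(events).items():
        for day, n in days.items():
            if n > daily_threshold:
                findings.append((user, day, n))
    return sorted(findings)


def flag_no_relationship(events, assigned):
    """Accesses to patients the user has no recorded treatment relationship with."""
    return [(e["user"], e["patient_id"], e["ts"])
            for e in events
            if e["patient_id"] not in assigned.get(e["user"], set())]


def flag_after_hours(events, start_hour=7, end_hour=19):
    """Accesses outside the working window [start_hour, end_hour)."""
    return [(e["user"], e["patient_id"], e["ts"])
            for e in events
            if not (start_hour <= _ts(e).hour < end_hour)]


def review(events, assigned, daily_threshold=5):
    """Run all three checks and return the findings grouped by check name."""
    return {
        "high_volume": flag_high_volume(events, daily_threshold),
        "no_relationship": flag_no_relationship(events, assigned),
        "after_hours": flag_after_hours(events),
    }


if __name__ == "__main__":
    for check, items in review(SAMPLE_EVENTS, ASSIGNED_PATIENTS).items():
        print(check)
        for item in items:
            print("   ", item)
```

Each finding is a lead for a human reviewer, not a verdict: a float nurse or an on-call physician will legitimately trip the relationship and after-hours checks, which is why the thresholds and the assignment table must be tuned to the practice rather than copied from an example.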

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Something to Ponder ...

Sample Audit Control questions for covered entities to consider:

  • What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
  • What are the audit control capabilities of information systems with ePHI?
  • Do the audit controls implemented allow the organization to adhere to policy and procedures developed to comply with the required implementation specification at § 164.308(a)(1)(ii)(D) for Information System Activity Review?