HIPAA Tips from HIPAA Secure Now
- Posted by: Adriene Hall

- Aug 30, 2018
- 3 min read
This month's topic: Logs
Breaches of ePHI can be caused by mistakes (someone loses a laptop) or by a bad actor (hacker, rogue employee). Let’s take the case of the rogue employee – what can be done? As an example, here is an article that describes two recent breaches caused by employees. What could have been done to prevent this? These employees caused these breaches over time. Was anyone checking on the access? Most likely not. Did these providers know if the employees were accessing the system at 3 AM from home? Was the employee looking at an unusually large volume of records? Was the employee looking at records they had no business reason to access? Therein lies the value of checking access logs: spotting potential problems before they become real problems. When your employees know their access is logged, and the logs are regularly checked, it reduces their temptation to do anything inappropriate.
It is not uncommon for organizations to discover and report breaches a year or two after they happened, because they delayed or failed to check their logs. Don’t let this happen to you.
Computer logs can be voluminous and difficult to interpret. So you have to be very smart when checking logs, in order to minimize time spent on this. You need a reporting system that can summarize who accessed the system over a certain time frame, and other relevant information. Preferably the report would only point out what MIGHT be unauthorized access, so you can investigate further. Check with your IT staff, IT provider and your software vendors on how to optimize reports to analyze logs and system access.
Here are some commonly asked questions about logs:
Q. Is this really a HIPAA requirement?
A. Yes, here are the sections of the HIPAA Security Rule that discuss this:
Section 164.308(a)(1)(ii)(d): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Section 164.308(a)(5)(ii)(c): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Q. How often should I run the reports?
A. As with a lot of items in HIPAA, it is up to your discretion. Once per month is probably fine, but think through your situation and what is best for you.
Q. Which systems should I run reports on?
A. All systems that contain ePHI. Hopefully your software vendors are aware of this type of requirement for HIPAA and have reports already designed for this purpose.
Q. What information should the reports contain?
A. This is up to you, but the goal you are trying to achieve is to be able to determine if inappropriate access has occurred. Some of the information that could be analyzed includes:
- What time an employee logs in
- From where (local or remote)
- The number of failed login attempts on a computer or a specific ID
- Who downloaded new software, and when
- When and how often passwords are changed
- What information was accessed by the person logged in
- What protected health information (PHI) was changed and by whom
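To make the advice above concrete (a report that summarizes who accessed the system and points out only what MIGHT be unauthorized access), here is an added example of such a review script. It is not code from HIPAA Secure Now or from any EHR vendor; the CSV log layout, the event names, the business-hours window and the thresholds are all assumptions chosen for the example, and the log lines are constructed. It flags the same warning signs the newsletter describes: after-hours logins, remote sessions, an unusually large volume of records viewed by one person in a day, and repeated failed logins.

```python
"""Flag ePHI access-log entries that merit a human look (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Assumed review thresholds; a practice would tune these to its own staffing.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
MAX_RECORDS_PER_USER_DAY = 5   # deliberately low so the sample trips it
MAX_FAILED_LOGINS = 3

# Constructed sample log. Columns: timestamp,user,source,event,detail
# source is local/remote; event is login_ok, login_fail or record_view.
SAMPLE_LOG = """\
2018-08-14T09:12:03,jsmith,local,login_ok,
2018-08-14T09:12:40,jsmith,local,record_view,MRN-0001
2018-08-14T09:15:10,jsmith,local,record_view,MRN-0002
2018-08-14T10:01:00,jsmith,local,record_view,MRN-0003
2018-08-14T03:02:11,kjones,remote,login_ok,
2018-08-14T03:02:50,kjones,remote,record_view,MRN-0101
2018-08-14T03:03:05,kjones,remote,record_view,MRN-0102
2018-08-14T03:03:20,kjones,remote,record_view,MRN-0103
2018-08-14T03:03:35,kjones,remote,record_view,MRN-0104
2018-08-14T03:03:50,kjones,remote,record_view,MRN-0105
2018-08-14T03:04:05,kjones,remote,record_view,MRN-0106
2018-08-14T08:30:00,mlee,local,login_fail,
2018-08-14T08:30:20,mlee,local,login_fail,
2018-08-14T08:30:45,mlee,local,login_fail,
2018-08-14T08:31:10,mlee,local,login_ok,
"""


def parse_log(text):
    """Turn the CSV lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, event, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "event": event, "detail": detail})
    return events


def review_access(events):
    """Return only the entries worth investigating, sorted for a stable report."""
    findings = []
    records_per_day = Counter()
    failed = Counter()
    for e in events:
        if e["event"] == "login_ok":
            if not (BUSINESS_START <= e["ts"].time() < BUSINESS_END):
                findings.append({"category": "after_hours", "user": e["user"],
                                 "detail": e["ts"].isoformat()})
            if e["source"] == "remote":
                findings.append({"category": "remote_login", "user": e["user"],
                                 "detail": e["ts"].isoformat()})
        elif e["event"] == "login_fail":
            failed[e["user"]] += 1
        elif e["event"] == "record_view":
            records_per_day[(e["user"], e["ts"].date())] += 1
    for (user, day), n in records_per_day.items():
        if n > MAX_RECORDS_PER_USER_DAY:
            findings.append({"category": "high_volume", "user": user,
                             "detail": f"{n} records viewed on {day}"})
    for user, n in failed.items():
        if n >= MAX_FAILED_LOGINS:
            findings.append({"category": "failed_logins", "user": user,
                             "detail": f"{n} failed login attempts"})
    return sorted(findings, key=lambda f: (f["category"], f["user"], f["detail"]))


def summarize_access(events):
    """Per-user totals for the review record: logins, records viewed, first/last activity."""
    summary = defaultdict(lambda: {"logins": 0, "records": 0, "first": None, "last": None})
    for e in events:
        s = summary[e["user"]]
        if e["event"] == "login_ok":
            s["logins"] += 1
        elif e["event"] == "record_view":
            s["records"] += 1
        if s["first"] is None or e["ts"] < s["first"]:
            s["first"] = e["ts"]
        if s["last"] is None or e["ts"] > s["last"]:
            s["last"] = e["ts"]
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, s in summarize_access(evs).items():
        print(f"{user}: {s['logins']} logins, {s['records']} records, {s['first']} .. {s['last']}")
    for f in review_access(evs):
        print(f"[{f['category']}] {f['user']}: {f['detail']}")
```

On the constructed sample, jsmith produces no findings, kjones is flagged for an after-hours remote login and a high record count, and mlee is flagged for repeated failed logins. The per-user summary is what you would keep with the review record, alongside the time frame, the date of the review and the reviewer's name, so that the review can be produced later.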
Q. What do I do if I suspect something is wrong?
A. Review the information with your IT staff, IT vendor or software vendor to see if they agree with your conclusions. If you still think something is wrong, contact HIPAA Secure Now! and we can review the situation with you.
Q. What do I do with the reports once I have reviewed them?
A. Best practice would be to upload them to the HIPAA Secure Now! portal. Make sure the report indicates the time frame of the analysis, date of the analysis and who performed the analysis. In the event that you ever do have a breach, investigators will ask you for a copy of your log reviews. Being able to produce these will tremendously improve your standing in the case of an investigation or audit.
Q. How long should this take?
A. Properly configured reports should only take a few minutes to run and analyze assuming no irregularities are discovered.
Q. Is there any other value to this?
A. Yes! This is something that every organization should be doing (regardless of what industry they are in). This is a best practice for cyber-security. Don’t think there is no value in this: early discovery and prevention of problems will avoid enormous time and expense later.