Category: Security

Security : Auditing and HIPAA compliance for Health domain

HIPAA stands for the Health Insurance Portability and Accountability Act, and is a set of mandates that were introduced to protect sensitive patient information. Any US organisation, including subcontractors and business associates, that deals with protected health information (PHI), must comply with HIPAA.

There are two main rules associated with HIPAA, these are: The Privacy Rule and the Security Rule.

The Privacy Rule relates to the saving, accessing and sharing of personal information, whereas the Security Rule defines the standards for protecting health information that is created, received, or transmitted electronically. Such information is otherwise referred to as electronic protected health information (ePHI).

Organisations may wish to host their data with a third-party provider. These hosting providers must also comply with the HIPAA regulations. There must be physical safeguards in place, which restrict access, and provide policies relating to workstations and electronic media. Likewise, there must also be technical safeguards put in place which prevent unauthorised access, encrypt data transmission and provide audit reports about relevant system changes. There must also be policies in place to deal with disaster recovery and offsite backup.

Failure to comply with the HIPAA regulations could result in hefty fines being issued by the Office for Civil Rights (OCR). Likewise, lawsuits may be filed in the event of an ePHI breach. Organisations must report any breach to both the OCR and the patients involved.

To comply with the HIPPA, it is very important that you are using a sophisticated suite of auditing tools in order to monitor system activity. You will need to be able audit and provide reports about who logged in to your system, where they logged in from, when they logged in, and what protected health information (PHI) was accessed when they logged in. You will also need to audit password changes and failed login attempts. Additionally, you will need to know when the last time your system software was updated, what programs have been installed, by whom, and when.

Below are some examples which illustrate the importance of such auditing operations:

Scenario 1: It is common for attackers to try to guess a system password by trying out a large number of username and password combinations. Your system can record these attempts, and look for patterns which suggest that the activity is suspicious. For example, if the system recorded 1,000 failed password attempts within 5 minutes, you can be fairly sure that it was an attack. Auditing solutions, such as those provided by Lepide, use real-time threshold alerting to quickly identify such attacks.

Scenario 2: Back in 2013, Walgreens – the second-largest pharmacy store chain in the United States – were requested to pay a fine of $1.4 Million as a result of a breach of confidential patient information. Were they able to quickly determine who was accessing the confidential information, and when, this would have helped mitigate the damage caused by this kind of breach.

Scenario 3: The HIPAA auditor will request that you provide evidence that you have a record of your organisation’s audit log for six years or more. They will want verification that all crucial information is included, and that there has been daily reviews carried out. Relying on the native system logs to provide such verification would be a very cumbersome routine. Most modern auditing tools enable administrators to carry out such tasks with ease.

Scenario 4: Finally, in the event of a security breach, auditing the system logs will help forensic investigators find out the cause of the attack, and propose a strategy for strengthening the security policy, thus mitigating future attacks. Without the ability to clearly analyse the logs, investigators would have to assume that all records were subject to the breach.